Analysis
max time kernel: 64s
max time network: 67s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-11-2024 19:56
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00313.7z
Resource: win7-20240903-en

General
Target: RNSM00313.7z
Size: 776KB
MD5: 33010f7b6871b4a6d48ad986a7454f44
SHA1: d9890107f31ad288ddfcb9209ca161ae650b8b99
SHA256: 6c00dc53bbc28ea49a1998bde2de32e6b343cb5f8c10675fd324ceee1babf569
SHA512: cc7b63824fcb81bfadf2b981ca2790faeaa0b426b942c8bab1eaae78fcff0077e052490f8d369d235cc13a1374da85bdde6c174413b6ec0aee02c5a0369eda9b
SSDEEP: 12288:gO2/uqGkN9vJUzF//JNI6/QOLW3qx6LSYv/oOn7WAL7PjUBqy+dM9l89nEwKrx3M:6FGkk/XPJL8tv/l73jU0K9+uwo3M
Malware Config

Signatures

GandCrab payload (6 IoCs)
resource  yara_rule
behavioral1/memory/2988-419-0x00000000001F0000-0x0000000000207000-memory.dmp  family_gandcrab
behavioral1/memory/2988-417-0x0000000000400000-0x0000000001CC5000-memory.dmp  family_gandcrab
behavioral1/memory/2988-3357-0x0000000000400000-0x0000000001CC5000-memory.dmp  family_gandcrab
behavioral1/memory/1756-13323-0x00000000002C0000-0x00000000002D7000-memory.dmp  family_gandcrab
behavioral1/memory/1756-13325-0x0000000000400000-0x0000000001CC5000-memory.dmp  family_gandcrab
behavioral1/memory/1756-13404-0x0000000000400000-0x0000000001CC5000-memory.dmp  family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Gandcrab family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components  Explorer.EXE
Drops file in Drivers directory (20 IoCs)
Process (all rows): HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe
description                   ioc
File opened for modification  \??\c:\Windows\System32\drivers\etc\hosts
File created                  \??\c:\Windows\System32\drivers\ja-JP\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\drivers\etc\protocol
File opened for modification  \??\c:\Windows\System32\drivers\etc\services
File created                  \??\c:\Windows\System32\drivers\UMDF\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\de-DE\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\en-US\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\etc\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\UMDF\de-DE\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\UMDF\es-ES\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\UMDF\fr-FR\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\UMDF\ja-JP\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\drivers\etc\networks
File created                  \??\c:\Windows\System32\drivers\it-IT\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\UMDF\en-US\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\UMDF\it-IT\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\es-ES\Dont_Worry.txt
File created                  \??\c:\Windows\System32\drivers\fr-FR\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\drivers\gmreadme.txt
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.

Drops startup file (2 IoCs)
Process (all rows): HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe
description   ioc
File created  \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dont_Worry.txt
File created  \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Dont_Worry.txt
Executes dropped EXE (3 IoCs)
pid   Process
2792  HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe
2988  Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe
1756  sbuhay.exe

Loads dropped DLL (9 IoCs)
pid   Process
1208  Process not Found
1208  Process not Found
1208  Process not Found
1208  Process not Found
1208  Process not Found
1208  Process not Found
1208  Process not Found
1208  Process not Found
1208  Process not Found
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
Process: Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe
description      ioc
Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\drrkggiovtc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\sbuhay.exe\""
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process (all rows): Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe
description              ioc
File opened (read-only)  \??\L:
File opened (read-only)  \??\R:
File opened (read-only)  \??\S:
File opened (read-only)  \??\V:
File opened (read-only)  \??\A:
File opened (read-only)  \??\B:
File opened (read-only)  \??\K:
File opened (read-only)  \??\M:
File opened (read-only)  \??\O:
File opened (read-only)  \??\P:
File opened (read-only)  \??\Q:
File opened (read-only)  \??\Z:
File opened (read-only)  \??\G:
File opened (read-only)  \??\J:
File opened (read-only)  \??\U:
File opened (read-only)  \??\W:
File opened (read-only)  \??\I:
File opened (read-only)  \??\N:
File opened (read-only)  \??\T:
File opened (read-only)  \??\X:
File opened (read-only)  \??\Y:
File opened (read-only)  \??\E:
File opened (read-only)  \??\H:
Drops file in System32 directory (64 IoCs)
Process (all rows): HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe
description                   ioc
File created                  \??\c:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\mdmisdn.inf_amd64_neutral_061c61abd3904560\Dont_Worry.txt
File created                  \??\c:\Windows\System32\de-DE\Licenses\OEM\Starter\Dont_Worry.txt
File created                  \??\c:\Windows\System32\de-DE\Licenses\_Default\EnterpriseN\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\fus2base.frm
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\hcw85b64.inf_amd64_neutral_22b436d5d06ab017\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\hidserv.inf_amd64_neutral_f2223e39f37c69f3\Dont_Worry.txt
File created                  \??\c:\Windows\System32\config\systemprofile\AppData\Roaming\Dont_Worry.txt
File created                  \??\c:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\Dont_Worry.txt
File created                  \??\c:\Windows\System32\de-DE\Licenses\eval\Enterprise\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\iirsp2.inf_amd64_neutral_9ed65fe0bab06b1b\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\pcmcia.inf_amd64_neutral_1678e66e0cbb04b2\Dont_Worry.txt
File created                  \??\c:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z9FSTZ5\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\mdmcodex.inf_amd64_neutral_9bb71004e7b8f7ae\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\mdmnttp2.inf_amd64_neutral_d218c42ac8635704\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File opened for modification  \??\c:\Windows\System32\de-DE\Licenses\OEM\HomePremiumN\license.rtf
File opened for modification  \??\c:\Windows\System32\de-DE\lipeula.rtf
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_neutral_9b64397618841a19\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\Amd64\PCLXL.GPD
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\averfx2hbh826d_noaverir_x64.inf_amd64_neutral_da2ba9e8a30dad14\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\CNHF_309.GPD
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\arc.inf_amd64_neutral_11b52dec8e94d9aa\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\netw5v64.inf_amd64_neutral_a6b778ba802632cc\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\nulhpopr.inf_amd64_neutral_e078ec466987bb3b\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\mdmaiwa5.inf_amd64_neutral_ea8128ac5da37eb9\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\ph3xibc0.inf_amd64_neutral_c24bcc939e6dfc23\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
File created                  \??\c:\Windows\System32\de-DE\Licenses\eval\ProfessionalE\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\hpoa1ss.inf_amd64_neutral_8cae09a2238d64e0\Dont_Worry.txt
File created                  \??\c:\Windows\System32\de-DE\Licenses\_Default\Ultimate\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\mdmoptn.inf_amd64_neutral_be2f30f68f2a5567\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_neutral_f8bdd2cbac28a8fd\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRM680CN.GPD
File created                  \??\c:\Windows\System32\Boot\de-DE\Dont_Worry.txt
File created                  \??\c:\Windows\System32\de-DE\Licenses\eval\Professional\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\angel264.inf_amd64_neutral_04b54b6322607cce\Dont_Worry.txt
File created                  \??\c:\Windows\System32\Dism\it-IT\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\agp.inf_amd64_neutral_22cdceb61fbafb43\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\bthmtpenum.inf_amd64_neutral_c70e85b87ee4ece9\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\mdmbsb.inf_amd64_neutral_56a9f6bceeec7f72\Dont_Worry.txt
File created                  \??\c:\Windows\System32\de-DE\Licenses\eval\HomePremiumE\Dont_Worry.txt
File created                  \??\c:\Windows\System32\de-DE\Licenses\OEM\EnterpriseN\Dont_Worry.txt
File created                  \??\c:\Windows\System32\de-DE\Licenses\OEM\StarterE\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRD153C.GPD
File opened for modification  \??\c:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRM5460C.GPD
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1216mk5_ibv64.inf_amd64_neutral_3eaae75b591bd148\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\hiddigi.inf_amd64_neutral_12aaf5742a9969da\Dont_Worry.txt
File created                  \??\c:\Windows\System32\de-DE\Licenses\_Default\Starter\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\mdmmc288.inf_amd64_neutral_c4a901dab689ad79\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_neutral_7c21481229e1e66c\Dont_Worry.txt
File created                  \??\c:\Windows\System32\Dism\ja-JP\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\en-US\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\ph3xibc5.inf_amd64_neutral_2270382453de2dbb\Dont_Worry.txt
File opened for modification  \??\c:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRF2480C.GPD
File opened for modification  \??\c:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRM465CN.GPD
File opened for modification  \??\c:\Windows\System32\config\systemprofile\ntuser.dat{d5e30002-f518-11df-a5c1-806e6f6e6963}.TM.blf
File opened for modification  \??\c:\Windows\System32\de-DE\Licenses\eval\UltimateN\license.rtf
File opened for modification  \??\c:\Windows\System32\de-DE\Licenses\OEM\StarterN\license.rtf
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\ehstorcertdrv.inf_amd64_neutral_2e1cecffae9c899a\Dont_Worry.txt
File created                  \??\c:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_neutral_ecf5cff2236b273a\Dont_Worry.txt
Drops file in Program Files directory (64 IoCs)
Process (all rows): HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe
description                   ioc
File opened for modification  \??\c:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png
File opened for modification  \??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png
File created                  \??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Dont_Worry.txt
File created                  \??\c:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\Dont_Worry.txt
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR22F.GIF
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BREEZE.WAV
File opened for modification  \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png
File created                  \??\c:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\Dont_Worry.txt
File opened for modification  \??\c:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP
File opened for modification  \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt
File opened for modification  \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png
File opened for modification  \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png
File created                  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\Dont_Worry.txt
File created                  \??\c:\Program Files\VideoLAN\VLC\locale\bs\Dont_Worry.txt
File created                  \??\c:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\Dont_Worry.txt
File opened for modification  \??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG
File opened for modification  \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML
File opened for modification  \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png
File opened for modification  \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers
File opened for modification  \??\c:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\logo.png
File created                  \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Dont_Worry.txt
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15056_.GIF
File opened for modification  \??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG
File opened for modification  \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png
File opened for modification  \??\c:\Program Files\Java\jre7\lib\zi\America\La_Paz
File opened for modification  \??\c:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae
File created                  \??\c:\Program Files\VideoLAN\VLC\locale\ka\Dont_Worry.txt
File opened for modification  \??\c:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png
File created                  \??\c:\Program Files (x86)\Common Files\microsoft shared\EURO\Dont_Worry.txt
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\grvschema.xsd
File opened for modification  \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5
File opened for modification  \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml
File created                  \??\c:\Program Files\Windows Media Player\Dont_Worry.txt
File opened for modification  \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\logo.png
File opened for modification  \??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png
File opened for modification  \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG
File created                  \??\c:\Program Files (x86)\Microsoft Office\Office14\Dont_Worry.txt
File opened for modification  \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png
File created                  \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\Dont_Worry.txt
File opened for modification  \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml
File opened for modification  \??\c:\Program Files\Java\jre7\lib\zi\Pacific\Easter
File opened for modification  \??\c:\Program Files\ShowOpen.jpg
File opened for modification  \??\c:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html
File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml
File created                  \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Dont_Worry.txt
File opened for modification  \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml
HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe File created \??\c:\Program Files\VideoLAN\VLC\lua\Dont_Worry.txt HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14791_.GIF HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe -
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 45 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sbuhay.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString sbuhay.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier sbuhay.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Explorer.EXE -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell Explorer.EXE -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 2336 NOTEPAD.EXE 988 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2792 HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3068 Explorer.EXE -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2792 HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeRestorePrivilege 2060 7zFM.exe Token: 35 2060 7zFM.exe Token: SeSecurityPrivilege 2060 7zFM.exe Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE Token: SeShutdownPrivilege 3068 Explorer.EXE -
Suspicious use of FindShellTrayWindow 43 IoCs
pid Process 2060 7zFM.exe 2060 7zFM.exe 2336 NOTEPAD.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 988 NOTEPAD.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE -
Suspicious use of SendNotifyMessage 45 IoCs
pid Process 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE 3068 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 63 PID 2988 wrote to memory of 304 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 63 PID 2988 wrote to memory of 2740 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 65 PID 2988 wrote to memory of 2740 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 65 PID 2988 wrote to memory of 2740 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 65 PID 2988 wrote to memory of 2740 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 65 PID 2988 wrote to memory of 2704 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 68 PID 2988 wrote to memory of 2704 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 68 PID 2988 wrote to memory of 2704 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 68 PID 2988 wrote to memory of 2704 2988 Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe 68 -
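Every target PID in the WriteProcessMemory table above is one of the nslookup children that PID 2988 itself spawned, and each child receives the same four writes. Writes whose target is a process the writer did not create are the ones to examine as possible injection, so the useful reading of this table is: collapse the repeats into one edge per source/target pair, then check each target against the process tree. The Python below is an added example, not part of the sandbox report. It parses the table's row format (including rows wrapped across lines, as they are on this page), counts writes per edge, and labels each edge by whether the target is a known child. The child map and the rows for PIDs 632 and 2960 are taken from this page; the row writing into PID 1000 is constructed to show the other case.

```python
import re
from collections import Counter

# Image name of the writing process as printed in the report above.
IMAGE = ("Trojan-Ransom.Win32.GandCrypt.abw-"
         "053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe")

def row(dst, target, sep=" "):
    """One row in the report's format: description, pid, Process, procid_target.
    The page sometimes wraps a row between the pid and the image name, so the
    separator at that point is a parameter."""
    return f"PID 2988 wrote to memory of {dst} 2988{sep}{IMAGE} {target}"

# Constructed input: the first eight rows reproduce the report's entries for
# child PIDs 632 and 2960 (four writes each, one of them line-wrapped); the
# last row is invented to show a write into a PID the parent never created.
WPM_TEXT = " ".join(
    [row(632, 35), row(632, 35), row(632, 35, sep="\n"), row(632, 35)]
    + [row(2960, 37)] * 4
    + [row(1000, 70)]            # CONSTRUCTED, not from the report
)

# Parent -> children as read off the process tree (subset of the report).
CHILDREN_OF = {2988: {632, 2960, 1372, 2380}}

ROW_RE = re.compile(
    r"PID\s+(?P<src>\d+)\s+wrote to memory of\s+(?P<dst>\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<target>\d+)"
)

def parse_rows(text):
    """Return (src_pid, dst_pid, image, procid_target) for every row.
    finditer is used instead of splitting on newlines because the report runs
    many rows onto one line and wraps others mid-row."""
    return [(int(m["src"]), int(m["dst"]), m["image"], int(m["target"]))
            for m in ROW_RE.finditer(text)]

def summarize(rows, children_of):
    """Collapse repeated rows into one edge per (src, dst) with a write count.
    An edge is 'child-setup' when dst is a process src spawned according to the
    process tree, and 'cross-process' otherwise; only the latter is a candidate
    for injection."""
    counts = Counter((src, dst) for src, dst, _, _ in rows)
    meta = {(src, dst): (image, target) for src, dst, image, target in rows}
    edges = []
    for (src, dst), n in sorted(counts.items()):
        image, target = meta[(src, dst)]
        kind = "child-setup" if dst in children_of.get(src, set()) else "cross-process"
        edges.append({"src": src, "dst": dst, "writes": n, "image": image,
                      "procid_target": target, "kind": kind})
    return edges

def cross_process_edges(text, children_of):
    """Only the edges that process creation does not account for."""
    return [e for e in summarize(parse_rows(text), children_of)
            if e["kind"] == "cross-process"]

if __name__ == "__main__":
    for e in summarize(parse_rows(WPM_TEXT), CHILDREN_OF):
        print(f"{e['src']} -> {e['dst']:<5} writes={e['writes']}  {e['kind']}")
```

Run against the full table on this page, every edge comes out as child-setup; the constructed row is the shape that would justify a closer look at the target process.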
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
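The report records use of the Task Scheduler COM API but does not show which task, if any, was registered. When that API is used for persistence, the artefact it leaves is a task definition: the XML files under C:\Windows\System32\Tasks use the same schema the COM API consumes. A practical check is therefore to triage those definitions for boot or logon triggers whose action runs from a location a standard user can write to. The Python below is an added example, not the sandbox's logic. Both task definitions in it are constructed; the suspicious one points at the sbuhay.exe path from the process tree on this page only to make the sample concrete, and nothing in the report says that binary was scheduled this way. The environment-variable map and the trusted-directory list are assumptions to tune for the environment.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace of Task Scheduler 2.0 task definitions (what RegisterTask takes
# and what is stored under C:\Windows\System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

AUTOSTART_TRIGGERS = {"BootTrigger", "LogonTrigger"}

# Assumption: directories a standard user cannot write to on the target build.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumption: minimal expansion map so %SystemRoot%-style commands compare
# against the trusted prefixes; extend for the environment being triaged.
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows",
       "%programfiles%": "c:\\program files", "%programfiles(x86)%": "c:\\program files (x86)"}

# CONSTRUCTED sample: a maintenance task that runs a Windows binary on a schedule.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Example\Maintenance</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-11-12T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\System32\defrag.exe</Command><Arguments>C:</Arguments></Exec></Actions>
</Task>"""

# CONSTRUCTED sample: hidden logon task whose action lives under a user profile.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>"C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe"</Command></Exec></Actions>
</Task>"""

def _local(tag):
    """Element name without its namespace."""
    return tag.rsplit("}", 1)[-1]

def _normalize(cmd):
    """Lowercase, unquote and expand the known variables for prefix comparison."""
    cmd = cmd.strip().strip('"').lower()
    for var, val in ENV.items():
        cmd = cmd.replace(var, val)
    return cmd

def triage_task(xml_doc):
    """Parse one task definition (str or bytes) and return name, triggers,
    actions, a list of string findings and an overall verdict."""
    root = ET.fromstring(xml_doc)
    name = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [_local(c.tag) for c in trig]
    actions = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd, args))
    hidden = root.findtext("t:Settings/t:Hidden", default="false",
                           namespaces=NS).strip().lower() == "true"

    findings = [f"autostart-trigger:{t}" for t in triggers if t in AUTOSTART_TRIGGERS]
    untrusted = [cmd for cmd, _ in actions if not _normalize(cmd).startswith(TRUSTED_PREFIXES)]
    findings += [f"untrusted-command:{cmd}" for cmd in untrusted]
    if hidden:
        findings.append("hidden")
    return {"name": name, "triggers": triggers, "actions": actions, "findings": findings,
            "suspicious": bool(findings and findings[0].startswith("autostart")) and bool(untrusted)}

def scan_tasks_dir(folder):
    r"""Triage every file under a folder, e.g. a copy of C:\Windows\System32\Tasks
    taken from a disk image. Files are read as bytes so the UTF-16 encoding
    Windows writes them in is detected by the parser."""
    results = []
    for path in Path(folder).rglob("*"):
        if path.is_file():
            try:
                results.append((str(path), triage_task(path.read_bytes())))
            except ET.ParseError:
                continue
    return results

if __name__ == "__main__":
    for doc in (BENIGN_TASK, SUSPICIOUS_TASK):
        r = triage_task(doc)
        print(r["name"], r["triggers"], r["findings"], "SUSPICIOUS" if r["suspicious"] else "ok")
```

The verdict is deliberately narrow: an autostart trigger alone is normal (Windows ships many), and an untrusted path alone may be a legitimate per-user installer; the combination is what merits a look, with "hidden" as a supporting signal.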
Processes
-
C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00313.7z"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2060
-
C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe
  "C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe"
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:2792
-
C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe
  "C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2988
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:632
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2960
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1372
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2380
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2036
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:3000
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2020
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1812
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2388
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2772
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1716
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2256
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2112
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:304
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2740
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2704
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2724
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2500
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2544
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2892
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:688
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1496
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2096
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1668
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:300
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1432
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2716
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:444
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1572
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:944
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1860
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1592
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:760
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2208
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2628
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1396
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2056
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:884
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:1616
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2588
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:840
    C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2820
    C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      - System Location Discovery: System Language Discovery
      PID:2948
-
C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  PID:2688
-
C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Dont_Worry.txt
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:2336
-
C:\Windows\Explorer.EXE
  "C:\Windows\Explorer.EXE"
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3068
    C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      PID:1756
    C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Dont_Worry.txt
      - Opens file in notepad (likely ransom note)
      - Suspicious use of FindShellTrayWindow
      PID:988
-
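The process tree above shows PID 2988 launching nslookup.exe more than forty times, alternating two .bit names against two explicitly named servers. .bit is the Namecoin top-level domain; the public DNS root does not serve it, so an ordinary resolver cannot answer and the sample has to name a server that can. That gives three handles in process-creation telemetry: nslookup invoked with an alternative-root TLD and an explicit server, nslookup whose parent is not an interactive shell, and a burst of nslookup children from one parent. The Python below is an added example, not part of the report. Its events are constructed in a Sysmon-like shape: the PIDs and command lines of the first six children are copied from the tree above and the timestamps invented, and two benign lookups from cmd.exe are added for contrast. The thresholds and the parent allowlist are assumptions to tune.

```python
import re
import shlex
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# TLDs outside the public DNS root (.bit is Namecoin's). A lookup for one of
# them only succeeds against a resolver that knows that namespace, which is
# why the sample passes a server explicitly.
ALT_ROOT_TLDS = (".bit",)

# Assumption: parents from which a one-off nslookup is unremarkable.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

Alert = namedtuple("Alert", "rule parent_pid child_pid detail")

def _basename(path):
    """Last path component, lowercased, for Windows or POSIX separators."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def parse_nslookup(cmdline):
    """Return (name, server_or_None) for an nslookup command line, else None.
    Switches such as -type=mx are skipped; the first positional argument is
    the name to query and the second, if present, the server to ask."""
    tokens = shlex.split(cmdline, posix=False)       # keeps Windows quoting intact
    if not tokens or _basename(tokens[0]) not in ("nslookup", "nslookup.exe"):
        return None
    positional = [t for t in tokens[1:] if not t.startswith("-")]
    if not positional:
        return None            # interactive session; nothing to judge here
    return positional[0], (positional[1] if len(positional) > 1 else None)

def detect(events, burst_n=4, burst_window=timedelta(seconds=60)):
    """Run the three rules over process-creation events and return alerts."""
    alerts = []
    lookups_by_parent = defaultdict(list)
    for ev in events:
        parsed = parse_nslookup(ev["CommandLine"])
        if parsed is None:
            continue
        name, server = parsed
        ppid, pid = ev["ParentProcessId"], ev["ProcessId"]
        lookups_by_parent[ppid].append(datetime.fromisoformat(ev["UtcTime"]))
        # Rule 1: alternative-root name queried against an explicit server.
        if name.lower().endswith(ALT_ROOT_TLDS) and server:
            alerts.append(Alert("nslookup_alt_root_explicit_ns", ppid, pid, f"{name} via {server}"))
        # Rule 2: nslookup spawned by something other than an interactive shell.
        parent = _basename(ev["ParentImage"])
        if parent not in INTERACTIVE_PARENTS:
            alerts.append(Alert("nslookup_unusual_parent", ppid, pid, parent))
    # Rule 3: at least burst_n nslookup children from one parent inside the window.
    for ppid, times in lookups_by_parent.items():
        times.sort()
        j = 0
        for i, t0 in enumerate(times):
            while j < len(times) and times[j] - t0 <= burst_window:
                j += 1
            if j - i >= burst_n:
                alerts.append(Alert("nslookup_burst", ppid, None,
                                    f"{j - i} lookups within {burst_window}"))
                break
    return alerts

GANDCRAB = (r"C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-"
            r"053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe")
CMD = r"C:\Windows\System32\cmd.exe"

def _ev(t, parent_image, ppid, pid, cmdline):
    return {"UtcTime": t, "ParentImage": parent_image, "ParentProcessId": ppid,
            "Image": r"C:\Windows\SysWOW64\nslookup.exe", "ProcessId": pid,
            "CommandLine": cmdline}

# CONSTRUCTED events: PIDs and command lines of the first six children are from
# the report; timestamps are invented; the last two are benign lookups.
SAMPLE_EVENTS = [
    _ev("2024-11-12 19:57:01", GANDCRAB, 2988, 632,  "nslookup zonealarm.bit ns1.cloud-name.ru"),
    _ev("2024-11-12 19:57:02", GANDCRAB, 2988, 2960, "nslookup ransomware.bit ns2.cloud-name.ru"),
    _ev("2024-11-12 19:57:03", GANDCRAB, 2988, 1372, "nslookup zonealarm.bit ns2.cloud-name.ru"),
    _ev("2024-11-12 19:57:04", GANDCRAB, 2988, 2380, "nslookup ransomware.bit ns1.cloud-name.ru"),
    _ev("2024-11-12 19:57:05", GANDCRAB, 2988, 2036, "nslookup zonealarm.bit ns1.cloud-name.ru"),
    _ev("2024-11-12 19:57:06", GANDCRAB, 2988, 3000, "nslookup ransomware.bit ns2.cloud-name.ru"),
    _ev("2024-11-12 19:58:30", CMD, 1500, 1501, "nslookup www.example.com"),
    _ev("2024-11-12 19:58:45", CMD, 1500, 1502, "nslookup -type=mx example.com 192.0.2.53"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:32} parent={a.parent_pid} child={a.child_pid} {a.detail}")
```

Rule 1 is the high-confidence signal and is what the alternating ns1/ns2 pattern on this page would trip on every child; rules 2 and 3 are broader and catch the same behaviour when the names or servers change.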
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize 738B
MD5 7854423ffc1ddebaf6d2aa0319df9da6
SHA1 102f885e12ab54c45788d080dfbfc259719c8897
SHA256 d00e18a6aabc9c410cf6ed54974e57d13a29d30cf561e21f3f2d6155fbc2a07d
SHA512 0d7b9473e003df7184d88c57c1f2a82c7afce00c560c8b8bf3d111551e89a0b651ec1fbccad8d6aa7042bcf23ba96a804cbc3b5b73466ea8b74bc18f2cc8345d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg
Filesize 8KB
MD5 ff1338a11f94082f67937a83776f02da
SHA1 09043ad356cf938c83609cc7ab7be27777a41b4b
SHA256 a9159189383c14acf86b00d2fc21e07a5e17aa0fa6cb42bbc4c1e6e2d0ede13a
SHA512 eceff60455bdd79b6c2f40e541d72afa373b0f1d1b4cdf69b5d7f1baedb99a54279cc93b341d65d51a1ff61e7c4941fe684ba93d082cba0031f944d0f5ba5cde
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg
Filesize 4KB
MD5 dc718aadf43d3363c39e98699a00b14e
SHA1 f8e286409bac40a2be56124fdd1b7ea457eddbd4
SHA256 c55eeb82c9719956f8f9417c656117b3500a8e753e7cec0cfcd18a1d6bd18987
SHA512 ca9cf32ebe6bbeb242569fc7a0ce88488e554728df8635872e9068f5149801d7aba0facc011622c46f133119c33569d4af805011bdadf54ad3b0248f80399edd
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif
Filesize 23KB
MD5 c742d1ceafb9462c599168674faefc63
SHA1 b31b3f5eceb1cff906b0c7995b08de42e44f2a3b
SHA256 060cf458a582b92a99df8e817bcb380f30211b7e376f5facf1244bf2b8898e0a
SHA512 a1fb7a1907ceac6dd9ca88249de425e0d1c5d10e58c5646da5aba75ed09b25e9a99a6879382fb96aaeefec03ff3d4c14defa6391e8b3792e23be03682be6c393
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif
Filesize 9KB
MD5 0f62f8d8536823d327458f2d2804d19d
SHA1 a4f92667c115a770f3b5c19df094218691b7fd02
SHA256 49ecb57fc094902a7bc7deedebd1502bd4b4ba5badaa819c01d0e267e93e7b17
SHA512 bcc68d33f2154521d34148f131947020413cc8cc86587dc19272b1eb474755ce17f4e527d599d94604da8409d2749be6eb870d48a1c73df3df36a2cf5db1df9c
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif
Filesize 16KB
MD5 646a9223ae5a84df24791bdc00ff5dbd
SHA1 91c2f838a4d6df5bad265f2dbac447233da6d009
SHA256 8ce111e8660c02649728bb4a87f8d6c7ab8288f5be8822b905046e346a270b2f
SHA512 c6ae662850944ec0b7ab4cdb71c43d42d9a789d8e27c55aa98fcd023c0632bc9b6fe88c5462eb444adfc90139b192346f409db9a2d21953a8fd5f3bd7c57f616
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Premium.gif
Filesize 7KB
MD5 fb3f6ad769af2880b23a62ba1af0ffdb
SHA1 e64ea2daf5d0a3a4f2d229265d1dc431715a5851
SHA256 1a493b9724d9197ca930018343b5488d159ac33754e0f919f56d17a5584e8b01
SHA512 965ba4daebaa967add6e472dd8390c71d215e19701990bbb9c7e8b695a122971a1546be97c2359111cfb07f75eca0a4b55983daee840e76aa04921743a7044f9
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif
Filesize 21KB
MD5 d72e6eb8a8309941a2b380b2ca30821e
SHA1 0fd5fbd7deee6cd07e4a74b57b5a60616cd8ef5f
SHA256 552d92940dae28fbe3a63956003296849610db505919ae717d88d1ba4ddf1612
SHA512 51e010650f64ee46f272ad7abc0af57c246d237bd76133c6e95c54f4fa88612561c3e26d44b6642b24b94ce5fcf44f96c5707ec66d1f694fde42edc1743d1b2a
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_TexturedBlue.gif
Filesize 7KB
MD5 7103f26ea8f2ac5c440dbf18273f99d4
SHA1 4011bc112336f109c6bcd8c1b21df4de3635cd3c
SHA256 4636e3b31395c0f0c196b815284abb70971d446d2d8837c242c1751f1810ae27
SHA512 8afe492bd4cef43dc052b2149826dad46d89887f6302d1dd719640ad47bd486f2000ba64779fa92ed5e5e26781057e5b2ef138873ee44e66582b0025b8f9647a
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif
Filesize 16KB
MD5 ab4732bc1776ea4d8a9557ca50efb8bb
SHA1 6d1860d6aea68563ade6d018f553071b33e1ba7f
SHA256 59537f3abb0ae75741f7123f303b7f30a49c8570f0c05854d3d02b3172a345fb
SHA512 04cfdc6b0b98afa1de8a0701636cb41fe5d91b62a715b1e6fac01b0a0b1b0148af2d24fc65a561383f82ee5d170aa0be79323a9a37568753d7d9aed7a8b0159d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg
Filesize 6KB
MD5 f8b48ff399879463b24320a3f6f95e5f
SHA1 31e92d63a47795a0e965fa44389b675419e2406d
SHA256 aa98a5736746aba566f4e79a10cfe1629546f29b11efa15f0f544664ef47aa68
SHA512 c3af8b27e1609f567dcc49d3c670e70c413f0e1ccc5de024c022091f2a1876908f7089fc7db7563030220ffc59eb401022760bc0be0abe24e8ee31a9dc784aaf
-
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml
Filesize 248KB
MD5 fd05ac3aba645998561da31810b0a488
SHA1 836dc1f973b190408480bfb6ee803551f23b0ed5
SHA256 202cd943e129775947367177b712b32530b40fb32ef548f05cba902d856edd3e
SHA512 50af8854026c2e50971fd98a7ac7efc0ce8af044e1d2f6c378de0067cb0f2d81f379f435e44ee0a5ab2ff76d295ad2f225bc09a1c2d3a458f698c974d684ad0a
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize 13KB
MD5 79218353e126f9d5c9a4ca6e9b867974
SHA1 fae7528d18aaec9bed9734d784b58114259572f3
SHA256 5e35ad3b5a248057f8e5ae6b00ee74f9a1fe04e656c1c95968e289cb0e215e1c
SHA512 f747ab7ac020b1c528301c9ac01dc8ee092a0df5c618d79950c1774fcd585bac6c5808b416f80d66a78e2a9b998fe0b07e7b3a5e0ae020226e5287e0f04c0510
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize 10KB
MD5 b3bac3bb1c9553de510e859ed4574e9b
SHA1 ec886048805f5412799694f5a6dccef2a015f7f3
SHA256 5e033f8db1a5058f10678fcc047a621839a63c874184f43ff596425ef345c00f
SHA512 a9500087bd9743ac214a391c7800f7e53b3fcd0348703b1d54418259f4c8f002e0858799bc658eb54eb8c4a9cdded93d49468add0f202a8b2cfb4d49d68e6ee3
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize 12KB
MD5 c6227af1bd1230846c90d4a878dbab45
SHA1 f29e52a8d770e3deb511fa54de34f74b14fea388
SHA256 60e7f25483de01dfa3edb3e68764f9dcda27fc3f5fe9efa7a950d2713df8e891
SHA512 9ffca7e53f39a1e7632035d54df1b0098704e451a3c23b9ab129644b4f8c29cab1957c825559684609665036d55ec15632f348328c767370bded25c5dbcfa6ab
-
C:\ProgramData\Microsoft\Windows\Caches\{07060702-62E9-40C1-8DB2-3263C50BD613}[email protected]
Filesize 3KB
MD5 2b80fa2c3ac6103aade81f26c778d882
SHA1 c340f61ca3adc0576505138001e469dd890c8a29
SHA256 e62265b2fc997b2e5c2053f6bf23f7b85e7323e97eef703500ecaa1709115d5d
SHA512 8b97cde6b645833a00e2f4955d696f57d7b3c5c9c1fccaad3fc93c6456b1b2aee5a7c3a89770bc61c311627a311ce8de3cb2fede5b7df53412a924877f6d9db2
-
C:\ProgramData\Microsoft\Windows\Caches\{0D117D84-DD73-4973-9E97-7931BACD5E7C}[email protected]
Filesize 2KB
MD5 a48f08e0ae3758a727f3197d9e35ac34
SHA1 3f97d32adf64f57b3c91c54f87cfc7ee1907e0f4
SHA256 a3186f521a14ae68ee47ee4b2acf51f8b1b39351a471a3e9f0e04669b8ca3d02
SHA512 9430cc009edb99d6daad5f942cf6ddeb9c0181383dc4ecfd880ec570a029b5aad981cbe6fcb3904ab8bfa58fe0f9b762b8f4846ebd660b7f526b3ba3d6ecae18
-
C:\ProgramData\Microsoft\Windows\Caches\{0D117D84-DD73-4973-9E97-7931BACD5E7C}[email protected]
Filesize 2KB
MD5 eacd38852b81dd1b6e89fecfe423aa90
SHA1 744724c24830b9429868e8b3b10daabcf67b8222
SHA256 77b5acdc2dfc5b39525b94ef96f3e667c3bdb2e132f3183dc3190b83227324ef
SHA512 0d59e22989b856c74e9212e595b8b26c155b579be51907606b7f6c95472ca4bf66e51a9ad2b7bf6d86cbcae68f14d651c6116abe098a32c937aa083d2928426c
-
C:\ProgramData\Microsoft\Windows\Caches\{50BC2B31-83AC-4CEA-AE2D-B6C712F47ADA}[email protected]
Filesize 2KB
MD5 7941dc853474a85ffd1f7355458eb890
SHA1 9bb70ecebf33fe2f7e65b1f97d290822ead20ffe
SHA256 e836c54e733beb54125ef1ff57215b9a3f535c8d1d777ccee85efc39dfa109b7
SHA512 c1ca7e21cab84a738c53ee359208af35c102218e1f6ac117ea8b3cdb72ae5b9bc631b7f7d2f102c88c6aa1c4a02218889dbb168e845c30b8eb41697d86b8bb58
-
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}[email protected]
Filesize 191KB
MD5 f2ec120a92b723b6b684e03d058bf507
SHA1 e399b0a4c2da12928086038fc4ee1b44768b2ae3
SHA256 55ee2e24f42b5ebac07437639a4c6a756cf5bc33ee1f82ac5ad6f1e9349fe7d4
SHA512 4d92dd103060363fb545e9b26b835779a8eb9f20ef8bd72ed300f2dc68e544f6ec2f90435b30970c05da1f1df56e1644fa31e16858b1e00d7e3e22bbf9db1aff
-
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}[email protected]
Filesize 406KB
MD5 520cd9b3b53d322aa8f96d553f160a71
SHA1 8305602a325b580acdfb07f9659c7d02a284e1de
SHA256 2da2dbcb4247dcbb1b587c70cfced2175ce73e40e4b4170b93ebe5e68a98c47f
SHA512 284748d328a2b89f82ff051ed3ece3bedb3cc10970d467e22b3fc8cf760dc18294be171da5aa13521bcb65a770b434c92b9e68d98f53678b1218a67e363b515d
-
Filesize 9KB
MD5 38e420844fdd5e31e8fea8653d169b0a
SHA1 70527d2856f41931d5c4806dd033a4d0fa12fdd5
SHA256 631da3b1118b2545f06e8377f2624bb6bd7fd455f4f9a0c8293d153dc6e8fcb0
SHA512 a265027b0295fd6565f64e14b1b0f54cb7005971f8b1995cfb3c4fd912a75cba540f2fee020181282276026c0ca47008e5e0ee9a881c88859c99705240d65afc
-
Filesize 9KB
MD5 768f3572b3c1f9ddd6f3205371d1608a
SHA1 92da5e50b441eca04bbbf2dc251a991d88ca60ad
SHA256 d422942ad0b497140a383798a6e1f30b202a4817c412fbc1f721f46430fb948a
SHA512 4b05f446edcb19746a796d0ad3ff8950502a25d1aadf2b31e1f70ee459808e178794dda1dba1618696a93549d2db288905704dd9e8a4167166cb18b475bb0651
-
Filesize 265KB
MD5 4f05826a6acbe367623844aa10ae7856
SHA1 0234b38535cee833dd4aa8ceee5b850bd4ec2026
SHA256 29879e6ee4b6acf1cef4fd375e8bc2e33592893f4d022b1252ac8d7315ef6016
SHA512 df0e2e3c34919c3a69ff6cf0a5e8b6aab26416c8178daa9ac87c7aec46969d435e7479f79faedbb19f8bda1da77659764acffb6f7a3769ae16c24faa6d6718ef
-
Filesize 9KB
MD5 9496c9a347b61f3cbb440fe0a4d9ff81
SHA1 efbc6c774984f59bbe08087a570321fff38c87f5
SHA256 d1a0b3f9ca47d086c6536ebfca0b66545e8e3e60cc04106e2a4a2d10119d6fb3
SHA512 24558d5781719d328701403a06c0603f236246c03c1cb37c8655645404d6a120e9cc7addb53c466a433729e940d7f54512415b156e31289f4824ae05a62dd2b0
-
Filesize 2.0MB
MD5 ae90134934deed3e22a35d28dcd7db00
SHA1 0c0585277efed2a414d3d3a82401dac79cfed459
SHA256 47e1dcfc8ad546da9b7f26b62d6ecfe0924941c1c1e75ac71b769483abdf967e
SHA512 291d44b97c0de886b3a2c4b4ccafdc796aa63b447c8f624e364205ad6b9b2169445032a530f270786146687571f6fc0d61d1cfb52687e43ae0a5344938c94600
-
Filesize 258KB
MD5 b36e32f3dc68d1670518889f01cb9cb5
SHA1 0ba69817c2d26d34778674c5ffb3b9d192d871c9
SHA256 dfae30c29c69a6431828b83dddf0386b5b692c86a56fa844e8f31a05cbc25ec6
SHA512 09f46b47cabbbf271604615ede79b293af3fb1bce86ab2db609fe9d0656e6ea54ab30a877a44f01faf29ca6464525da87a7e3a5b97d378a4dcf3305ff975923c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Filesize 49KB
MD5 77e729b1c721183a0d034d3a663030c0
SHA1 f209303904e7805fbc27854f3597e01ff87d030b
SHA256 d2c5a49efca00a83a06ede90a2e11d26018b66ee980b884d7784472a10d891a0
SHA512 7df6388e6d2e858d4c1a40b715d0de2a4c6bd6dff50838270a4443c8309a145bde2bd521f5c9b7fb22ba1cc49046a2daa800a0bf79adce4eb01fd5f91d557095
-
C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe
Filesize 258KB
MD5 314e24a6def3af01f320ae5384c494e8
SHA1 15de9768f8ae8dcc462a9d33382bd86ecd5925ac
SHA256 053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131
SHA512 9f86fc4e295fa39db1c297dfd0d5745f55bacb74c6ab19bdb0b03c12d4c4e77957cb4712e8f6f7d866b3fefd0ce114a2d99b0e8ccaffc3c05d7054d75241ae0c
-
C:\Users\Admin\Desktop\[email protected]
Filesize 22KB
MD5 b876e23387c04f12102fe432af83fa15
SHA1 5ba5aa4402458cd712fd428e6939b4069cb5d342
SHA256 a833b1e0280b7b843c403b1855d3e07fdd25d3b2eeab281d9bd64c9b4dc6e929
SHA512 5ad0648499d301c865967cdc4ff087f9d04a2b3630539e51bf146119ff6fc85cf2522dcbd0c62498c8ef4940cb5fa314ead876c343217eab80e60e945b238e5e
-
C:\Users\Admin\Desktop\[email protected]
Filesize 237KB
MD5 f6376b2b1d788f5fc49f1da14a4477ab
SHA1 be81e1657bf0ef57c913b90892e98a7dccaadcf5
SHA256 9cdd75ae28c58b8d829c9bea863288009c23316de21ca7d96c2dfd64e885cb0c
SHA512 f8dfc2fe3792be1927d5678348e94918d7f8662188b5ce735294b5a104391bfab4da5a188fe32abae658073fd7f4657edfe394eb8770c4dc9e7d013241ebf77f
-
C:\Users\Admin\Desktop\[email protected]
Filesize 128KB
MD5 583ec09249dee1d00a6d860eac0b3ddb
SHA1 58740aa50ab6365f168b9cd9a36c47ec98ab83c7
SHA256 3a3873924166782dc63a1ec701259eaf06b0bec7813260af001ee74c2ebe9d6e
SHA512 180b294a0f217454e2f28a01bd574d0540d1e56c3fa58af22d90ee99c5bcee0feb25cda3c996dbc59313919fb83e14b93b6c0c0b2606a2ea415dfca1b7814624
-
C:\Users\Admin\Desktop\[email protected]
Filesize 328KB
MD5 9dca826121e257eece58603b62b3be66
SHA1 bc78af91586197d9f7c63d49f0790ca200ee3904
SHA256 e09c86ef4893921ebb97eb353dd665d7cd47cf91c0be8c9470621fd0882ad7d8
SHA512 72996e44fc4477128e48732e6a1ad3d642dadf8ed710b0be9322f690ae7e47bfa3848d2094002aa97528878ebecd86e0064c681d1c0e1b8464c25466b78dcfeb
-
C:\Users\Admin\Desktop\[email protected]
Filesize 246KB
MD5 b0d7b22856fc95a759870ca73f9eb72c
SHA1 f3cc6e454ce905937bd15e3909c854e0d128fedf
SHA256 e3cf76b93ff6b6e6fff4093de9af293af1d656e88fe9c6f6c501b0cf9f715156
SHA512 c3f06cf5312512f9676baf2dfabc3712e4845d9415a65bed768cc16deb3d7226dea540c7186dbfd32e1502075cd018bd357b20f6e1a9ecb5806b991dba785955
-
C:\Users\Admin\Desktop\[email protected]
Filesize 201KB
MD5 0c428b2413b9dac8d07308c3459a18b1
SHA1 77b4bd2afc5c3e92245d0dd5ee49971ebbb05151
SHA256 0197a0ea68d31334a6de8db7e19a5cbc7ceee86a2a542921ccb504189aebbd3b
SHA512 0fd768368dbe6a8305d251275aecb24df745be9cd1af471bfcb7b47df67ae24578c4da371599cd1e7717e6657f1979e2af565befa35f84592b7371e302c043bc
-
C:\Users\Admin\Desktop\[email protected]
Filesize 319KB
MD5 44ce84f1b19f772654a2acee347cd2a2
SHA1 01232b8010a9bfbb943538c2ad76eb74e52c8beb
SHA256 f8577014fff7632dcf2abe1e3342e2fa9bd14343db94eafb5e2d18ce65c50d36
SHA512 de788e3de62bc03d7c91ba52bba2a7e80454c311f7dfce6ea411015fc90e9e7c69db5cee37cc6edd9490dc9025e80dd81c8eb4a7471d5519a5cf56cbe22d9216
-
C:\Users\Admin\Desktop\[email protected]
Filesize 210KB
MD5 cfa4eedb02ecb09302c27392ac45ab8a
SHA1 458630cdb18611d1f0bed83ead6685a4786dc1a0
SHA256 15b626a5e3f9f7cc0abe406c36d5b4b2f47fa314070054d3d4dbf253b2730fb3
SHA512 1fc0afc8d891dca35ae21a6df3a31e24b86e6986bf5a7bdec4ca95f3cde66ee916d1fecf6637a2c9328f47e4cc39e0c4a8d83bb54794c43d773ea8ee37ac0848
-
C:\Users\Admin\Desktop\[email protected]
Filesize 17KB
MD5 05dd2a86d0819a64ee4147b966def608
SHA1 27feda7aa02265c17161f4eebcfba9281969b0c4
SHA256 3ffdb45b84b24b753d2e66334ada430c76917bd3a744276ec19863fd13a0faee
SHA512 aa80726120aa3209804a1ada61d9c94dd21836caa2cc04ea3b40ef03f8bfc855c995359ba612bee9a85de98bb60dd5b115732018f0021e599c167c70cab11787
-
C:\Users\Admin\Desktop\[email protected]
Filesize 283KB
MD5 0c6c1e90e5250d3fff1cddc1b1cf5204
SHA1 3c496687b0efdb0f86e90fdb1f32460ffe575637
SHA256 0c704e059058a3dba4d8594c119947b9fb75565f73ed6baf5da2a33fbfbe8841
SHA512 846d2a73199a94d90e3a72d6045eef650c2d980f1776af344560f777b5036b7cea2d443e2b510c00205f5a76de8c6a1f6c82f6cb50bd3a98edcdd50bb47a2195
-
C:\Users\Admin\Desktop\[email protected]
Filesize 17KB
MD5 72f74d0ec5e85728a9c301dd8dc78244
SHA1 b13a3f739e43932397edfa3212aa6d0ef36d96cb
SHA256 065308d90c692f7fc02719e9dc60071524f709bb2d14eb1ab9c001f79898f537
SHA512 a4ede483761e6d72e512e43865c6ab5a813ded1a2ab03e42d6bb44a9ff9fbc9ad7d71fabed1690ba081eb5ad4c0c96472dbbfb063c17789279a5b6956e45a50c
-
C:\Users\Public\Desktop\Adobe Reader [email protected]
Filesize 3KB
MD5 7b6a6fda31cea706baeff6a36eb5b3c7
SHA1 06dc9933b2a6e105cc1096fe76691e530c191b93
SHA256 e010c2e31c22b56285e8dff4daf333b22fffb468a8df9c411ea175af62b30014
SHA512 f093a80eba669763247f85b91115f8304177ae04fd436662099c13acd95c6644516f1dbb685f0e46fe438fbdcc6831f6a89fe42a2c1528f9db6c53f64a2cb847
-
C:\Users\Public\Desktop\[email protected]
Filesize 2KB
MD5 4bcf454bb318f56a4190f4a469dab94a
SHA1 8dc8f2e9af4306f92b35529c95e2eb3ea967009b
SHA256 2dc8a5ed6e69f598c06b060a2504144ef65d5507d59b2c479c55377275a93e67
SHA512 8c0e83582a5c15efbee22e2fd2d51aa1625274530bac6c7bd0466dd8dcab6b7fb0d3998a795079e3557d9e521178d1a0dea4a436b0abd9a744ae70e15654131c
-
C:\Users\Public\Desktop\Google [email protected]
Filesize 3KB
MD5 1c23a921de0997f4e588a10aa17261ed
SHA1 23b5dd5dd40532879a0e74f4bfe71b003b7d6c6b
SHA256 fa4ada9dbb16728020a22f554f247e42c132482c438d0d43694db2e5a9fa2aef
SHA512 c3b071a3c765a59d5acd5e8a51a16f02ee3281fc3668663ab9f03280b7712bd1c80c35bd8c532d9666c2345ad72d21c5715e3d5d9c99ff512f9d4de032fd0275
-
C:\Users\Public\Desktop\VLC media [email protected]
Filesize 2KB
MD5 984603b2e3637492c106e1aa03b9a1a2
SHA1 33c3b728e54d3e2d1b561639032f77d67fcd6b1d
SHA256 c7d749b47afc2de4cbafd35a1b781a90f29fb1b0c9c126769990d15fdd1c018e
SHA512 c72c8da205235d40520e1f0fe91f5378738ac7f2ae321e8212245e0ff3beac977586072cff46588fde3d12c45ed42940a3bfcf76226aabb8eaf5b22f59d9edfc
-
Filesize 14KB
MD5 b553b63041a28d7e5b52e19b9651329b
SHA1 7f4899945d9148bbc9b4dbd20775049fa69f0d28
SHA256 08ca31cd6e055cd6fbfce197d71727b5f8d6a19389f64f573815ff12ff841f7e
SHA512 688ad6acc4a8ff13fc14bd432866b9236694bd5b4fb16c85c7c02a4dea3cf4da64d327417d073bc6725236873c1aeb442f46a3442bf840175a930c1d02878004
-
Filesize 14KB
MD5 ee21f1e7fc3c8e3f5dff68e21fff8833
SHA1 53f70f590cd7b7280704a2b501510846b879fc17
SHA256 8566b4a7cbe31829d236f19ad36f17b06d8608fd51b372301248f0ffcb74c1b7
SHA512 14218f5abcb3b8767777a865cee71bfff243303815a986937af1e6517c59035953cbc84c2d02da6f4909867e67e2744a146610e39cffe2379176bb4c4a94c1cd
-
\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe
Filesize 2.2MB
MD5 f5f2f6c370db4b38bdf8032ea3ef2a64
SHA1 b5e188540539bc2b1d128f408160fa91e724c84b
SHA256 1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4
SHA512 f2216faac5d07fb2d6f3faf6cf1e18e94c0ada8aba35a8d2d8491efd1ada526d5358a592b6877a9783cc9b5e81dd54fec8b9969ffd650c0f8aff2e3243dbe18c