Malware Analysis Report

2024-12-07 17:10

Sample ID 241112-yn4caaynhz
Target RNSM00313.7z
SHA256 6c00dc53bbc28ea49a1998bde2de32e6b343cb5f8c10675fd324ceee1babf569
Tags
gandcrab backdoor credential_access discovery persistence ransomware spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file RNSM00313.7z was found to be: Known bad.

Malicious Activity Summary

Gandcrab

Gandcrab family

GandCrab payload

Drops file in Drivers directory

Boot or Logon Autostart Execution: Active Setup

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: RenamesItself

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 19:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 19:56

Reported

2024-11-12 19:58

Platform

win7-20240903-en

Max time kernel

64s

Max time network

67s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00313.7z"

Signatures

GandCrab payload

Gandcrab

ransomware backdoor gandcrab

Gandcrab family

gandcrab

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\Explorer.EXE N/A

Drops file in Drivers directory


Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A

Loads dropped DLL

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\drrkggiovtc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\sbuhay.exe\"" C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe N/A

Enumerates connected drives


Drops file in System32 directory


Drops file in Program Files directory

File created \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15056_.GIF C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\America\La_Paz C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Program Files\VideoLAN\VLC\locale\ka\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\EURO\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\grvschema.xsd C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5 C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Program Files\Windows Media Player\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\logo.png C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\Pacific\Easter C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\ShowOpen.jpg C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Program Files\VideoLAN\VLC\lua\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14791_.GIF C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\assembly\NativeImages_v2.0.50727_64\mcGlidHostObj\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\3bfcfe12488f0a2285f5f08274cbc13f\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\ehome\en-US\playReady_eula_oem.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationProvider_gac_x86 C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.Vsa\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_ja_b77a5c561934e089\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\PLA\Rules\Rules.System.Memory.xml C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\inf\usbhub\0C0A\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\Media\Delta\Windows Hardware Insert.wav C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\Framework\v3.5\SQL\es\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\PLA\Reports\es-ES\Report.System.Diagnostics.xml C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\servicing\Version\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\5ac17cc5b92efda83e2925857f4fa655\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\es-ES\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\v4.0_4.0.0.0__b03f5f7f11d50a3a\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\System.Web.Extensions.resources\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\inf\aspnet_state\001F\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\inf\MSDTC Bridge 4.0.0.0\000D\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\PLA\Rules\de-DE\Rules.System.NetDiagFramework.xml C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\PLA\Reports\de-DE\Report.System.NetDiagFramework.xml C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.SmartTag\14.0.0.0__71e9bce111e9429c\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_ja_b77a5c561934e089\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\8e1a0ff5d2f22bb7de74bb93081c8fba\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\diagnostics\system\Networking\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\es\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.JScript\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\1.0.0.0_it_31bf3856ad364e35\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\f0f10d0591d11a36ee2aa8ee2fbdb2bf\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\eula.rtf C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Speech\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\inf\ASP.NET_4.0.30319\000A\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\Framework\v3.5\MOF\de\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\668443fd7a2b8ee0c9d813bba224cb32\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\diagnostics\system\Printer\RS_SpoolerCrashing.ps1 C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86 C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\Media\Afternoon\Windows Logon Sound.wav C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\system.management.resources\2.0.0.0_de_b03f5f7f11d50a3a\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\de64901e4cd2074f5c70733ab5d7787a\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\Microsoft.NET\Framework\v3.5\SQL\EN\DropSqlPersistenceProviderSchema.sql C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1041\eula.rtf C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\PLA\Rules\ja-JP\Rules.System.Diagnostics.xml C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Registration\CRMLog\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\Media\Afternoon\Windows Pop-up Blocked.wav C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File opened for modification \??\c:\Windows\Media\Delta\Windows Error.wav C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.ServiceMoniker40\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data14bed3a9#\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http.Rtc\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\Dont_Worry.txt C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\nslookup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\nslookup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\nslookup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\nslookup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\nslookup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\nslookup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\nslookup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\Explorer.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\Explorer.EXE N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 632 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 2960 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 1372 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 2380 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 2036 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 3000 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 2020 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 1812 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 2388 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 2772 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 1716 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 2256 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 2112 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 304 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 2740 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe
PID 2988 wrote to memory of 2704 N/A C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe C:\Windows\SysWOW64\nslookup.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00313.7z"

C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe

"C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe"

C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe

"C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe"

C:\Windows\SysWOW64\nslookup.exe

nslookup zonealarm.bit ns1.cloud-name.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup ransomware.bit ns2.cloud-name.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup zonealarm.bit ns2.cloud-name.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup ransomware.bit ns1.cloud-name.ru

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Dont_Worry.txt

C:\Windows\Explorer.EXE

"C:\Windows\Explorer.EXE"

C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Dont_Worry.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipv4bot.whatismyipaddress.com udp
US 8.8.8.8:53 ns1.cloud-name.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 zonealarm.bit udp
US 8.8.8.8:53 ns2.cloud-name.ru udp
US 8.8.8.8:53 ransomware.bit udp

Files
