General Info

File name

GandCrab.exe

Full analysis
https://app.any.run/tasks/e5b89622-8cbf-42bf-933f-a9ec92cc6193
Verdict
Malicious activity
Analysis date
3/14/2019, 21:26:54
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
gandcrab
trojan
opendir
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

07fadb006486953439ce0092651fd7a6

SHA1

e42431d37561cc695de03b85e8e99c9e31321742

SHA256

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0

SSDEEP

3072:Ealy19emgKe0QuYS3UmWuDTEltI3S/7IarDrjCgrQp0M7W:EaqxxDwx/7IS40MS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Renames files like Ransomware
  • GandCrab.exe (PID: 3068)
GandCrab keys found
  • GandCrab.exe (PID: 3068)
Actions look like stealing of personal data
  • GandCrab.exe (PID: 3068)
Deletes shadow copies
  • GandCrab.exe (PID: 3068)
Connects to CnC server
  • GandCrab.exe (PID: 3068)
Writes file to Word startup folder
  • GandCrab.exe (PID: 3068)
Creates files like Ransomware instruction
  • GandCrab.exe (PID: 3068)
Reads the cookies of Mozilla Firefox
  • GandCrab.exe (PID: 3068)
Creates files in the user directory
  • GandCrab.exe (PID: 3068)
Reads internet explorer settings
  • iexplore.exe (PID: 904)
Changes internet zones settings
  • iexplore.exe (PID: 3984)
Reads Microsoft Office registry keys
  • iexplore.exe (PID: 3984)

Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (42.2%)
.exe | Win64 Executable (generic) (37.3%)
.dll | Win32 Dynamic Link Library (generic) (8.8%)
.exe | Win32 Executable (generic) (6%)
.exe | Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:09:24 09:47:02+02:00
PEType:
PE32
LinkerVersion:
12
CodeSize:
79360
InitializedDataSize:
114688
UninitializedDataSize:
null
EntryPoint:
0x6314
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
24-Sep-2018 07:47:02
Detected languages
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
24-Sep-2018 07:47:02
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00013474 0x00013600 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.57387
.rdata 0x00015000 0x00006EE0 0x00007000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.58949
.data 0x0001C000 0x000138F4 0x00011C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.85604
.rsrc 0x00030000 0x000001E0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.7015
.reloc 0x00031000 0x000013B4 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.65085
Resources
1

Imports
    KERNEL32.dll

    USER32.dll

    GDI32.dll

    ADVAPI32.dll

    SHELL32.dll

    ole32.dll

    MPR.dll

    WININET.dll

    XPSPRINT.DLL

    RPCRT4.dll

Exports

    No exports.

Processes

Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

[Behavior graph: GandCrab.exe (tagged #GANDCRAB), wmic.exe (no specs), iexplore.exe, iexplore.exe (no specs)]

Process information

PID
3068
CMD
"C:\Users\admin\Desktop\GandCrab.exe"
Path
C:\Users\admin\Desktop\GandCrab.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\gandcrab.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\xpsprint.dll
c:\windows\system32\prntvpt.dll
c:\windows\system32\version.dll
c:\windows\system32\winspool.drv
c:\windows\system32\xpsgdiconverter.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\xpsservices.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll

PID
3684
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
No indicators
Parent process
GandCrab.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147749908
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll

PID
3984
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\ZYRRH-DECRYPT.html
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\program files\microsoft office\office14\msohevi.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll

PID
904
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3984 CREDAT:79873
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msimtf.dll
c:\program files\microsoft office\office14\winword.exe

Registry activity

Total events
676
Read events
598
Write events
75
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASAPI32
EnableFileTracing
0
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASAPI32
EnableConsoleTracing
0
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASAPI32
FileTracingMask
4294901760
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASAPI32
ConsoleTracingMask
4294901760
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASAPI32
MaxFileSize
1048576
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASAPI32
FileDirectory
%windir%\tracing
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASMANCS
EnableFileTracing
0
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASMANCS
EnableConsoleTracing
0
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASMANCS
FileTracingMask
4294901760
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASMANCS
ConsoleTracingMask
4294901760
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASMANCS
MaxFileSize
1048576
3068
GandCrab.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GandCrab_RASMANCS
FileDirectory
%windir%\tracing
3068
GandCrab.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3068
GandCrab.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
3068
GandCrab.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3068
GandCrab.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3068
GandCrab.exe
write
HKEY_CURRENT_USER\Software\ex_data\data
ext
2E007A0079007200720068000000
3068
GandCrab.exe
write
HKEY_CURRENT_USER\Software\keys_data\data
public
0602000000A40000525341310008000001000100A72D39861ED186DFDCA939A61DBAE8A751C12022186CD5238B1F4BEDA6C8692B259A0E9BB76DC6AE313E37274B051B21B88D1E667F58F22FEF2F57C1E1B8EFEADECAB58EB2A5068EEBEC70F89E94D78D2663DF9485C3253E702FB11BC1652C89FF46C252D77FEEC31765A42E82B3BF272C291D761B3FC504CBA7307A959E9ADEE60B01AC67CC132DE529F8737662270DF3A45665D730B11880DAA560FA9A6A2DC23C2C0378D61F1FB08C8D0DB65376D5B43964FDC8431D0B92AFE25BCE29626EB92885437A1B6202C9FE1A6BD0C14411457985B342543AA401F14D8B076CA940BE778B4115AAD9F40FEC97ECBC34E670D6D4C60908B68818938945D23F16B9B9
3068
GandCrab.exe
write
HKEY_CURRENT_USER\Software\keys_data\data
private
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
3068
GandCrab.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{BB4805BD-4697-11E9-BAD8-5254004A04AF}
0
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307030004000E0014001C002000A300
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307030004000E0014001C002000B300
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
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
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
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
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
DefaultScope
{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
3984
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
01000000D08C9DDF0115D1118C7A00C04FC297EB010000007A30EBDB371C3245A3B66ADD802A09F7000000000200000000001066000000010000200000001F6D8DC096330D5D1C6F74435D0E20B01B3B87210DD474F1686393A94988BFEF000000000E80000000020000200000005270FF53A6D51ABC11DE9D9ED3721C890CFA1B5EC12402CE8D37EFF62E4E3BC410000000C96ADB304D595378640ED7EC74AC1F68400000001383E54F382FF984202C120C5B9CF84EFE9F8E58E63F8B6ACCAAAE5F9E776FFBC7196DF6314C74D389C99EAE7D4C0C6E7FC61CD412AA44695C944BB3954E131D
3984
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
3984
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
3984
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307030004000E0014001C002000D602
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
13
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307030004000E0014001C0020000503
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
43
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307030004000E0014001C0020007203
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
28
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
904
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
904
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Microsoft Word
904
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Default MHTML Editor
Last
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "%1"

Files activity

Executable files
0
Suspicious files
277
Text files
208
Unknown types
7

Dropped files

PID
Process
Filename
Type
3984
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata.zyrrh
binary
MD5: ce680744e8844462225afea8ffa24429
SHA256: fef77273c68bd551f670c4ab82a74fa1d812fddf01e80963a502625461c5733d
3984
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 8af188b5f21344c266387653bb5dfb92
SHA256: 7856597576130d491b06fff7e4425c1aac5e029ba8e1457671dbde20b2156537
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 26a7fdcfc3b6efc8d54063ac3f645c2a
SHA256: 51f989c70081a77dd0313787e87f32c9d9f34c06120f88c2fd6a7f7ac5e61206
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: a3365706bc1f6bb78321d707718dc2d5
SHA256: f6e6ab006907b82416640cc86b776d9e02eef59d79f9c32997b08325cc12ef35
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: c17c261d479480cec69cbb4c8c4c3d08
SHA256: 99818d97848e99f070eca60bf886374e041e798b85248dda87a6ac71aa3ce637
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Local\Temp\pidor.bmp
image
MD5: f1c74cd4dee6374ab98b405524c30acc
SHA256: 3ed4532fb26f7bc06841696b9837d5f1fea31fd8a6079a9b230540b939982297
3068
GandCrab.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.zyrrh
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Videos\Sample Videos\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.zyrrh
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Recorded TV\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.zyrrh
binary
MD5: 4c0e39e31e7692dc674174fc36fa44b2
SHA256: e4e23c257535658d3e9ab8d394746db3ff44c8e9c2445545fb84f5873a66d77a
3068
GandCrab.exe
C:\Users\Public\Recorded TV\Sample Media\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.zyrrh
binary
MD5: 801f2032594c641bb62f4b2f252e28e7
SHA256: 66cdefd95a7ecb1dd573e5cbd0f87de83c67855aa34068498f0f706e09749f67
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.zyrrh
binary
MD5: 1b14930153f2c8aa270b8b5a7adc3714
SHA256: d8ea7652e614a819899662c2d8cf144b98a3b07164f1528b096da1cd61007125
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.zyrrh
binary
MD5: bdd02f65046252d7ec077cb3c1ef9d8f
SHA256: 062a8bf6988933aaccc46334937031976e4ff302a6b7dcde705d69325ed1ace7
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.zyrrh
binary
MD5: 119c66dea5d7bd60d5f88a4bc3fd25ff
SHA256: 68de3de7c672ae4dec9849d4db7067357c5d47e264a44179d952d45c9b50c60f
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.zyrrh
binary
MD5: 792d07553a83766f638e19ee5d30c230
SHA256: 17cad747ab0c63c515c3ea0923e6fdee730eee0d2ce35c65b11feee40e237d8b
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.zyrrh
binary
MD5: 51e0e7f25c702448134a37ba993dc51f
SHA256: 482c1001744832d03ae6c897346a759b06f4b803818530b11c01479b8a2ab1c6
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.zyrrh
binary
MD5: 0000e9976513876f82befc6c24e9b91d
SHA256: 826b888ccb954d25d04fa66e54dfb14906de78c465c50cce2be347eab22047d8
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Pictures\Sample Pictures\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.zyrrh
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.zyrrh
binary
MD5: 090d7bbb965bcf27022379b10b6e6679
SHA256: e7304a40c8335b6552149da2815a3909d4d5a76ebaef73ebe74ef20dc7da177b
3068
GandCrab.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3.zyrrh
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Libraries\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Music\Sample Music\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Libraries\RecordedTV.library-ms.zyrrh
binary
MD5: 281aa2c3499581780880e78b511e8d20
SHA256: 157b9f17bd59ec75509ecef8cec16397fb317629b28f7acdbd1b8c673712a949
3068
GandCrab.exe
C:\Users\Public\Libraries\RecordedTV.library-ms
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\Public\Favorites\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Documents\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Pictures\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Videos\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Downloads\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\Public\Music\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.zyrrh
binary
MD5: 34eb8036468af858e5b1766e1f4298ed
SHA256: 2171db28eb35ff277d85c4b8acd9e9efa6d2872dbae94160b2c1840ad3fc7e97
3068
GandCrab.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Saved Games\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Searches\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.zyrrh
binary
MD5: e062fa8dce03b8e38666be3a791454c5
SHA256: e902f49d4c4215eef8ba3a506b455aad2aea43c5fe77b64e854ec49555161c6f
3068
GandCrab.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Pictures\poteachers.png.zyrrh
binary
MD5: 8e5ee7b216e3f2f07b0e2cb2f1e9ab63
SHA256: f8bba1cb78232d8bd106f3002223eb4262ebffbbe7302e92163af4bc4dfa13ee
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Pictures\lotsee.jpg.zyrrh
binary
MD5: 99a0a0d2c18e892b60ac5c9d4812e5ba
SHA256: 5e3163385c0e87900f1cfc65c6c1f9469bace689ea14af7a0941e284e22fbb81
3068
GandCrab.exe
C:\Users\admin\Pictures\poteachers.png
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Pictures\lotsee.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Pictures\anotherplayer.png.zyrrh
binary
MD5: 81e4877cc7a9ab89809cb82cfd37d39a
SHA256: 34dd188c86907d49cd92cd39b40c3315d071ed3188bec785a7bf3d0e75164347
3068
GandCrab.exe
C:\Users\admin\Pictures\anotherplayer.png
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\ntuser.ini.zyrrh
binary
MD5: 4d1d3bcc4748e00c30e9a8314f881c7b
SHA256: 8773cbc593f0f9f8143294e1ceb1832a02470134bda2b137370033b952659078
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\ntuser.ini
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.zyrrh
binary
MD5: ab17e899f8b6a309fd0ef17128ad25b3
SHA256: 4bb8d8e1e946d3980fa4a649a33e0376a832d9b898b782dec28972b8aa1d884a
3068
GandCrab.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.zyrrh
binary
MD5: 750d039c5f5b60d4aab9829a476b61f8
SHA256: 477d70974669d1e94226fd25fc246d5af529a1ca287ee454301005b95d781cd9
3068
GandCrab.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.zyrrh
binary
MD5: 15072da7e4470e13e43b9c9971623c7f
SHA256: 04dbe8e8280ac3fdab4e633004c5e6b9885c62f1358115fcefdc87404ff0e941
3068
GandCrab.exe
C:\Users\admin\Links\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.zyrrh
binary
MD5: 8a83f35978767db3f853d5c612d87181
SHA256: 1731cd54c0a192aa208659999aac34b331088b97365c7576970054072ed0dd54
3068
GandCrab.exe
C:\Users\admin\Favorites\Windows Live\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.zyrrh
binary
MD5: fad224d1571c87b0d35fbc04e31edfbc
SHA256: 0f5c2a4c230ce51b2b0281353a0a2e5a0c8037f7da117477e0a34d0f2698c073
3068
GandCrab.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.zyrrh
binary
MD5: 55e81d840ad915da8ae6854f0bfebe04
SHA256: 779a579722c5bddf6de7597c76cadb9b3c6d9253b991d58814ccbc10c371687c
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url.zyrrh
binary
MD5: f3c2b7e62fd0ce0bd1b4e92df343ee92
SHA256: c12d326c969e5be846e8535a99f5b456b6e8255f1beff5cb7ea61818bec10d3d
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSN Sports.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.zyrrh
binary
MD5: 33d528937688faf344f8160dd2723a01
SHA256: 862cfc432a3f7e6c81016249e8e28f910b8eeeabc97cb53e718e3439a1fc9292
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url.zyrrh
binary
MD5: e1538feb0194d171b35dc9fbdf65e038
SHA256: 872320a92092337665ef45d234bc61869d877357ef46791694c2ae102b74bebf
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.zyrrh
binary
MD5: 03bbf19afc1c890241fe369c99bd1016
SHA256: 6ad2447c8ea82a972f5ef610377c431e8422352a748d213363d289408ea1ab37
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.zyrrh
binary
MD5: 2ac8fa411e78f182f88cec59ce78f24e
SHA256: f7cd4f0818c7709e60f4ba8d49b6bfc1829e324f39d1ef8a4e8a95625f8bcef8
3068
GandCrab.exe
C:\Users\admin\Favorites\MSN Websites\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.zyrrh
binary
MD5: 43609b6b1a7e1e1109b6373d268cf3a3
SHA256: 8c6f9e88fdceb15cf1e7533ad3962320086c9238c9c879791a78cd7a2d1f1ce1
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.zyrrh
binary
MD5: d3027f6fb151107a5e8e13b6b87d1046
SHA256: 549554156d4dfc3fe6a1ee20563ea86739f9bcb587a5651f4369bb4c4be1f582
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.zyrrh
binary
MD5: 958ebf36b0a13b981633986fa8cca77e
SHA256: cb2eeb041e76c6f9489646e8bd22feb3e9b5678d7f0a6e6e44bc89d7b5a6124f
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url.zyrrh
binary
MD5: 3475a0ad8f79bf0572c7e9ff12745a4a
SHA256: 6f6eaac949bcfb9a102c7357e56c0154b0692f955a7e650cba0566246fe84f86
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Links for United States\USA.gov.url.zyrrh
binary
MD5: 2267ec6f0b41d20e1e0f72d98477c8a8
SHA256: 1c12390dd8195344ab8693ca67b5dc33f6142fec5185659fbc850e3e38c41075
3068
GandCrab.exe
C:\Users\admin\Favorites\Microsoft Websites\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url.zyrrh
binary
MD5: 401ddf484dd2ac93ce7d96224aebc8b5
SHA256: b7424ee9d4713e8d837a7fc5c22ca36a08fdab365f4fa22f03c37279575b12f0
3068
GandCrab.exe
C:\Users\admin\Favorites\Links for United States\USA.gov.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Links\Suggested Sites.url.zyrrh
binary
MD5: 3e6d45d8e3466abbbce6c9f2af57191b
SHA256: e2248313abaa7651ea80bd2272b0513ff32029fb873b2a628c9e3c03760a0d59
3068
GandCrab.exe
C:\Users\admin\Favorites\Links for United States\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Favorites\Links\Web Slice Gallery.url.zyrrh
binary
MD5: b8c76feaa24186c15ab3bd4ab6a90618
SHA256: 94a8ee0f65ad9f03a1e2d722f3f752f76ef00e0a94ba1a953107a38fc0638487
3068
GandCrab.exe
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\Links\Suggested Sites.url
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Favorites\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Downloads\publicalways.jpg.zyrrh
binary
MD5: cc0896d07f1f7b6e969c827a9bd72408
SHA256: 3e38e1685dc7a254e58c366f3c4f6488c5c6cb0f58f79dcd61e5ee15855792ce
3068
GandCrab.exe
C:\Users\admin\Favorites\Links\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Downloads\publicalways.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Downloads\plansusr.jpg.zyrrh
binary
MD5: ae848d77284ff2478bc8d6c3740ede8f
SHA256: 00153aa766b2f4c33d751499d44c0464b62e2b657eb3f0d21cd0a94d92fffc4f
3068
GandCrab.exe
C:\Users\admin\Downloads\matypes.png.zyrrh
binary
MD5: 3b43c1bf0f40d7a601bacff404b30802
SHA256: 74301b385f99597f61fa8814865de3a78caa82a2a2ed18c411d4d1965b13b95d
3068
GandCrab.exe
C:\Users\admin\Downloads\holidaycurrency.png.zyrrh
flc
MD5: 8831477dab84d2463f300b50937a2236
SHA256: 0f03c2d7c52e36ad6ce58be6249c88b028dfe91eeb174b120679ec444023746f
3068
GandCrab.exe
C:\Users\admin\Downloads\matypes.png
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Downloads\holidaycurrency.png
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Downloads\plansusr.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Downloads\frifew.jpg.zyrrh
binary
MD5: 26a2edad318ff153a32a835128b48955
SHA256: 166dcb120fbc9d67fbc0ec69003cd1095465eb6bf4a0e408acd1127210b16be0
3068
GandCrab.exe
C:\Users\admin\Downloads\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Downloads\aidstone.jpg.zyrrh
binary
MD5: 522558e66ea849780d2fed7208f0ae85
SHA256: c93049215f15453d63f279b504d92ebf32bf72fe5c3d1415de8f62645964f60a
3068
GandCrab.exe
C:\Users\admin\Documents\talkfeature.rtf.zyrrh
binary
MD5: 7f680bb41204f390b9f93fa9be009c0f
SHA256: 758a60c9dd9a08bc6681fe145026f198619b2fd93779c0d95256ed029fab339c
3068
GandCrab.exe
C:\Users\admin\Downloads\aidstone.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Downloads\frifew.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\talkfeature.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst.zyrrh
binary
MD5: 97ff5b2bffa06848ea0140c8421fe6e5
SHA256: 3af0d4a33e7b4cc7b31930832cab24a0948ab81e47d6e33c04ce5108d819d714
3068
GandCrab.exe
C:\Users\admin\Documents\protectionpurchase.rtf.zyrrh
binary
MD5: a3bfb8582389ad658ec2b8fab428f217
SHA256: fbc3d605c002e5f657c06d3ec87e700962404854a9e0575ea272415168164fba
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp.zyrrh
binary
MD5: 328998f242d6d9ab9f3eb4a70d2b5e5c
SHA256: 550a4f1f7615b4993ec669a158c6b8ebefd823689b823e080bc53b1d2d399686
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\protectionpurchase.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.zyrrh
binary
MD5: a2e8cf51b7c587dda473688cf8da1f67
SHA256: 83f0fa15ad34236a06c15ca027fe19eb47dd943d8c2e6d1a7b0e3383cea4b197
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst.zyrrh
binary
MD5: c895e4bfce6ae6ea6ff0d9fc03a58591
SHA256: 668047e311cb22c6e1e5f31333095e419cfe41f375cb0b532659352d9da9d3e5
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
binary
MD5: be836ed2e9f66033132a77bc0b4b925a
SHA256: e4022cdf27100912fe4ee8ba82bf59252d563667b191f8b631cd4a4611f249c3
3068
GandCrab.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one.zyrrh
binary
MD5: 3d748b9f4633d0fd1ea95bdd86f32bb5
SHA256: 51bb271ba8227d319d1c46cf6196986cab2fe1dc583947c2b41679dbd7978912
3068
GandCrab.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one.zyrrh
binary
MD5: 79111b7d945a8c58cb9a800b6d50cd48
SHA256: a0026ec9804467e1018973d1c83b7d0b3e5eeffbc4c0eaf4166979c2326ef46c
3068
GandCrab.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2.zyrrh
binary
MD5: ffbbf3448bb453f508c743897688fae8
SHA256: 0ac69c0df89dfe37dc44740d648f730c003c2cfb4a57b909f97a0d1436968436
3068
GandCrab.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Videos\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Documents\OneNote Notebooks\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Pictures\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Documents\nokiadating.rtf.zyrrh
binary
MD5: 398e146419bc62d668ec186b92bcf53f
SHA256: 39dba71023f93aea085c2bf06ea981f24df3e1f66ae9e2fa1ac15b8c7a1c4152
3068
GandCrab.exe
C:\Users\admin\Music\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Documents\milfsponsored.rtf.zyrrh
binary
MD5: f013f1dfd810a7c6c53a1215720c515f
SHA256: 11c8025998c2232047620289e6b3b9bc6a3dee0c979b18f9629bd813323fd3f6
3068
GandCrab.exe
C:\Users\admin\Documents\nokiadating.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\milfsponsored.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\lettersgmt.rtf.zyrrh
binary
MD5: 0f7ad5b8c257f0d3ed31c7f088e7e154
SHA256: 06f8f30834a9a8ef5fec57085e2b01f8e793156686b2b5499852705291ca74fb
3068
GandCrab.exe
C:\Users\admin\Documents\lettersgmt.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Documents\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Desktop\wwwwestern.jpg.zyrrh
binary
MD5: d2a6f591d53906757ce185d0356bf827
SHA256: d871465e3d9158ffdc39d6cdf4587991643dfdb901576d52b4eebeae418b2e30
3068
GandCrab.exe
C:\Users\admin\Documents\associationyoung.rtf.zyrrh
binary
MD5: 1adafdb8b6af80d731067d4b5960ca1f
SHA256: f989249dde8e7053fa7870adaadbd1b6e56c3b1a024b9ee2434a5f76529b0c94
3068
GandCrab.exe
C:\Users\admin\Documents\associationyoung.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Desktop\wwwwestern.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Desktop\vacationhomepage.rtf.zyrrh
binary
MD5: 44044d2b1a650ca1928ef8329acc1796
SHA256: 57c3cf92650c4aa0ac9563694a3e61df30ea8951c6f1d2ade2d25a79257c03aa
3068
GandCrab.exe
C:\Users\admin\Desktop\vacationhomepage.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Desktop\usrno.jpg.zyrrh
binary
MD5: c3881342b64fd7f01ea5964a5f4630f9
SHA256: 8b6eccf4030e55b9217761e9adbfab8cd301b7990f9e6376c44a0c709228512f
3068
GandCrab.exe
C:\Users\admin\Desktop\sunde.jpg.zyrrh
binary
MD5: cef385b7d9a9b08787ecdc08eae27f2b
SHA256: 91753bf65eecd762baeaddc051b41775206035b3c78e58550074cd1382516089
3068
GandCrab.exe
C:\Users\admin\Desktop\usrno.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Desktop\sunde.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Desktop\stationenvironmental.rtf.zyrrh
binary
MD5: 09f86e94d43935b8c4537db1d591715d
SHA256: 617e0de329d1ec6da016f45686c6c72543149d3e64f0f70560df939e18f09540
3068
GandCrab.exe
C:\Users\admin\Desktop\finalcustom.rtf.zyrrh
binary
MD5: 5fdefe5c98b0a5564789cdab8d397e04
SHA256: afd5c0567e6366e1ce8b74a985744fde4b802e631647deded8438418687eb328
3068
GandCrab.exe
C:\Users\admin\Desktop\stationenvironmental.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Desktop\desktopfrom.png.zyrrh
binary
MD5: ddc4a8c68cf3bec8e2cede716038c7ff
SHA256: 56e6c7f255589b17807660971b91f112014f09d6b2acd1d130a5198e56232d58
3068
GandCrab.exe
C:\Users\admin\Desktop\finalcustom.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Desktop\areatechnical.jpg.zyrrh
binary
MD5: 9909d7577ad85d156d9e5952c3beffae
SHA256: 98ba2d63566c649f7bca29c9d9a9bc71ae9e4534887bbe08b83239c946679233
3068
GandCrab.exe
C:\Users\admin\Desktop\areaon.rtf.zyrrh
binary
MD5: 92989e2c7ffb8c57c9151390c1a45508
SHA256: 64a73f1f081a386c6cc708df58126300782fb52f78ac19a9296971bb5d8b073f
3068
GandCrab.exe
C:\Users\admin\Desktop\areatechnical.jpg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Desktop\desktopfrom.png
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Desktop\alloweddocument.rtf.zyrrh
binary
MD5: e6c330c6c55674047c211eab1e3e702b
SHA256: d3e9177f84a073ea379dbe8be778ae719c1b510070b731d60bbc1be80cd38f69
3068
GandCrab.exe
C:\Users\admin\Desktop\areaon.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\Desktop\alloweddocument.rtf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Desktop\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Contacts\admin.contact.zyrrh
binary
MD5: 8d170373c9f12207a5e47166f2d44a53
SHA256: 9755d963713d62617adb4a76c479e9b75de994000982083ddbbc3a6b6e4eed29
3068
GandCrab.exe
C:\Users\admin\Contacts\admin.contact
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Sun\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\Contacts\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\WinRAR\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\WinRAR\version.dat.zyrrh
binary
MD5: d46872dc74aa03464fe014a038c5d58b
SHA256: 265946dd723e82bc47dd2342e787188e2949e076539d62a4b3b8adab6a78f176
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf.zyrrh
binary
MD5: e5eb66a4afe02e6ac0e67ca91ac311e0
SHA256: ab526e0ab45ca5f4466f92f61c5f35da5183ab629c4f0a9d1f6cd8a196e4d100
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Sun\Java\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\WinRAR\version.dat
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf.zyrrh
binary
MD5: 4872d13a44ce90e915a85648923adb44
SHA256: 8a3a9e5808bd586e8b11cbd61fae4495fc9da6813d9584a73841adf307706b70
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf.zyrrh
binary
MD5: 9d1c0ccef2ff0a3b0ae20eaab05dcfd2
SHA256: 7c15624117c16bcead8e18d5e088edc020f6df8dee6982ccf5ad4b2bfe175b6d
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db.zyrrh
binary
MD5: 874a2fbe3a1c50a00d89e2ffcade768e
SHA256: 218c199c761c18611c551ec9dc2d770ba53f7256db79c281b8dd6c812acf9916
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db.zyrrh
gpg
MD5: acce7f35a6b6e0ea8b7b3159a63948d5
SHA256: 6ba1089793f00b2a543a61f5c1ae59f43bd44ff6a77ff93a6c9c554e1800a832
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal.zyrrh
binary
MD5: 0ace29c69dd428d744caa09ecd88ce42
SHA256: 3669ccc63d38458b22eaeef0bba19d21b8f38ef70aec9cb04b6c229c304b57dc
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\logs\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\shared_dynco\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\shared.xml.zyrrh
binary
MD5: bcf93dcf968eb3c26ab3efb597e369f1
SHA256: fe6502e3a17329480e74a4e9ed637dd0aaf30f529e517a4ed0d3584ec5885cf1
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data.zyrrh
binary
MD5: dd8efc2c9482cd45ac348c34049ebf34
SHA256: 6ed32860a8744abb633d9959880bbca53616690d28619e9c94d347f7d0e98b60
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\shared.xml
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\DataRv\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Skype\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.sqlite
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\journals\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\1.zyrrh
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\1
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata-v2.zyrrh
binary
MD5: 36741691b69616f49a41c88a28f49a9d
SHA256: c05fd33b3814d79ddcdeeaf52c1df0ff7d83c3abae65e26d0dcf7149ff4b58c5
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata-v2
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata.zyrrh
flc
MD5: 09d85c878ef3359eb884c569a15a16c3
SHA256: 620fae481c5db647c91f87dd4d086bcc2c82801b2c4c4f4291e1db07663ec976
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\SiteSecurityServiceState.txt.zyrrh
binary
MD5: aa9907a6b608020feac60e22b7138845
SHA256: e3d34fb6f8d6641dcf1f7b0ea0293d59358c194f5621d04f296389deec020787
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\SiteSecurityServiceState.txt
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4.zyrrh
binary
MD5: 6c51d6c3e3e410637eb3bb9c961d20f5
SHA256: 8a9b835dcb052ce0a072505f3c2fc27e1338d5fe97d96baee2bd1340d0310cef
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\previous.jsonlz4.zyrrh
binary
MD5: 3dcbaa4076da0502e2000de6379cd248
SHA256: c248368263d6afd0996ba019dac6506d893449c3a4c71db3b0874dd9e4a272c3
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\previous.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.zyrrh
binary
MD5: 2387672f5bd8221d41b0358371d16b04
SHA256: af3b58d4123eba2e5f8f4f905f827d0aaaadd91506f3bf6cd569e651ddb5d0ef
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.zyrrh
binary
MD5: bf72e05b6b3120397510aa21c9e90d0e
SHA256: ec84954a779e7a929f5896bdda4453bd4b6cc3e4cbc4b7b62cbbaaa6d05c7d29
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\saved-telemetry-pings\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\revocations.txt.zyrrh
binary
MD5: 8a3f0282b885c38b71fd1650a5b30477
SHA256: ddfe096bf0d1beef3b1a5be280d77ff5ce42b560937a3b9d3ff42955c9dc5bd0
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\revocations.txt
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js.zyrrh
binary
MD5: 9644bde4121538a8e6e05108319d465a
SHA256: 80de6ef8c4d16ff7a04d14e48abe0274f51115dc67afa24251dc7aae887a0e97
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.zyrrh
binary
MD5: 6ae09de35b32fd7104023741069b6b25
SHA256: d0c76202f0a2f0cf7687e608809aaab47f1a9118e081bbbae957246933f86056
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite.zyrrh
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pkcs11.txt.zyrrh
binary
MD5: f3ffd254c1c83cc3cacc5fbb586f1391
SHA256: 9d1c66a3ca384c21668df5039662d6582f18b4f11d486790171651454f5b1615
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pkcs11.txt
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\permissions.sqlite.zyrrh
binary
MD5: 18c29b28270f166c333e6475fbfc5267
SHA256: 9c48160dd3a9a22f9ad18148efb030a6ed9c64df23a7b43a85358de6666b9370
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\permissions.sqlite
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\minidumps\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\logins.json.zyrrh
binary
MD5: ff34f30f9d9fe17820a23ac6cf1605bf
SHA256: c9c745f7f85dd12c692f1ab5a0367183b64db59b7a56681259beb1226efe3448
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\logins.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db.zyrrh
binary
MD5: b8612fc2ff8a5f5acce4ceee0a34d7b6
SHA256: bcb868b507cbc1fc13d50130b9a57cae433b24067b781e2522a898cb37003f51
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\handlers.json.zyrrh
binary
MD5: 97970f11cd8527c14aac990799add4a2
SHA256: ed20cf59ba1bd702ff2d9ed33dd922bf7d2d81bfda630187de886578de462162
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\handlers.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.sig.zyrrh
binary
MD5: 72ce3f8e41a325b80ba56e70e173375a
SHA256: abe509b3f9d723505b53880c75991386f3eff8f6d18a8727662661b1acaaa6a0
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.sig
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.lib.zyrrh
binary
MD5: d0e0a254cdef5fdea54e36689ba9e2d8
SHA256: 26950906e04786f8b2e52505a8151266ce3dada04a7075bdfbbef4028dd8d599
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.lib
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\manifest.json.zyrrh
binary
MD5: 6cf5643c3a9b90b5a8a732361f077a34
SHA256: 1bbb5d99ca3b40478b82fbffe6083ec5c35e3a1e713a4db0d73884ec1ba831ee
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\manifest.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\LICENSE.txt.zyrrh
binary
MD5: 71e051baf81c805d2538676746d1771c
SHA256: 4055562de08a4d07894b8ddff2d265007b69018f02d669c6e6c08b41043b5066
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\LICENSE.txt
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\1.7.1\gmpopenh264.info.zyrrh
binary
MD5: d9f499d98e5cc417a6479f20a8279985
SHA256: a47b906c0ff53382b899961e8d07328a76a0faa3f09ce478a2d6654181eafc76
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\1.7.1\gmpopenh264.info
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\1.7.1\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\formhistory.sqlite.zyrrh
binary
MD5: 58a6d3cb8b1d0e2a3adb9388436b4a5e
SHA256: 5ac32d1f4f0240a05a8cbea7b8abdc9f9181ddf69bbb1168cfe99d8ea06ebdd5
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp\WINNT_x86-msvc\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\formhistory.sqlite
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite.zyrrh
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\extensions.json.zyrrh
binary
MD5: e86421f6929fb04afa8105e149e9c40e
SHA256: 837efd089fa55c4d398f1f31a693a86bbec4e5270c586f809b658cc02d8d321e
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\extensions.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\state.json.zyrrh
binary
MD5: 7f4d100e65a665b7f21dd6cce18c1330
SHA256: e4c521ee714b5d2cbd2bee7647d7579ef5d67ed817532587a54906457759ff94
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\state.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\session-state.json.zyrrh
binary
MD5: 0c890c1176245bbba28faeb6f2a024f2
SHA256: c76a1cfb93c1efc7ece73723d83a20d0961b4d34d86dca5d2d5734753e18637d
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536511076670.6fb1a61f-96c8-4004-a260-a8d32e45a07f.main.jsonlz4.zyrrh
binary
MD5: a2ad424e21b5e0ac1ef62cdfb7f838ae
SHA256: e12807e41939b499c95454d9e0ec750f11766daf69749f4d9244bcca59a68d36
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536511076670.6fb1a61f-96c8-4004-a260-a8d32e45a07f.main.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\session-state.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510890757.0bd2c0b0-6051-4678-a27c-37f3c0a0c3bf.main.jsonlz4.zyrrh
binary
MD5: a9f746e28e2cf6affe2ae538b33c8211
SHA256: d9cabe2a101dfcb192fbb7d99750501a391203827aa00f0f3a55054a9c7c69b5
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510890757.0bd2c0b0-6051-4678-a27c-37f3c0a0c3bf.main.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535455254239.6a6d1f6c-b378-42bd-83d4-6375a8d83c94.main.jsonlz4.zyrrh
binary
MD5: ee1889c44ff21b300fdc788c68087aba
SHA256: cb752f0d5211122aa8f42ee73742fb003d293d9fc78ee41df3aac1078dcc2121
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510464398.048632c6-c96b-486d-b119-7e1a7a9c9e9a.main.jsonlz4.zyrrh
binary
MD5: a1d108c7023bbc85f53b915738d5a20d
SHA256: 120fbb7f99578f8a4e71b5cfe3dcb29032944cc208d45c19201af4cfe303f43a
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535455254239.6a6d1f6c-b378-42bd-83d4-6375a8d83c94.main.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510464398.048632c6-c96b-486d-b119-7e1a7a9c9e9a.main.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589777.8901d324-d310-406e-8d96-2ba1529e4bea.first-shutdown.jsonlz4.zyrrh
vc
MD5: 0f64caf2327d420ce5217569f42c0240
SHA256: 91fa7b83f9376992aaea3686e3527fad41f4175014139338b64a0e93934043e4
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589776.07f73e80-2b12-40ae-97b0-fa87f3167670.main.jsonlz4.zyrrh
binary
MD5: f9250b4c58309dea6af985640b517503
SHA256: cc922e996c15442a9acd795ea76d765f0ccfa7a374d1d93ce0e1db06eaa8dd69
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589777.8901d324-d310-406e-8d96-2ba1529e4bea.first-shutdown.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589776.07f73e80-2b12-40ae-97b0-fa87f3167670.main.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454581431.ff499cec-8d4b-47de-a059-a9aea3d69a66.main.jsonlz4.zyrrh
binary
MD5: f9ac39031e7984de90697703219a2efb
SHA256: 6726a2e46425f3c6618acb0f86d4ee4574f80038a6d1396c11b24b307c340bf2
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589752.05c13197-8f39-40a1-b976-59f6f9c1cc5f.new-profile.jsonlz4.zyrrh
bs
MD5: b3baa5b4bf39e2392750934cbfa58c23
SHA256: 1db111550613c69789319cbcf061a64aabf2bdfa2cfc88fe935955ced57d5f48
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589752.05c13197-8f39-40a1-b976-59f6f9c1cc5f.new-profile.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454581431.ff499cec-8d4b-47de-a059-a9aea3d69a66.main.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\store.json.mozlz4.zyrrh
binary
MD5: 7db9f572187b4dbb88b5eeb63cbb349c
SHA256: 0e4c6ab760bbb11eace1b5c7a17ab36408ecd9ee57414f11e9e8d0af8f01db83
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite.zyrrh
binary
MD5: ef5741b1e89d4381f59c8b10635294fd
SHA256: fee2c3b8fd82949f56cf3fbbb93769667ba72d166b00db946fc24541a17c4310
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\events\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\store.json.mozlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\content-prefs.sqlite.zyrrh
binary
MD5: 2638fd8b7b30796778b784fdbf19579a
SHA256: 4c07a004f2630fc6cefdb19ed9a5cc40bc5522e20f94d45535f28d1503222be7
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\content-prefs.sqlite
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\containers.json.zyrrh
binary
MD5: 0836d63ce1a654657c3a5389669af86e
SHA256: e51c6149bba215999a70d5cd017e20e6ac8afe0c4e1d7a6de1483813817e34c6
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\compatibility.ini.zyrrh
binary
MD5: 3251503bd3ab71d0f4a74ffc829f6e7d
SHA256: d5cf3b50f7730aea3a49649aa18b4edc3d525a4e724be6799e7132421e2fe380
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\containers.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\compatibility.ini
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db.zyrrh
binary
MD5: 6138a74a652fa047c44e94cb97b232dc
SHA256: 40530b9d969f0b1209cd364a305feb174986ba1c8590df3ec5b967853eb9adcd
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\bookmarkbackups\bookmarks-2018-08-28_14_uZyx1cMFmZ7ZpL4NneCk2A==.jsonlz4.zyrrh
binary
MD5: 52e584364840e394ab4c56af1ed88e60
SHA256: e82f15300749adbc5d7b0eb70b44e24c2af4df57ec2bf293e09e2a1b81991213
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\plugins.json.zyrrh
binary
MD5: d9dbabfd7a93115d6010a9d2150e2320
SHA256: bc01d46d961365ff536d3afc2f6c00ca6604da7b2624ede93eb6e3f2f2ecf159
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\bookmarkbackups\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\bookmarkbackups\bookmarks-2018-08-28_14_uZyx1cMFmZ7ZpL4NneCk2A==.jsonlz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\addons.json.zyrrh
binary
MD5: a3569b1ddb32573227371abd2969daa9
SHA256: f8b635022367d3169475afdb63ec1aa5615c18c81a3c1940e1ccc042c4236dc6
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\plugins.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\addons.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklist.xml.zyrrh
binary
MD5: 352ceb50da4be1b56b6cb059f2bbda8c
SHA256: a93c10840332542be89b80123a098cdb1f1abe70d14690fb47700c81ce47d14c
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4.zyrrh
binary
MD5: b700ef703f7178057c447803dcc07dff
SHA256: 7f74ad97072882a46e08ce136ba35c6276548c02af18af5b1053ca97bbc56d05
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklist.xml
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addons.json.zyrrh
binary
MD5: a80f2be0beb7ec799e49fc0fe7632b4e
SHA256: a22070a34157be8d24f6911ff277f4df8c4ec0d876636f64e9c4eac5da4a464c
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addons.json
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Pending Pings\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20180807170231.zyrrh
binary
MD5: 946ee336b4393a86a75d98b2ca677b6d
SHA256: ec6c0400fce249ccea58df09dc6f71f798c6a60a074873e74df97e431850ae38
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Extensions\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20180807170231
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Vault\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Word\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\UProof\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC.zyrrh
binary
MD5: ad2cd77951fa3db8aac53453a759b370
SHA256: a4f7d7b3434626df1f8628aeb5131c669c81819fe45c687a6847fb38328f6389
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Templates\NormalEmail.dotm.zyrrh
binary
MD5: 1ca325e9ea51e308c41159c4256adad5
SHA256: 82ca36d536fb8c9b71d3adafdaff15371ff13d4a05e9e2a14fbfee7e6b476e84
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Word\STARTUP\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.zyrrh
binary
MD5: ae879d13419e34dcf2e48a0781247f9c
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\AddIns\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Credentials\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Media Center Programs\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Identities\{E4CE17A7-FC47-4CD1-8FF6-45436C8F45DB}\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\FileZilla\queue.sqlite3.zyrrh
binary
MD5: bacac761c0f2a41a42d84cda01a075b0
SHA256: 136a90a8c0f125151369bb3b210257e649a78bf9f2e305facb6e4d139efeff5d
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Microsoft\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Identities\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\FileZilla\queue.sqlite3
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\FileZilla\layout.xml.zyrrh
binary
MD5: 20ef4d93f438046a554fe11cbc995d34
SHA256: 75ae3eec992611ab945a7a8bb41e8835a9e5cee2c2aec9a5de36002c87a8b3ab
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\FileZilla\layout.xml
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\FileZilla\filezilla.xml.zyrrh
binary
MD5: 28b1ecde10e9778706b20a004538eee1
SHA256: 50eb9da2fdf2eba9b56fb600e01a0d597797cf7e4592eb87dda4828fe2876ff8
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\FileZilla\filezilla.xml
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.zyrrh
binary
MD5: 7affff36b38dc064dfaba610d21f3af9
SHA256: 97f10dad7d224ff0b53d4f84cc1c43b0cefea00ef1465a85c12aaba5b91aeeaa
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\FileZilla\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Sonar\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Sonar\Sonar1.0\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.zyrrh
binary
MD5: e028fd0d995506d4f162e33ed04c00a4
SHA256: 5206901318cf5024d9c3dea6823d0815f669a6d8ff285b003ea57a58a0c43732
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_HeadlightsOptinProductFamily_HeadlightsOptinProduct_00000000-0000-0000-0000-000000000000_dc2ece58-8a8b-40bf-98c2-48039a3392bd.log.zyrrh
binary
MD5: 9ebf73d7fec4554c856cd420ae64bab1
SHA256: 1ec0ad9e18ab066ea9c31ae3f19361c262ffe35b1de4243975fca068b335dd7f
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_HeadlightsOptinProductFamily_HeadlightsOptinProduct_00000000-0000-0000-0000-000000000000_dc2ece58-8a8b-40bf-98c2-48039a3392bd.log
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_02f147fa-0489-4885-b993-ed9936fcacc0_0.rdy.zyrrh
binary
MD5: bfa446fe8171d8b0167c464f7984ab71
SHA256: f7ee388a473ce655110387c89261fcea6c25c9bcec13f35af4892a8a92c5d6e9
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_02f147fa-0489-4885-b993-ed9936fcacc0_0.rdy
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_ARM2Update_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_fea03e67-af51-4fcb-b57f-c238867edb9b_0.log.zyrrh
binary
MD5: 823c6858ca5b9e3a63a8c6b99dbf200c
SHA256: 4be1afb26f888e62d2c9c3193c8a3449c9c505bd28e8c8aedbb5353bd6db64ad
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_ARM2Update_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_fea03e67-af51-4fcb-b57f-c238867edb9b_0.log
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Headlights\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Linguistics\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\AssetCache\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\AssetCache\J7D4H966\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.zyrrh
binary
MD5: c105a6e0c1a86a879ac1e3ccd792606a
SHA256: 07ae370e290ad8460b00cc87cf09a14de0d926a1b5193f83daf8efe8dfa247fd
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.zyrrh
binary
MD5: 504b0ed633610a3d5bb24dbf71d2507f
SHA256: 477a1dd4451315a9e04feb476f2c7cda973dbe89183e01e4960040c0d833d368
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.zyrrh
binary
MD5: 559398acfb9989b6f45c2530429af4f1
SHA256: b0f1065fc3ae26e661d543596201f7ed8907adf83cd4a1cf65e9b1cbee72ff56
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings.zyrrh
binary
MD5: ebf16900935b75f1ec85f47a1ec84ddb
SHA256: ee6e65ac53c5e5eab7b5cfbafd85791c8adf34dbdf30875bca8f679d893bb317
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.zyrrh
binary
MD5: f17c3a8c4141d9141e230339102c354a
SHA256: a73750abba41fa810c4e347ef332962e9538baa4e10c65983c9d5e67af56b115
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.zyrrh
binary
MD5: 62155faa210ac466c721821d8184456f
SHA256: 0a1daf9237a8cfc21e9d209dcaff74dc2e30a2a52e39764975e5f567fc457478
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Forms\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
––
MD5:  ––
SHA256:  ––
3068
GandCrab.exe
C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894
3068
GandCrab.exe
C:\Users\admin\.oracle_jre_usage\ZYRRH-DECRYPT.html
html
MD5: 0f7992f2a96c688c8381d8c3964e9dd3
SHA256: 4f401a5fed9635f9a1c66b73aa503d2c126c7f6c4db23b2f93ef123069246894


Network activity

HTTP(S) requests
32
TCP/UDP connections
42
DNS requests
23
Threats
29

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation


Connections

PID Process IP ASN CN Reputation

DNS requests

Domain IP Reputation

Threats

PID Process Class Message
3068 GandCrab.exe A Network Trojan was detected ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected ET POLICY Data POST to an image file (jpg)
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected ET POLICY Data POST to an image file (gif)
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected ET POLICY Data POST to an image file (jpg)
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP
3068 GandCrab.exe A Network Trojan was detected ET POLICY Data POST to an image file (jpg)
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3068 GandCrab.exe A Network Trojan was detected MALWARE [PTsecurity] GandCrab Ransomware HTTP

Debug output strings

No debug info.