Analysis Overview
SHA256
792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738
Threat Level: Known bad
The file Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe was found to be: Known bad.
Malicious Activity Summary
Mimikatz
BadRabbit
Wannacry
Modifies WinLogon for persistence
Troldesh, Shade, Encoder.858
mimikatz is an open source tool to dump credentials on Windows
Disables RegEdit via registry modification
Modifies Windows Firewall
Executes dropped EXE
Downloads MZ/PE file
UPX packed file
Disables Task Manager via registry modification
Stops running service(s)
Sets file execution options in registry
Identifies Wine through registry keys
Loads dropped DLL
Themida packer
Checks computer location settings
Modifies file permissions
Drops startup file
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Modifies WinLogon
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Program crash
Enumerates physical storage devices
NSIS installer
Modifies Internet Explorer start page
Runs net.exe
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Kills process with taskkill
Modifies registry key
System policy modification
Creates scheduled task(s)
Suspicious use of UnmapMainImage
Script User-Agent
Suspicious use of SendNotifyMessage
Modifies Control Panel
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-29 12:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-29 12:38
Reported
2022-09-29 12:40
Platform
win7-20220812-en
Max time kernel
117s
Max time network
154s
Command Line
Signatures
BadRabbit
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Troldesh, Shade, Encoder.858
Wannacry
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aIQowQoU.exe = "C:\\ProgramData\\tkUQYEIg\\aIQowQoU.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aIQowQoU.exe = "C:\\ProgramData\\tkUQYEIg\\aIQowQoU.exe" | C:\ProgramData\tkUQYEIg\aIQowQoU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\keUowsok.exe = "C:\\Users\\Admin\\NegQYIUk\\keUowsok.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\keUowsok.exe = "C:\\Users\\Admin\\NegQYIUk\\keUowsok.exe" | C:\Users\Admin\NegQYIUk\keUowsok.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail [email protected] код пополнения счета киевстар на 25 гривень. В ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\AnVi\splash.mp3 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\AnVi\virus.mp3 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_7173269 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\HjuTygFcvX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_7173440 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\WINDOWS\Web | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\__tmp_rar_sfx_access_check_7173378 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\COMCTL32.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\COMCTL32.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\dispci.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\antivirus-platinum.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\MSCOMCTL.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\302746537.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\A593.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\antivirus-platinum.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\MSCOMCTL.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\302746537.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\cscc.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\A593.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WallpaperOriginX = "210" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WallpaperOriginY = "187" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\MenuShowDelay = "9999" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\sTimeFormat = "ХУЙ" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://poetry.rotten.com/lightning/" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\REGFILE\SHELL\OPEN\COMMAND | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob data not shown in this report] | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
C:\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp" /SL4 $101DC "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\NegQYIUk\keUowsok.exe
"C:\Users\Admin\NegQYIUk\keUowsok.exe"
C:\ProgramData\tkUQYEIg\aIQowQoU.exe
"C:\ProgramData\tkUQYEIg\aIQowQoU.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1908 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\[email protected]" & start C:\Users\Admin\AppData\Local\qabsbnuj.exe -f
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 152
C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1908
C:\WINDOWS\302746537.exe
"C:\WINDOWS\302746537.exe"
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2935895650 && exit"
C:\Windows\SysWOW64\attrib.exe
attrib +h .
C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQIkIgQw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:57:00
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
C:\Windows\A593.tmp
"C:\Windows\A593.tmp" \\.\pipe\{10650376-FE2C-4ECF-B705-8C989E15919B}
C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 512
C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\qabsbnuj.exe
C:\Users\Admin\AppData\Local\qabsbnuj.exe -f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMAkMIYI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1648 -s 1004
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2652 -s 564
C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 552
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrkE651.tmp", start install worker
C:\Windows\SysWOW64\net.exe
net stop wscsvc
C:\Windows\SysWOW64\net.exe
net stop winmgmt /y
C:\Windows\SysWOW64\net.exe
net start winmgmt
C:\Windows\SysWOW64\net.exe
net start wscsvc
C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
Network
Files
memory/2212-244-0x0000000000220000-0x0000000000223000-memory.dmp
memory/1876-248-0x0000000000B10000-0x0000000000B78000-memory.dmp
memory/2660-247-0x0000000000000000-mapping.dmp
memory/2620-246-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2728-245-0x0000000000000000-mapping.dmp
memory/2788-251-0x0000000000000000-mapping.dmp
memory/2212-249-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2772-250-0x0000000000000000-mapping.dmp
memory/2820-252-0x0000000000000000-mapping.dmp
memory/2812-255-0x0000000000000000-mapping.dmp
memory/2872-257-0x0000000000000000-mapping.dmp
memory/2652-260-0x0000000000270000-0x0000000000286000-memory.dmp
memory/1908-259-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/2912-258-0x0000000000000000-mapping.dmp
memory/2940-261-0x0000000000000000-mapping.dmp
memory/1572-263-0x0000000000D80000-0x0000000000E02000-memory.dmp
memory/1692-262-0x0000000000D00000-0x0000000000EF2000-memory.dmp
memory/1676-264-0x00000000003C0000-0x00000000003FC000-memory.dmp
memory/2912-265-0x0000000000400000-0x0000000000432000-memory.dmp
memory/944-266-0x0000000000960000-0x0000000000966000-memory.dmp
memory/2116-267-0x0000000001D20000-0x0000000001D87000-memory.dmp
memory/944-268-0x0000000000B40000-0x0000000000B50000-memory.dmp
memory/2148-269-0x0000000000240000-0x0000000000263000-memory.dmp
memory/2148-270-0x0000000000240000-0x0000000000263000-memory.dmp
memory/2148-271-0x0000000000240000-0x0000000000263000-memory.dmp
memory/2820-272-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2528-273-0x0000000000160000-0x0000000000192000-memory.dmp
memory/2528-274-0x0000000000160000-0x0000000000192000-memory.dmp
memory/2224-275-0x0000000000550000-0x0000000000582000-memory.dmp
memory/2832-276-0x0000000000000000-mapping.dmp
memory/2116-278-0x0000000000400000-0x000000000054F000-memory.dmp
memory/2176-279-0x0000000000400000-0x0000000000432000-memory.dmp
memory/320-280-0x0000000000400000-0x0000000000438000-memory.dmp
memory/696-281-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2116-283-0x0000000000400000-0x000000000054F000-memory.dmp
memory/1472-282-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/524-284-0x0000000000400000-0x0000000000CFB000-memory.dmp
memory/1460-285-0x0000000000400000-0x0000000000450000-memory.dmp
memory/524-286-0x0000000000400000-0x0000000000CFB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-29 12:38
Reported
2022-09-29 12:40
Platform
win10v2004-20220812-en
Max time kernel
38s
Max time network
90s
Command Line
Signatures
BadRabbit
Mimikatz
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Troldesh, Shade, Encoder.858
mimikatz is an open source tool to dump credentials on Windows
2 matches; the report exports no indicator, process or target for this rule.
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Stops running service(s)
UPX packed file
17 matches; the report exports no indicator, process or target for this rule.
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\WINDOWS\302746537.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
1 match; the report exports no indicator, process or target for this rule.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vUkoMAkg.exe = "C:\\Users\\Admin\\rCAEUsck\\vUkoMAkg.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jScUEcko.exe = "C:\\ProgramData\\TygIoQoY\\jScUEcko.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vUkoMAkg.exe = "C:\\Users\\Admin\\rCAEUsck\\vUkoMAkg.exe" | C:\Users\Admin\rCAEUsck\vUkoMAkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jScUEcko.exe = "C:\\ProgramData\\TygIoQoY\\jScUEcko.exe" | C:\ProgramData\TygIoQoY\jScUEcko.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail [email protected] код пополнения счета киевстар на 25 гривень. В ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
The LegalNoticeText value is Windows-1251 Cyrillic that the export rendered as Latin-1; it is shown decoded above. Translation: "In order to restore your computer to normal operation without losing ALL your data! And to save money, send me at e-mail [email protected] a Kyivstar account top-up code for 25 hryvnia. In reply, within twelve hours you will receive at your e-mail a file to remove this program." Together with the "DANGER" caption this text is displayed by Winlogon before every logon: it is the ransom note of a screen locker that demands a mobile top-up voucher rather than cryptocurrency.
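The LegalNoticeText value above, the sTimeFormat value and the Internet Explorer "Window title" values later in this report are all Windows-1251 text shown as Latin-1. The following Python is an added example, not part of the sandbox output or the sample, showing how to recover such strings; the sample inputs inside it are copied from the indicator tables in this report, and the 90% heuristic threshold is an assumption of the example.

```python
"""Recover Windows-1251 (cp1251) text that was exported as if it were Latin-1, which is
what happened to the Cyrillic registry values in this report. Added example, not sandbox code."""


def is_probable_mojibake(text: str) -> bool:
    """Heuristic: real Latin-1 prose rarely consists almost entirely of accented letters.
    When at least 90% of the non-ASCII characters sit in U+00C0..U+00FF (the byte range
    cp1251 uses for Cyrillic letters), assume cp1251 bytes viewed through a Latin-1 lens.
    The 90% threshold is an assumption of this example."""
    high = [ord(c) for c in text if ord(c) > 0x7F]
    if not high:
        return False
    return sum(0xC0 <= cp <= 0xFF for cp in high) / len(high) >= 0.9


def fix_cp1251_mojibake(text: str) -> str:
    """Map each displayed character back to its original byte (Latin-1 is a 1:1 map for
    U+0000..U+00FF) and decode those bytes as cp1251. Text that does not look like mojibake,
    or that contains characters with no Latin-1 byte (e.g. genuine Cyrillic), is returned
    unchanged. ASCII parts of a whole table row (paths, key names) survive untouched because
    ASCII bytes mean the same thing in both encodings."""
    if not is_probable_mojibake(text):
        return text
    try:
        return text.encode("latin-1").decode("cp1251")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


# Constructed inputs, copied from the indicator tables in this report.
SAMPLES = [
    "Äëÿ òîãî ÷òîáû âîññòàíîâèòü",   # LegalNoticeText, first words
    "25 ãðèâåíü",                     # the ransom amount
    "DANGER",                         # LegalNoticeCaption: plain ASCII, must stay as is
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(fix_cp1251_mojibake(s)))
```

Feed whole indicator rows to `fix_cp1251_mojibake`; only the Cyrillic runs change, and an already-Cyrillic or plain-ASCII row is returned as-is, so the function is safe to run over an entire exported report.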
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AnVi\virus.mp3 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\HjuTygFcvX | C:\Windows\SysWOW64\net.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Windows\SysWOW64\net.exe | N/A |
| File created | C:\Program Files (x86)\AnVi\splash.mp3 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Reader_DC.helpcfg.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_240574531 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_240577328 | C:\Windows\SysWOW64\net.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Windows\SysWOW64\net.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\MSCOMCTL.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\dispci.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\MSCOMCTL.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\302746537.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\F477.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\WINDOWS\Web | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\cscc.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\__tmp_rar_sfx_access_check_240573890 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\antivirus-platinum.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\COMCTL32.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\COMCTL32.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\antivirus-platinum.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\302746537.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
NSIS installer
4 matches; the report exports no indicator, process or target for this rule.
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\sTimeFormat = "ХУЙ" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallpaperOriginX = "210" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallpaperOriginY = "187" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\MenuShowDelay = "9999" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
The sTimeFormat value is Windows-1251 text shown decoded above; it is a Russian obscenity, not a time format, so the clock display is defaced. MenuShowDelay = 9999 (milliseconds) makes Start-menu submenus unusable, in line with the Explorer policy lockouts listed under System policy modification.
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
The Window title values are Windows-1251 text shown decoded above; the phrase is a vulgar Russian obscenity and is not translated here. It is set in both the per-user and the machine-wide (WOW6432Node) hive so it survives a user-profile reset.
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM explorer.exe |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Windows\SysWOW64\cmd.exe | /c schtasks /Delete /F /TN rhaegal |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | "C:\Program Files (x86)\antiviruspc2009\avpc2009.exe" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\rCAEUsck\vUkoMAkg.exe | "C:\Users\Admin\rCAEUsck\vUkoMAkg.exe" |
| C:\ProgramData\TygIoQoY\jScUEcko.exe | "C:\ProgramData\TygIoQoY\jScUEcko.exe" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\cmd.exe | /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 880466745 && exit" |
| C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | "C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECD6.tmp\302746537.bat" " |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\cmd.exe | /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAIgYkAE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]"" |
| C:\Windows\F477.tmp | "C:\Windows\F477.tmp" \\.\pipe\{6585464F-839D-47B2-B7BD-756B959F407A} |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 584 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 2544 |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /Delete /F /TN rhaegal |
| C:\WINDOWS\302746537.exe | "C:\WINDOWS\302746537.exe" |
| C:\Users\Admin\AppData\Local\6AdwCleaner.exe | "C:\Users\Admin\AppData\Local\6AdwCleaner.exe" |
| C:\Windows\SysWOW64\netsh.exe | C:\Windows\system32\netsh.exe advfirewall set allprofiles state on |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom |
| C:\Windows\SysWOW64\netsh.exe | C:\Windows\system32\netsh.exe advfirewall reset |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 880466745 && exit" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi" |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5708 -ip 5708 |
| C:\Users\Admin\AppData\Local\Temp\is-U44IH.tmp\is-M3VKK.tmp | "C:\Users\Admin\AppData\Local\Temp\is-U44IH.tmp\is-M3VKK.tmp" /SL4 $20168 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock" |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Users\Admin\AppData\Local\Temp\Fantom.exe | "C:\Users\Admin\AppData\Local\Temp\Fantom.exe" |
| C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs |
| C:\Windows\SysWOW64\sc.exe | sc config WinDefend start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc stop WinDefend |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 492 |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcAcgMko.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]"" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaEMscow.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]"" |
| C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\icacls.exe | icacls . /grant Everyone:F /T /C /Q |
| C:\Users\Admin\AppData\Roaming\qfubqe.exe | C:\Users\Admin\AppData\Roaming\qfubqe.exe |
| C:\Users\Admin\AppData\Local\Temp\winsp2up.exe | "C:\Users\Admin\AppData\Local\Temp\winsp2up.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 448 |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | C:\Users\Admin\AppData\Local\Temp\[email protected] |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6036 -ip 6036 |
| C:\Windows\SysWOW64\attrib.exe | attrib +h . |
| C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe" |
| C:\Windows\SysWOW64\net.exe | net stop wscsvc |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\system32\rundll32.exe" "C:\ProgramData\0a51d5ab-9f5b-4d21-8b20-abb07c2ea2ba_31.avi", start |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 416 -p 3632 -ip 3632 |
| C:\Windows\SysWOW64\net.exe | net stop winmgmt /y |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3632 -s 788 |
| C:\Windows\SysWOW64\net.exe | net start wscsvc |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /FI "USERNAME eq Admin" /F /IM jScUEcko.exe |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 552 -p 3664 -ip 3664 |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 440 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5676 -ip 5676 |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3664 -s 1544 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5980 -ip 5980 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3960 -ip 3960 |
| C:\Windows\SysWOW64\sc.exe | sc config WinDefend start= disabled |
| C:\Windows\SysWOW64\Wbem\mofcomp.exe | mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5676 -ip 5676 |
| C:\ProgramData\TygIoQoY\jScUEcko.exe | "C:\ProgramData\TygIoQoY\jScUEcko.exe" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 636 -p 2812 -ip 2812 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5676 -ip 5676 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 712 |
| C:\Windows\SysWOW64\sc.exe | sc stop WinDefend |
| C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2828 -ip 2828 |
| C:\Windows\SysWOW64\regsvr32.exe | regsvr32 /s c:\windows\comctl32.ocx |
| C:\Windows\SysWOW64\net.exe | net start winmgmt |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrk34FC.tmp", start install worker |
| C:\Windows\SysWOW64\regsvr32.exe | regsvr32 /s c:\windows\mscomctl.ocx |
| C:\Windows\SysWOW64\attrib.exe | attrib +h c:\windows\antivirus-platinum.exe |
| \??\c:\windows\antivirus-platinum.exe | c:\windows\antivirus-platinum.exe |
Network
Files
memory/4456-132-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/4456-133-0x000002BA4C140000-0x000002BA4C16C000-memory.dmp
memory/4456-134-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/1288-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | c7e9746b1b039b8bd1106bca3038c38f |
| SHA1 | cb93ac887876bafe39c5f9aa64970d5e747fb191 |
| SHA256 | b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4 |
| SHA512 | cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724 |
memory/3600-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 382430dd7eae8945921b7feab37ed36b |
| SHA1 | c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128 |
| SHA256 | 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b |
| SHA512 | 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b |
memory/4276-139-0x0000000000000000-mapping.dmp
memory/2520-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 910dd666c83efd3496f21f9f211cdc1f |
| SHA1 | 77cd736ee1697beda0ac65da24455ec566ba7440 |
| SHA256 | 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45 |
| SHA512 | 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47 |
memory/1464-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 41789c704a0eecfdd0048b4b4193e752 |
| SHA1 | fb1e8385691fa3293b7cbfb9b2656cf09f20e722 |
| SHA256 | b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23 |
| SHA512 | 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | fe1bc60a95b2c2d77cd5d232296a7fa4 |
| SHA1 | c07dfdea8da2da5bad036e7c2f5d37582e1cf684 |
| SHA256 | b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d |
| SHA512 | 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89 |
memory/4276-157-0x0000000000400000-0x0000000000A06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | fe1bc60a95b2c2d77cd5d232296a7fa4 |
| SHA1 | c07dfdea8da2da5bad036e7c2f5d37582e1cf684 |
| SHA256 | b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d |
| SHA512 | 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 0a7b70efba0aa93d4bc0857b87ac2fcb |
| SHA1 | 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd |
| SHA256 | 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309 |
| SHA512 | 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 248aadd395ffa7ffb1670392a9398454 |
| SHA1 | c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5 |
| SHA256 | 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc |
| SHA512 | 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 0a7b70efba0aa93d4bc0857b87ac2fcb |
| SHA1 | 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd |
| SHA256 | 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309 |
| SHA512 | 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14 |
memory/736-156-0x0000000000000000-mapping.dmp
memory/2040-166-0x0000000000550000-0x0000000000556000-memory.dmp
memory/3128-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | cb02c0438f3f4ddabce36f8a26b0b961 |
| SHA1 | 48c4fcb17e93b74030415996c0ec5c57b830ea53 |
| SHA256 | 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32 |
| SHA512 | 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3 |
memory/1504-171-0x0000000000030000-0x00000000000B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | cb02c0438f3f4ddabce36f8a26b0b961 |
| SHA1 | 48c4fcb17e93b74030415996c0ec5c57b830ea53 |
| SHA256 | 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32 |
| SHA512 | 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3 |
memory/4552-168-0x0000000000400000-0x0000000000450000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 248aadd395ffa7ffb1670392a9398454 |
| SHA1 | c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5 |
| SHA256 | 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc |
| SHA512 | 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e |
memory/2040-162-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2040-161-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1504-153-0x0000000000000000-mapping.dmp
memory/4512-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | b805db8f6a84475ef76b795b0d1ed6ae |
| SHA1 | 7711cb4873e58b7adcf2a2b047b090e78d10c75b |
| SHA256 | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf |
| SHA512 | 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | b805db8f6a84475ef76b795b0d1ed6ae |
| SHA1 | 7711cb4873e58b7adcf2a2b047b090e78d10c75b |
| SHA256 | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf |
| SHA512 | 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416 |
memory/3856-180-0x0000000000000000-mapping.dmp
memory/1504-181-0x0000000004AA0000-0x0000000004B32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 87ccd6f4ec0e6b706d65550f90b0e3c7 |
| SHA1 | 213e6624bff6064c016b9cdc15d5365823c01f5f |
| SHA256 | e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4 |
| SHA512 | a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990 |
memory/4512-186-0x0000000000B20000-0x0000000000B5C000-memory.dmp
C:\Windows\infpub.dat
| MD5 | 1d724f95c61f1055f0d02c2154bbccd3 |
| SHA1 | 79116fe99f2b421c52ef64097f0f39b815b20907 |
| SHA256 | 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 |
| SHA512 | f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 2eb3ce80b26345bd139f7378330b19c1 |
| SHA1 | 10122bd8dd749e20c132d108d176794f140242b0 |
| SHA256 | 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2 |
| SHA512 | e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a |
C:\Windows\infpub.dat
| MD5 | 1d724f95c61f1055f0d02c2154bbccd3 |
| SHA1 | 79116fe99f2b421c52ef64097f0f39b815b20907 |
| SHA256 | 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 |
| SHA512 | f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113 |
memory/1928-192-0x0000000000000000-mapping.dmp
memory/2544-193-0x0000000000000000-mapping.dmp
memory/4408-198-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | d0deb2644c9435ea701e88537787ea6e |
| SHA1 | 866e47ecd80da89c4f56557659027a3aee897132 |
| SHA256 | ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3 |
| SHA512 | 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
memory/1504-196-0x0000000004900000-0x000000000490A000-memory.dmp
memory/1856-195-0x00000000010F0000-0x0000000001158000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 2eb3ce80b26345bd139f7378330b19c1 |
| SHA1 | 10122bd8dd749e20c132d108d176794f140242b0 |
| SHA256 | 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2 |
| SHA512 | e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a |
memory/4276-191-0x0000000000400000-0x0000000000A06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | d0deb2644c9435ea701e88537787ea6e |
| SHA1 | 866e47ecd80da89c4f56557659027a3aee897132 |
| SHA256 | ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3 |
| SHA512 | 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf |
memory/1856-208-0x00000000010F0000-0x0000000001158000-memory.dmp
memory/2576-219-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
| MD5 | 87e4959fefec297ebbf42de79b5c88f6 |
| SHA1 | eba50d6b266b527025cd624003799bdda9a6bc86 |
| SHA256 | 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61 |
| SHA512 | 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9 |
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | c18a7323332b3292a8e0f1c81df65698 |
| SHA1 | bcb8f34cbe0137e888d06acbcb6508417851a087 |
| SHA256 | 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8 |
| SHA512 | 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad |
C:\WINDOWS\302746537.exe
| MD5 | 8703ff2e53c6fd3bc91294ef9204baca |
| SHA1 | 3dbb8f7f5dfe6b235486ab867a2844b1c2143733 |
| SHA256 | 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035 |
| SHA512 | d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204 |
memory/1868-237-0x0000000000780000-0x00000000007AE000-memory.dmp
memory/1308-238-0x0000000000000000-mapping.dmp
memory/4708-239-0x0000000000000000-mapping.dmp
C:\ProgramData\TygIoQoY\jScUEcko.exe
| MD5 | f1b057a38c69267744b4901859f61a11 |
| SHA1 | 7a828b0713427b035bdf9e136e93a62a6129e42d |
| SHA256 | 2564db7de86b34d80a9937c9349493b8936012e03ade6a3deb97be919354ffd4 |
| SHA512 | f70bdf1a6545d96267c44619f23fe8531d8f8e61c086c2742a827ffaef5aca25255d0193918cf67cf830ac1f14eab13e2ac7f6cde81430bd8af71a1a6e0b0d6f |
memory/4380-245-0x0000000000000000-mapping.dmp
C:\ProgramData\TygIoQoY\jScUEcko.exe
| MD5 | f1b057a38c69267744b4901859f61a11 |
| SHA1 | 7a828b0713427b035bdf9e136e93a62a6129e42d |
| SHA256 | 2564db7de86b34d80a9937c9349493b8936012e03ade6a3deb97be919354ffd4 |
| SHA512 | f70bdf1a6545d96267c44619f23fe8531d8f8e61c086c2742a827ffaef5aca25255d0193918cf67cf830ac1f14eab13e2ac7f6cde81430bd8af71a1a6e0b0d6f |
memory/4904-252-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3100-251-0x0000000000000000-mapping.dmp
memory/1308-253-0x0000000000400000-0x0000000000431000-memory.dmp
memory/4548-254-0x0000000000400000-0x0000000000439000-memory.dmp
memory/4440-249-0x0000000000000000-mapping.dmp
memory/400-248-0x0000000000000000-mapping.dmp
memory/4548-250-0x0000000000400000-0x0000000000439000-memory.dmp
memory/3076-255-0x0000000000000000-mapping.dmp
memory/1868-247-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/4188-256-0x0000000000000000-mapping.dmp
C:\Windows\F477.tmp
| MD5 | 347ac3b6b791054de3e5720a7144a977 |
| SHA1 | 413eba3973a15c1a6429d9f170f3e8287f98c21c |
| SHA256 | 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c |
| SHA512 | 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787 |
memory/4024-246-0x0000000000000000-mapping.dmp
memory/1296-242-0x0000000000000000-mapping.dmp
C:\Users\Admin\rCAEUsck\vUkoMAkg.exe
| MD5 | 7090b2738e7f8b0e9e8a1c144c83b26c |
| SHA1 | 6448095a8217136c04978d9d97b2ff2204dda3e5 |
| SHA256 | b8a197eb2ed3fe9e8b3a85d0566c4e0c4132c75a8e0822448b523fbc8fd51862 |
| SHA512 | 43762dcbe29c4e782665439613da5ae52943e5d814d09824feea2fdbafb5b0bc94628162751eb75cd4fef68757c2c9b0190b39dc1a884335ad864ee172cbcdcb |
C:\Users\Admin\rCAEUsck\vUkoMAkg.exe
| MD5 | 7090b2738e7f8b0e9e8a1c144c83b26c |
| SHA1 | 6448095a8217136c04978d9d97b2ff2204dda3e5 |
| SHA256 | b8a197eb2ed3fe9e8b3a85d0566c4e0c4132c75a8e0822448b523fbc8fd51862 |
| SHA512 | 43762dcbe29c4e782665439613da5ae52943e5d814d09824feea2fdbafb5b0bc94628162751eb75cd4fef68757c2c9b0190b39dc1a884335ad864ee172cbcdcb |
C:\Windows\302746537.exe
| MD5 | 8703ff2e53c6fd3bc91294ef9204baca |
| SHA1 | 3dbb8f7f5dfe6b235486ab867a2844b1c2143733 |
| SHA256 | 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035 |
| SHA512 | d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 3ed3fb296a477156bc51aba43d825fc0 |
| SHA1 | 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6 |
| SHA256 | 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423 |
| SHA512 | dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 3ed3fb296a477156bc51aba43d825fc0 |
| SHA1 | 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6 |
| SHA256 | 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423 |
| SHA512 | dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e |
C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
| MD5 | 0ab7d0e87f3843f8104b3670f5a9af62 |
| SHA1 | 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5 |
| SHA256 | 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b |
| SHA512 | e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375 |
C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
| MD5 | 0ab7d0e87f3843f8104b3670f5a9af62 |
| SHA1 | 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5 |
| SHA256 | 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b |
| SHA512 | e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375 |
C:\Program Files (x86)\antiviruspc2009\bzip2.dll
| MD5 | 4143d4973e0f5a5180e114bdd868d4d2 |
| SHA1 | b47fd2cf9db0f37c04e4425085fb953cbce81478 |
| SHA256 | da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76 |
| SHA512 | e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc |
C:\Program Files (x86)\antiviruspc2009\libltdl3.dll
| MD5 | 00a71b4afda8033235432b1c433fecc7 |
| SHA1 | d7b0c218aa8fec1c60ada26a09d9e0d9601985ca |
| SHA256 | f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd |
| SHA512 | 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a |
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | c18a7323332b3292a8e0f1c81df65698 |
| SHA1 | bcb8f34cbe0137e888d06acbcb6508417851a087 |
| SHA256 | 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8 |
| SHA512 | 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad |
memory/4548-222-0x0000000000000000-mapping.dmp
memory/4904-221-0x0000000000000000-mapping.dmp
memory/4368-258-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
| MD5 | 87e4959fefec297ebbf42de79b5c88f6 |
| SHA1 | eba50d6b266b527025cd624003799bdda9a6bc86 |
| SHA256 | 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61 |
| SHA512 | 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9 |
memory/4408-218-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4408-217-0x0000000000400000-0x00000000005DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | af2379cc4d607a45ac44d62135fb7015 |
| SHA1 | 39b6d40906c7f7f080e6befa93324dddadcbd9fa |
| SHA256 | 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739 |
| SHA512 | 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99 |
memory/1868-216-0x0000000000000000-mapping.dmp
memory/4408-215-0x0000000002280000-0x000000000234E000-memory.dmp
memory/5004-214-0x0000000000000000-mapping.dmp
memory/628-211-0x0000000000000000-mapping.dmp
memory/1388-210-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | e4d4a59494265949993e26dee7b077d1 |
| SHA1 | 83e3d0c7e544117d6054e7d55932a7d2dbaf1163 |
| SHA256 | 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd |
| SHA512 | efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718 |
memory/4512-207-0x00000000056D0000-0x0000000005726000-memory.dmp
memory/1016-205-0x0000000000000000-mapping.dmp
memory/4708-259-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
| MD5 | 2e6360eeebcafd207ad6f4cfc81afdb3 |
| SHA1 | 6d85d48c8c809ad0ee5f7b1b20ef79e871466072 |
| SHA256 | 3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b |
| SHA512 | 36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4 |
C:\Windows\F477.tmp
| MD5 | 347ac3b6b791054de3e5720a7144a977 |
| SHA1 | 413eba3973a15c1a6429d9f170f3e8287f98c21c |
| SHA256 | 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c |
| SHA512 | 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787 |
memory/5176-261-0x0000000000000000-mapping.dmp
memory/1168-260-0x0000000000000000-mapping.dmp
memory/2040-187-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4184-185-0x0000000000000000-mapping.dmp
memory/4552-184-0x0000000001520000-0x0000000001551000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 87ccd6f4ec0e6b706d65550f90b0e3c7 |
| SHA1 | 213e6624bff6064c016b9cdc15d5365823c01f5f |
| SHA256 | e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4 |
| SHA512 | a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990 |
memory/1504-177-0x0000000004FB0000-0x0000000005554000-memory.dmp
memory/5424-265-0x0000000000000000-mapping.dmp
memory/3128-176-0x00000000002E0000-0x00000000004D2000-memory.dmp
memory/5452-267-0x0000000000000000-mapping.dmp
memory/1856-175-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | fbbdc39af1139aebba4da004475e8839 |
| SHA1 | de5c8d858e6e41da715dca1c019df0bfb92d32c0 |
| SHA256 | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da |
| SHA512 | 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87 |
memory/1504-172-0x0000000004930000-0x00000000049CC000-memory.dmp
memory/5472-269-0x0000000000000000-mapping.dmp
memory/5464-268-0x0000000000000000-mapping.dmp
memory/5424-270-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 0002dddba512e20c3f82aaab8bad8b4d |
| SHA1 | 493286b108822ba636cc0e53b8259e4f06ecf900 |
| SHA256 | 2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7 |
| SHA512 | 497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b |
memory/4276-152-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/4552-151-0x0000000000000000-mapping.dmp
memory/2040-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 910dd666c83efd3496f21f9f211cdc1f |
| SHA1 | 77cd736ee1697beda0ac65da24455ec566ba7440 |
| SHA256 | 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45 |
| SHA512 | 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 7dfbfba1e4e64a946cb096bfc937fbad |
| SHA1 | 9180d2ce387314cd4a794d148ea6b14084c61e1b |
| SHA256 | 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94 |
| SHA512 | f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | c7e9746b1b039b8bd1106bca3038c38f |
| SHA1 | cb93ac887876bafe39c5f9aa64970d5e747fb191 |
| SHA256 | b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4 |
| SHA512 | cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 382430dd7eae8945921b7feab37ed36b |
| SHA1 | c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128 |
| SHA256 | 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b |
| SHA512 | 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b |
memory/5544-272-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 02f471d1fefbdc07af5555dbfd6ea918 |
| SHA1 | 2a8f93dd21628933de8bea4a9abc00dbb215df0b |
| SHA256 | 36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba |
| SHA512 | 287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 0315c3149c7dc1d865dc5a89043d870d |
| SHA1 | f74546dda99891ca688416b1a61c9637b3794108 |
| SHA256 | 90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9 |
| SHA512 | 7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112 |
memory/5708-279-0x0000000000000000-mapping.dmp
memory/5676-277-0x0000000000000000-mapping.dmp
memory/5708-280-0x0000000000DF0000-0x0000000000F2B000-memory.dmp
memory/5620-275-0x0000000000000000-mapping.dmp
memory/5544-281-0x0000000000400000-0x0000000000CFB000-memory.dmp
memory/5004-283-0x0000000000400000-0x000000000043F000-memory.dmp
memory/5796-285-0x0000000000000000-mapping.dmp
memory/5004-284-0x00000000006B0000-0x00000000006C2000-memory.dmp
memory/5836-286-0x0000000000000000-mapping.dmp
memory/5812-289-0x0000000000000000-mapping.dmp
memory/5880-290-0x0000000000000000-mapping.dmp
memory/6000-296-0x0000000000000000-mapping.dmp
memory/5956-294-0x0000000000000000-mapping.dmp
memory/5924-293-0x0000000000000000-mapping.dmp
memory/5912-292-0x0000000000000000-mapping.dmp
memory/5464-287-0x0000000000400000-0x0000000000415000-memory.dmp
memory/5528-288-0x0000000000000000-mapping.dmp
memory/6072-300-0x0000000000000000-mapping.dmp
memory/5544-298-0x0000000000400000-0x0000000000CFB000-memory.dmp
memory/5980-295-0x0000000000000000-mapping.dmp
memory/6096-302-0x0000000000000000-mapping.dmp
memory/6064-299-0x0000000000000000-mapping.dmp
memory/5796-304-0x0000000000AF0000-0x0000000000B50000-memory.dmp
memory/5796-303-0x0000000000400000-0x0000000000843000-memory.dmp
memory/5464-306-0x0000000000400000-0x0000000000415000-memory.dmp
memory/5796-309-0x00000000035D0000-0x00000000035D3000-memory.dmp
memory/1912-310-0x0000000000000000-mapping.dmp
memory/5880-312-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4068-308-0x0000000000000000-mapping.dmp
memory/4048-307-0x0000000000000000-mapping.dmp
memory/5676-305-0x0000000001400000-0x0000000001547000-memory.dmp
memory/6036-297-0x0000000000000000-mapping.dmp
memory/5424-314-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1168-315-0x00007FF888EF0000-0x00007FF889926000-memory.dmp
memory/5912-318-0x0000000000400000-0x0000000000432000-memory.dmp
memory/5980-319-0x0000000010000000-0x0000000010010000-memory.dmp
memory/4456-321-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/5836-328-0x0000000000400000-0x000000000054F000-memory.dmp
memory/2828-330-0x0000000000400000-0x0000000000A35000-memory.dmp
memory/6036-329-0x0000000000400000-0x000000000044F000-memory.dmp
memory/6036-327-0x0000000000480000-0x0000000000483000-memory.dmp
memory/2828-323-0x0000000000400000-0x0000000000A35000-memory.dmp
memory/1120-325-0x0000000000400000-0x0000000000843000-memory.dmp
memory/2828-331-0x0000000000400000-0x0000000000A35000-memory.dmp
memory/5836-317-0x0000000000400000-0x000000000054F000-memory.dmp
memory/3632-332-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/1120-333-0x00000000023B0000-0x0000000002410000-memory.dmp
memory/3744-334-0x0000000000400000-0x000000000054F000-memory.dmp
memory/5836-316-0x00000000009D0000-0x0000000000A37000-memory.dmp
memory/4612-311-0x0000000000000000-mapping.dmp
memory/2828-335-0x0000000000400000-0x0000000000A35000-memory.dmp
memory/2040-336-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4552-337-0x0000000000400000-0x0000000000450000-memory.dmp
memory/5676-338-0x0000000003D10000-0x0000000003DD1000-memory.dmp
memory/4276-339-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/4408-340-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1868-341-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp
memory/4900-346-0x0000000000400000-0x0000000000432000-memory.dmp
memory/5676-347-0x0000000003D10000-0x0000000003DD1000-memory.dmp
memory/5796-345-0x0000000000400000-0x0000000000843000-memory.dmp
memory/1672-348-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5796-344-0x0000000000AF0000-0x0000000000B50000-memory.dmp
memory/3744-343-0x0000000010000000-0x0000000010126000-memory.dmp
memory/3744-342-0x00000000027B0000-0x0000000002809000-memory.dmp