Malware Analysis Report

2024-10-19 00:02

Sample ID 220929-pt342abhbp
Target Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
SHA256 792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738
Tags
badrabbit troldesh wannacry bootkit discovery evasion persistence ransomware themida trojan upx worm mimikatz
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738

Threat Level: Known bad

The file Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe was found to be: Known bad.

Malicious Activity Summary

Mimikatz

BadRabbit

Wannacry

Modifies WinLogon for persistence

Troldesh, Shade, Encoder.858

Mimikatz is an open-source tool to dump credentials on Windows

Disables RegEdit via registry modification

Modifies Windows Firewall

Executes dropped EXE

Downloads MZ/PE file

UPX packed file

Disables Task Manager via registry modification

Stops running service(s)

Sets file execution options in registry

Identifies Wine through registry keys

Loads dropped DLL

Themida packer

Checks computer location settings

Modifies file permissions

Drops startup file

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Modifies WinLogon

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Program crash

Enumerates physical storage devices

NSIS installer

Modifies Internet Explorer start page

Runs net.exe

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Kills process with taskkill

Modifies registry key

System policy modification

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Script User-Agent

Suspicious use of SendNotifyMessage

Modifies Control Panel

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-29 12:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-29 12:38

Reported

2022-09-29 12:40

Platform

win7-20220812-en

Max time kernel

117s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"

Signatures

BadRabbit

ransomware badrabbit

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Wannacry

ransomware worm wannacry

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp | N/A
N/A | N/A | C:\Users\Admin\NegQYIUk\keUowsok.exe | N/A
N/A | N/A | C:\ProgramData\tkUQYEIg\aIQowQoU.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fantom.exe | N/A
N/A | N/A | C:\WINDOWS\302746537.exe | N/A
N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A
N/A | N/A | C:\Windows\A593.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\qabsbnuj.exe | N/A

Sets file execution options in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Stops running service(s)

evasion

UPX packed file

upx

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Users\Admin\NegQYIUk\keUowsok.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Themida packer

themida

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aIQowQoU.exe = "C:\\ProgramData\\tkUQYEIg\\aIQowQoU.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aIQowQoU.exe = "C:\\ProgramData\\tkUQYEIg\\aIQowQoU.exe" | C:\ProgramData\tkUQYEIg\aIQowQoU.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\keUowsok.exe = "C:\\Users\\Admin\\NegQYIUk\\keUowsok.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\keUowsok.exe = "C:\\Users\\Admin\\NegQYIUk\\keUowsok.exe" | C:\Users\Admin\NegQYIUk\keUowsok.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\b: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\g: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\h: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\j: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\m: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\p: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\s: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\t: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\v: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\w: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\u: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\a: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\i: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\o: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\r: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\z: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\f: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\k: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\l: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\n: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\q: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\x: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened (read-only) | \??\y: | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Legitimate hosting services abused for malware hosting/C2

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail [email protected] код пополнения счета киевстар на 25 гривень. В ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\AnVi\splash.mp3 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\AnVi\virus.mp3 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_7173269 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\HjuTygFcvX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_7173440 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\antiviruspc2009 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\infpub.dat | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\WINDOWS\Web | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Windows\__tmp_rar_sfx_access_check_7173378 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Windows\COMCTL32.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Windows\COMCTL32.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Windows\dispci.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\antivirus-platinum.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Windows\MSCOMCTL.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Windows\302746537.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Windows\A593.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\antivirus-platinum.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File created | C:\Windows\MSCOMCTL.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Windows\302746537.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\cscc.dat | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\A593.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

NSIS installer

installer

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WallpaperOriginX = "210" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WallpaperOriginY = "187" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\MenuShowDelay = "9999" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\sTimeFormat = "ХУЙ" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://poetry.rotten.com/lightning/" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Modifies registry class

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\REGFILE\SHELL\OPEN\COMMAND | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = … | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | N/A

Runs net.exe

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1928 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe | C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1928 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 456 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 456 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 456 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 456 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 456 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 456 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 456 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
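Worked example (added here; it is not part of the sandbox output above): a small Python script that turns the "Set value" rows of this table into a remediation .reg file and flags the values whose only purpose is to lock the user out of recovery tooling (Task Manager, regedit, Run, Control Panel, drive views). SAMPLE_ROWS is a constructed subset of the rows above; the LOCKOUT set, the rule for what counts as a lockout value and all function names are this example's own. The process column reads [email protected] on this page because the dropper's Endermanch@<family>.exe file name was mangled on extraction (compare the cmd /c "...\Endermanch@PolyRansom" command lines in the Processes list), so the parser ignores that column. NoDrives is decoded as the standard 26-bit drive mask (bit 0 = A:, bit 1 = B:, ...), so the observed value 1044 hides C:, E: and K:.

```python
"""Turn sandbox 'System policy modification' rows into a remediation .reg file."""
import re
from collections import defaultdict

# Constructed sample: a subset of the rows from the table above, copied as extracted.
# The trailing process column ("[email protected]", a mangled Endermanch@<family>.exe name)
# and the "N/A" target column are ignored by the parser.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
'''

# Native object-manager hive names as the sandbox prints them -> names reg.exe / .reg files use.
HIVES = {"\\REGISTRY\\MACHINE": "HKEY_LOCAL_MACHINE", "\\REGISTRY\\USER": "HKEY_USERS"}

# One 'Set value (<type>) <key>\<name> = "<data>"' row; the value name is the last path element.
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = "(?P<data>[^"]*)"'
)

# Policy values that exist only to block the user from recovering the machine (example's own set).
LOCKOUT = {"DisableTaskMgr", "DisableRegistryTools", "NoRun", "NoControlPanel",
           "NoLogOff", "NoClose", "NoDrives", "NoViewOnDrive", "NoFind"}


def parse_rows(text):
    """Return (key, name, data) triples for every 'Set value' row; keys use HKEY_* names."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # 'Key created' rows carry no value to undo
        key = m["key"]
        for native, friendly in HIVES.items():
            if key.startswith(native):
                key = friendly + key[len(native):]
                break
        data = int(m["data"]) if m["type"] == "int" else m["data"]
        out.append((key, m["name"], data))
    return out


def decode_no_drives(mask):
    """NoDrives is a 26-bit mask, bit 0 = A:, bit 1 = B:, ...; return the hidden drive letters."""
    return [chr(ord("A") + i) for i in range(26) if (mask >> i) & 1]


def lockout_entries(entries):
    """Subset of parsed entries that disable recovery tooling."""
    return [(k, n, d) for k, n, d in entries if n in LOCKOUT]


def build_undo_reg(entries):
    """Emit a 'Windows Registry Editor Version 5.00' file that deletes every value ("name"=-)."""
    by_key = defaultdict(list)
    for key, name, _ in entries:
        by_key[key].append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(by_key):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in sorted(by_key[key]))
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for key, name, data in lockout_entries(parsed):
        extra = f" -> hides {decode_no_drives(data)}" if name == "NoDrives" else ""
        print(f"lockout: {key}\\{name} = {data}{extra}")
    print(build_undo_reg(parsed))
```

A "name"=- line in a .reg file deletes that value on import, so the output can be applied with an elevated reg import or fed to a GPO/EDR remediation job. Clearing these policy values is recovery hygiene, not containment: the same detonation also stops WinDefend and sets EnableLUA to 0 (see the Processes list), so the host should be treated as fully compromised regardless of what Explorer lets the user click.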

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

C:\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9M2HP.tmp\is-8P6QP.tmp" /SL4 $101DC "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\NegQYIUk\keUowsok.exe

"C:\Users\Admin\NegQYIUk\keUowsok.exe"

C:\ProgramData\tkUQYEIg\aIQowQoU.exe

"C:\ProgramData\tkUQYEIg\aIQowQoU.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1908 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\[email protected]" & start C:\Users\Admin\AppData\Local\qabsbnuj.exe -f

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 152

C:\Users\Admin\AppData\Local\Temp\ose00000.exe

"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /pid 1908

C:\WINDOWS\302746537.exe

"C:\WINDOWS\302746537.exe"

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Delete /F /TN rhaegal

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2935895650 && exit"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FQIkIgQw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:57:00

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Windows\A593.tmp

"C:\Windows\A593.tmp" \\.\pipe\{10650376-FE2C-4ECF-B705-8C989E15919B}

C:\Windows\SysWOW64\sc.exe

sc config WinDefend start= disabled

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 512

C:\Windows\SysWOW64\PING.EXE

ping -n 3 127.1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\qabsbnuj.exe

C:\Users\Admin\AppData\Local\qabsbnuj.exe -f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMAkMIYI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1648 -s 1004

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2652 -s 564

C:\Windows\SysWOW64\schtasks.exe

schtasks /Delete /F /TN rhaegal

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 552

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrkE651.tmp", start install worker

C:\Windows\SysWOW64\net.exe

net stop wscsvc

C:\Windows\SysWOW64\net.exe

net stop winmgmt /y

C:\Windows\SysWOW64\net.exe

net start winmgmt

C:\Windows\SysWOW64\net.exe

net start wscsvc

C:\Windows\SysWOW64\Wbem\mofcomp.exe

mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
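Worked example (added here; not part of the sandbox output): command-line detection rules derived from the Processes list above, run over a constructed copy of those command lines. The rule names and the family attributions inside them are this example's own, chosen to line up with the report's badrabbit, wannacry and mimikatz tags: infpub.dat launched through rundll32, the rhaegal/drogon scheduled tasks and dispci.exe for BadRabbit; attrib +h . followed by icacls . /grant Everyone:F /T /C /Q for WannaCry; a %WINDIR%\XXXX.tmp started with a \\.\pipe\{GUID} argument for the bundled Mimikatz module. The patterns are pinned to this sample's exact strings, so treat them as triage aids for this detonation rather than general-purpose signatures.

```python
"""Regex triage rules for the process command lines recorded in this report."""
import re

# Constructed sample: command lines copied from the Processes list above, plus one
# benign 'ping' on its own to show that only the chained self-delete form should fire.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15',
    r'/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2935895650 && exit"',
    r'/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:57:00',
    r'"C:\Windows\A593.tmp" \\.\pipe\{10650376-FE2C-4ECF-B705-8C989E15919B}',
    r'attrib +h .',
    r'icacls . /grant Everyone:F /T /C /Q',
    r'sc stop WinDefend',
    r'sc config WinDefend start= disabled',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1908 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\[email protected]" & start C:\Users\Admin\AppData\Local\qabsbnuj.exe -f',
    r'taskkill /F /IM explorer.exe',
    r'net stop winmgmt /y',
    r'mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof',
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrkE651.tmp", start install worker',
    r'ping -n 3 127.1',
]

# (rule name, pattern). Names are this example's own; family prefixes mirror the report's tags.
RULES = [
    ("badrabbit_infpub_launch", re.compile(r'rundll32.*\\infpub\.dat,#1\b', re.I)),
    ("badrabbit_task_rhaegal_or_drogon", re.compile(r'schtasks\s+/Create.*?/TN\s+(rhaegal|drogon)\b', re.I)),
    ("badrabbit_dispci_bootloader", re.compile(r'\\dispci\.exe\\?"?\s+-id\s+\d+', re.I)),
    ("mimikatz_module_named_pipe", re.compile(r'\\Windows\\[0-9A-F]{4}\.tmp"?\s+\\\\\.\\pipe\\\{', re.I)),
    ("wannacry_hide_and_grant_everyone",
     re.compile(r'^(attrib\s+\+h\s+\.|icacls\s+\.\s+/grant\s+Everyone:F\s+/T\s+/C\s+/Q)$', re.I)),
    ("defender_service_tamper", re.compile(r'^sc\s+(stop|config)\s+WinDefend\b', re.I)),
    ("uac_disabled_via_reg", re.compile(r'reg\s+add\s+.*Policies\\System\s+/v\s+EnableLUA\s+/d\s+0\b', re.I)),
    ("explorer_hide_extensions_or_hidden",
     re.compile(r'Explorer\\Advanced\s+/f\s+/v\s+(HideFileExt|Hidden)\s+/t\s+REG_DWORD', re.I)),
    ("self_delete_and_relaunch",
     re.compile(r'taskkill\s+/f\s+/pid\s+\d+\s*&\s*ping\s+-n\s+\d+\s+127\.1\s*&\s*del\s+/f\s+/q.*&\s*start\s+', re.I)),
    ("kill_explorer", re.compile(r'^taskkill\s+/F\s+/IM\s+explorer\.exe$', re.I)),
    ("wmi_service_stop", re.compile(r'^net\s+stop\s+winmgmt\b', re.I)),
    ("mofcomp_from_user_temp", re.compile(r'^mofcomp\s+.*\\AppData\\Local\\Temp\\[^\\]+\.mof$', re.I)),
    ("rundll32_loads_tmp_from_temp",
     re.compile(r'rundll32\.exe"?\s+"?[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.tmp"?,', re.I)),
]

FAMILY_PREFIXES = ("badrabbit", "wannacry", "mimikatz")


def classify(cmdline):
    """Return the names of every rule the command line triggers (empty list if nothing fires)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """Map each flagged command line to its rule hits; lines that trigger nothing are dropped."""
    hits = {}
    for cmd in cmdlines:
        names = classify(cmd)
        if names:
            hits[cmd] = names
    return hits


def families_seen(hits):
    """Family tags implied by the rule names, for comparison with the report's tag line."""
    return sorted({n.split("_")[0] for names in hits.values() for n in names
                   if n.split("_")[0] in FAMILY_PREFIXES})


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for cmd, names in result.items():
        print(f"{', '.join(names)}: {cmd[:80]}")
    print("families:", families_seen(result))
```

Several lines fire more than one rule (the rhaegal task both creates the persistence task and names dispci.exe), which is the expected shape for a dropper that chains families; when the same logic is moved into an EDR or SIEM, key it on the parent process as well, since here every interesting child hangs off the PolyRansom dropper or the BadRabbit rundll32 instance listed above.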

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 140.82.114.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
BO 200.87.164.69:9999 tcp
BO 200.87.164.69:9999 tcp
N/A 127.0.0.1:49303 tcp
DE 193.23.244.244:443 tcp
US 8.8.8.8:53 google.com udp
SE 171.25.193.9:80 tcp
FR 51.91.73.194:9001 tcp
DE 176.9.40.131:443 tcp
BE 45.128.133.206:443 tcp
NL 142.250.179.142:80 google.com tcp
NL 142.250.179.142:80 google.com tcp
US 8.8.8.8:53 www.vikingwebscanner.com udp
DE 185.53.177.53:80 www.vikingwebscanner.com tcp
BO 200.119.204.12:9999 tcp
US 45.35.130.46:443 tcp
BO 200.119.204.12:9999 tcp
N/A 127.0.0.1:63292 tcp
LV 83.99.147.75:22 tcp
N/A 127.0.0.1:63292 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1928-54-0x0000000000240000-0x000000000026C000-memory.dmp

memory/1928-55-0x0000000000270000-0x0000000000286000-memory.dmp

memory/1928-56-0x0000000000280000-0x0000000000286000-memory.dmp

memory/1928-57-0x00000000004F0000-0x0000000000528000-memory.dmp

memory/2032-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 c7e9746b1b039b8bd1106bca3038c38f
SHA1 cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256 b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512 cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

memory/2032-60-0x00000000762B1000-0x00000000762B3000-memory.dmp

memory/944-61-0x0000000000000000-mapping.dmp

memory/696-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7dfbfba1e4e64a946cb096bfc937fbad
SHA1 9180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512 f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

memory/1740-66-0x0000000000000000-mapping.dmp

memory/456-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 910dd666c83efd3496f21f9f211cdc1f
SHA1 77cd736ee1697beda0ac65da24455ec566ba7440
SHA256 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fbbdc39af1139aebba4da004475e8839
SHA1 de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87


Analysis: behavioral2

Detonation Overview

Submitted

2022-09-29 12:38

Reported

2022-09-29 12:40

Platform

win10v2004-20220812-en

Max time kernel

38s

Max time network

90s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"

Signatures

BadRabbit

ransomware badrabbit

Mimikatz

mimikatz

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

mimikatz is an open source tool to dump credentials on Windows

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Stops running service(s)

evasion

UPX packed file

upx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\WINDOWS\302746537.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vUkoMAkg.exe = "C:\\Users\\Admin\\rCAEUsck\\vUkoMAkg.exe" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jScUEcko.exe = "C:\\ProgramData\\TygIoQoY\\jScUEcko.exe" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vUkoMAkg.exe = "C:\\Users\\Admin\\rCAEUsck\\vUkoMAkg.exe" C:\Users\Admin\rCAEUsck\vUkoMAkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jScUEcko.exe = "C:\\ProgramData\\TygIoQoY\\jScUEcko.exe" C:\ProgramData\TygIoQoY\jScUEcko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\f: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Legitimate hosting services abused for malware hosting/C2

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail [email protected] код пополнения счета киевстар на 25 гривень. ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AnVi\virus.mp3 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\HjuTygFcvX C:\Windows\SysWOW64\net.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\antiviruspc2009\bzip2.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\antiviruspc2009\avpc2009.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\libltdl3.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe C:\Windows\SysWOW64\net.exe N/A
File created C:\Program Files (x86)\AnVi\splash.mp3 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\avpc2009.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\bzip2.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\libltdl3.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Reader_DC.helpcfg.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_240574531 C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_240577328 C:\Windows\SysWOW64\net.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe C:\Windows\SysWOW64\net.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.C086BCC016634ED8E74CE378BD6E2337BCB4218D899AA74FAFE92975B77C8BAC C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\dispci.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\F477.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\WINDOWS\Web C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\cscc.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\__tmp_rar_sfx_access_check_240573890 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\infpub.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\infpub.dat C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallpaperOriginX = "210" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\WallpaperOriginY = "187" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\MenuShowDelay = "9999" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4456 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 2040 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 2040 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 2040 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4552 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4552 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4552 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1504 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1504 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1504 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 736 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 736 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 736 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 3128 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 3128 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 3128 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4512 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4512 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4512 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1464 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 1464 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 1464 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 4456 wrote to memory of 3856 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 3856 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 3856 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4184 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\net.exe
PID 4456 wrote to memory of 4184 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\net.exe
PID 4456 wrote to memory of 4184 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\net.exe
PID 2040 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\taskkill.exe
PID 2040 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\taskkill.exe
PID 2040 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\taskkill.exe
PID 4456 wrote to memory of 2544 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 2544 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 2544 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4408 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4408 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 4408 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1016 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1016 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 1016 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4552 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 4552 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 4552 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 1856 wrote to memory of 628 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 628 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 628 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 5004 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 5004 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4456 wrote to memory of 5004 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 736 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\AppData\Local\6AdwCleaner.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Delete /F /TN rhaegal

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\rCAEUsck\vUkoMAkg.exe

"C:\Users\Admin\rCAEUsck\vUkoMAkg.exe"

C:\ProgramData\TygIoQoY\jScUEcko.exe

"C:\ProgramData\TygIoQoY\jScUEcko.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 880466745 && exit"

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECD6.tmp\302746537.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAIgYkAE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\F477.tmp

"C:\Windows\F477.tmp" \\.\pipe\{6585464F-839D-47B2-B7BD-756B959F407A}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 584

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 2544

C:\Windows\SysWOW64\schtasks.exe

schtasks /Delete /F /TN rhaegal

C:\WINDOWS\302746537.exe

"C:\WINDOWS\302746537.exe"

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 880466745 && exit"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5708 -ip 5708

C:\Users\Admin\AppData\Local\Temp\is-U44IH.tmp\is-M3VKK.tmp

"C:\Users\Admin\AppData\Local\Temp\is-U44IH.tmp\is-M3VKK.tmp" /SL4 $20168 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\sc.exe

sc config WinDefend start= disabled

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 492

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcAcgMko.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaEMscow.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\AppData\Roaming\qfubqe.exe

C:\Users\Admin\AppData\Roaming\qfubqe.exe

C:\Users\Admin\AppData\Local\Temp\winsp2up.exe

"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 448

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6036 -ip 6036

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe"

C:\Windows\SysWOW64\net.exe

net stop wscsvc

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\ProgramData\0a51d5ab-9f5b-4d21-8b20-abb07c2ea2ba_31.avi", start

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 416 -p 3632 -ip 3632

C:\Windows\SysWOW64\net.exe

net stop winmgmt /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3632 -s 788

C:\Windows\SysWOW64\net.exe

net start wscsvc

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "USERNAME eq Admin" /F /IM jScUEcko.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 552 -p 3664 -ip 3664

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5676 -ip 5676

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3664 -s 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5980 -ip 5980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3960 -ip 3960

C:\Windows\SysWOW64\sc.exe

sc config WinDefend start= disabled

C:\Windows\SysWOW64\Wbem\mofcomp.exe

mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5676 -ip 5676

C:\ProgramData\TygIoQoY\jScUEcko.exe

"C:\ProgramData\TygIoQoY\jScUEcko.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 636 -p 2812 -ip 2812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5676 -ip 5676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 712

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2828 -ip 2828

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s c:\windows\comctl32.ocx

C:\Windows\SysWOW64\net.exe

net start winmgmt

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrk34FC.tmp", start install worker

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s c:\windows\mscomctl.ocx

C:\Windows\SysWOW64\attrib.exe

attrib +h c:\windows\antivirus-platinum.exe

\??\c:\windows\antivirus-platinum.exe

c:\windows\antivirus-platinum.exe
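The command lines above are the report's raw process records, and the interesting ones are easy to lose among the WerFault and repeated sample launches. As an added example (not code from the report or from the sandbox vendor), the Python below runs a small rule set over a constructed subset of those exact command lines and tags the steps a detection engineer would alert on: UAC switched off via EnableLUA, Defender disabled and stopped, Security Center and WMI stopped, firewall policy changed, Explorer set to hide extensions and hidden files, a world-writable ACL, the rhaegal/drogon scheduled tasks and dispci.exe boot task that BadRabbit is known for, a C:\Windows\<hex>.tmp launched with a named-pipe argument, rundll32 loading a non-DLL module, mofcomp compiling a dropped MOF, and the self-delete via cmd. The rule names and the ATT&CK sub-technique IDs are my own mapping (current ATT&CK, not the Enterprise v6 matrix this report cites).

```python
"""Tag suspicious command lines from a sandbox process list.

Added example for this report, not code from the report or the sandbox vendor.
RULES is my own mapping; the ATT&CK IDs are current sub-technique IDs, not the
Enterprise v6 matrix the report cites. SAMPLE is a constructed subset of the
command lines recorded in the report's Command Line section.
"""
import re
from typing import List, Optional, Tuple

RULES: List[Tuple[str, str, re.Pattern]] = [  # (rule name, ATT&CK id, pattern)
    ("uac_disabled", "T1562.001", re.compile(
        r"\breg(\.exe)?\s+add\s+HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
        r"\\Policies\\System\b.*\bEnableLUA\b.*/d\s+0\b", re.I)),
    ("defender_disabled", "T1562.001", re.compile(
        r"\bsc(\.exe)?\s+(config\s+WinDefend\s+start=\s*disabled|stop\s+WinDefend)\b", re.I)),
    ("security_center_stop", "T1562.001", re.compile(
        r"\bnet(\.exe)?\s+stop\s+(wscsvc|winmgmt)\b", re.I)),
    ("firewall_modified", "T1562.004", re.compile(
        r"\bnetsh(\.exe)?\s+advfirewall\s+(reset|set\s+allprofiles)\b", re.I)),
    ("explorer_hides_files", "T1564.001", re.compile(
        r"Explorer\\Advanced\s+/f\s+/v\s+(HideFileExt|Hidden)\b", re.I)),
    ("acl_world_writable", "T1222.001", re.compile(
        r"\bicacls(\.exe)?\s+\S+\s+/grant\s+Everyone:F\b", re.I)),
    ("scheduled_forced_reboot", "T1053.005", re.compile(
        r"\bschtasks\s+/Create\b.*shutdown\.exe\s+/r\b", re.I)),
    ("boot_task_dispci", "T1053.005", re.compile(
        r"\bschtasks\s+/Create\b.*/SC\s+ONSTART\b.*dispci\.exe", re.I)),
    ("badrabbit_task_name", "T1053.005", re.compile(
        r"/TN\s+(rhaegal|drogon)\b", re.I)),
    # BadRabbit runs its Mimikatz-based dumper as C:\Windows\<hex>.tmp with a pipe name
    ("credential_dumper_pipe", "T1003.001", re.compile(
        r'\\Windows\\[0-9A-F]{4}\.tmp"?\s+\\\\\.\\pipe\\\{', re.I)),
    ("wmi_mof_compile", "T1546.003", re.compile(
        r"\bmofcomp(\.exe)?\s+\S+\.mof\b", re.I)),
    ("self_delete", "T1070.004", re.compile(
        r'\bdel\s+"?[^"]*\.exe"?\s*>>\s*NUL\b', re.I)),
]
RUNDLL32_RE = re.compile(r'rundll32\.exe"?\s+"?([^",]+?)"?\s*,', re.I)


def rundll32_non_dll(line: str) -> Optional[str]:
    """Module path when rundll32 is handed something that is not a .dll (T1218.011)."""
    m = RUNDLL32_RE.search(line)
    if m and not m.group(1).lower().endswith(".dll"):
        return m.group(1)
    return None


def scan(lines: List[str]) -> List[Tuple[int, List[str], str]]:
    """Return (line_no, matched rule names, command line) for every line that hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = [name for name, _, rx in RULES if rx.search(line)]
        if rundll32_non_dll(line):
            names.append("rundll32_non_dll_module")
        if names:
            hits.append((n, names, line))
    return hits


def technique_ids(names: List[str]) -> List[str]:
    """Collapse matched rule names to the distinct ATT&CK IDs they map to."""
    ids = {tid for name, tid, _ in RULES if name in names}
    if "rundll32_non_dll_module" in names:
        ids.add("T1218.011")
    return sorted(ids)


SAMPLE = [  # constructed subset of the command lines in this report
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    "sc config WinDefend start= disabled",
    "net stop wscsvc",
    r"C:\Windows\system32\netsh.exe advfirewall reset",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    "icacls . /grant Everyone:F /T /C /Q",
    r'/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00',
    r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 880466745 && exit"',
    r'"C:\Windows\F477.tmp" \\.\pipe\{6585464F-839D-47B2-B7BD-756B959F407A}',
    r'"C:\Windows\system32\rundll32.exe" "C:\ProgramData\0a51d5ab-9f5b-4d21-8b20-abb07c2ea2ba_31.avi", start',
    r"mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof",
    r'"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL',
    "net start wscsvc",  # benign restart: must not fire
    r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"',
]

if __name__ == "__main__":
    for n, names, line in scan(SAMPLE):
        print(f"{n:2d} {','.join(technique_ids(names))}: {', '.join(names)}\n   {line}")
```

The rules are deliberately anchored on the process name and the specific switches (for instance `start= disabled` with the space Windows' `sc` requires, and `/d 0` for EnableLUA) so that `net start wscsvc` and an MSI install in the same list stay quiet; run the same list through an EDR's command-line telemetry and the two `schtasks` hits plus the named-pipe `.tmp` launch are the ones that distinguish BadRabbit from generic ransomware noise.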

Network

Country  Destination             Domain                       Proto
US       93.184.221.240:80       -                            tcp
US       93.184.221.240:80       -                            tcp
US       8.8.8.8:53              github.com                   udp
US       140.82.114.4:443        github.com                   tcp
US       8.8.8.8:53              raw.githubusercontent.com    udp
US       185.199.108.133:443     raw.githubusercontent.com    tcp
US       93.184.220.29:80        -                            tcp
US       93.184.221.240:80       -                            tcp
BO       200.87.164.69:9999      -                            tcp
US       8.8.8.8:53              google.com                   udp
BO       200.87.164.69:9999      -                            tcp
NL       142.250.179.142:80      google.com                   tcp
NL       142.250.179.142:80      google.com                   tcp
US       8.8.8.8:53              frequentwin.com              udp
US       8.8.8.8:53              highway-traffic.com          udp
US       8.8.8.8:53              searchdusty.com              udp
FR       37.187.79.168:80        searchdusty.com              tcp
FR       37.187.79.168:80        searchdusty.com              tcp
FR       40.79.141.153:443       -                            tcp
US       8.8.8.8:53              www.vikingwebscanner.com     udp
DE       185.53.177.53:80        www.vikingwebscanner.com     tcp
US       8.8.8.8:53              google.ru                    udp
US       8.8.8.8:53              yandex.ru                    udp
US       8.8.8.8:53              fastsofgeld.com              udp
NL       142.250.179.142:445     google.com                   tcp
FR       40.79.141.153:445       -                            tcp
US       185.199.108.133:445     raw.githubusercontent.com    tcp
N/A      10.127.0.1:445          -                            tcp
US       93.184.221.240:445      -                            tcp
US       128.31.0.39:9101        -                            tcp
US       8.8.8.8:53              arizonacode.bplaced.net      udp
FR       40.79.141.153:139       -                            tcp
NL       142.250.179.142:139     google.com                   tcp
N/A      10.127.0.1:139          -                            tcp
US       185.199.108.133:139     raw.githubusercontent.com    tcp
US       93.184.221.240:139      -                            tcp
SG       76.73.17.194:9090       -                            tcp
RU       77.88.55.55:80          yandex.ru                    tcp
NL       142.251.36.35:80        google.ru                    tcp
DE       162.55.0.137:80         arizonacode.bplaced.net      tcp
N/A      10.127.0.1:445          -                            tcp
RU       77.88.55.55:443         yandex.ru                    tcp
N/A      10.127.0.1:139          -                            tcp
DE       78.159.97.210:80        78.159.97.210                tcp
N/A      10.127.0.2:445          -                            tcp
N/A      10.127.0.2:139          -                            tcp
N/A      10.127.0.3:445          -                            tcp
N/A      10.127.0.3:139          -                            tcp
N/A      10.127.0.4:445          -                            tcp
N/A      10.127.0.4:139          -                            tcp
BO       200.119.204.12:9999     -                            tcp
N/A      10.127.0.5:445          -                            tcp
BO       200.119.204.12:9999     -                            tcp
N/A      10.127.0.5:139          -                            tcp
N/A      10.127.0.6:445          -                            tcp
AT       86.59.21.38:443         -                            tcp
NL       77.174.164.37:9001      -                            tcp
DE       37.114.40.104:8080      -                            tcp
CA       192.160.102.165:9001    -                            tcp
N/A      10.127.0.6:139          -                            tcp
DE       162.55.0.137:80         arizonacode.bplaced.net      tcp
N/A      10.127.0.7:445          -                            tcp
N/A      10.127.0.7:139          -                            tcp
N/A      10.127.0.8:445          -                            tcp
N/A      10.127.0.8:139          -                            tcp
N/A      10.127.0.9:445          -                            tcp
N/A      10.127.0.0:445          -                            tcp
N/A      127.0.0.1:49891         -                            tcp
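The Network rows are easier to read once SMB probing is separated from the sample's web and DNS traffic: the walk through 10.127.0.0/24 on 445 and 139 is what earns the worm tag, the same public hosts the sample had just fetched from over HTTPS are probed on SMB too, and a handful of public hosts are contacted on ports such as 9001, 9090, 9101 and 9999 with no name resolution. As an added example (not part of the report or the sandbox's own code), the Python below parses rows in the report's layout and produces those three buckets plus a per-/24 fan-out count. ROWS is a constructed subset copied from the table; the sweep threshold and the port lists are my own choices.

```python
"""Parse the Network table of a sandbox report and separate SMB worm scanning
from DNS lookups and C2-style egress.

Added example for this report, not code from the report or the sandbox vendor.
ROWS is a constructed subset copied from the report's Network section; the
sweep threshold and port lists are my own choices.
"""
import ipaddress
import re
from collections import Counter
from typing import Any, Dict, List

# Row layout: "<country> <ip>:<port> [<domain>] <proto>"; a bare "-" means no domain.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
SMB_PORTS = {139, 445}
WEB_PORTS = {80, 443}
SWEEP_THRESHOLD = 5  # distinct internal hosts on SMB ports before calling it a sweep


def parse_row(line: str) -> Dict[str, Any]:
    """Split one table row into its columns; raises on anything that is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable row: {line!r}")
    domain = m["domain"] or ""
    return {"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
            "domain": "" if domain == "-" else domain, "proto": m["proto"]}


def summarize(rows: List[str]) -> Dict[str, Any]:
    """Bucket rows into SMB targets (internal vs external), DNS names and odd-port egress."""
    smb, dns, egress = set(), set(), set()
    for raw in rows:
        r = parse_row(raw)
        addr = ipaddress.ip_address(r["ip"])
        if r["port"] in SMB_PORTS:
            smb.add(r["ip"])
        elif r["port"] == 53 and r["proto"] == "udp":
            if r["domain"]:
                dns.add(r["domain"])
        elif not addr.is_private and r["port"] not in WEB_PORTS:
            # public host on a non-web port; 9001 is Tor's default ORPort, a hint not proof
            egress.add((r["ip"], r["port"], r["domain"]))
    key = ipaddress.ip_address  # sort numerically, not lexically
    internal = sorted((ip for ip in smb if key(ip).is_private), key=key)
    external = sorted((ip for ip in smb if not key(ip).is_private), key=key)
    fanout = Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in internal)
    return {
        "internal_smb_hosts": internal,
        "external_smb_hosts": external,
        "subnet_fanout": dict(fanout),
        "smb_sweep": len(internal) >= SWEEP_THRESHOLD,
        "dns_lookups": sorted(dns),
        "nonstandard_egress": sorted(egress),
    }


ROWS = [  # constructed subset of this report's Network table
    "US 93.184.221.240:80 tcp",
    "US 8.8.8.8:53 github.com udp",
    "US 140.82.114.4:443 github.com tcp",
    "US 185.199.108.133:443 raw.githubusercontent.com tcp",
    "BO 200.87.164.69:9999 tcp",
    "US 8.8.8.8:53 google.com udp",
    "NL 142.250.179.142:80 google.com tcp",
    "NL 142.250.179.142:445 google.com tcp",
    "US 185.199.108.133:445 raw.githubusercontent.com tcp",
    "N/A 10.127.0.1:445 tcp",
    "N/A 10.127.0.1:139 tcp",
    "US 128.31.0.39:9101 tcp",
    "N/A 10.127.0.2:445 tcp",
    "N/A 10.127.0.3:445 tcp",
    "N/A 10.127.0.4:445 tcp",
    "N/A 10.127.0.5:445 tcp",
    "NL 77.174.164.37:9001 tcp",
    "CA 192.160.102.165:9001 tcp",
    "N/A 10.127.0.6:445 tcp",
    "N/A 127.0.0.1:49891 tcp",
]

if __name__ == "__main__":
    for k, v in summarize(ROWS).items():
        print(f"{k}: {v}")
```

Two things the split makes visible that the flat table hides: the worm does not restrict itself to RFC 1918 space (google.com and raw.githubusercontent.com both receive 445/139 probes right after the HTTPS downloads), so a perimeter rule that only watches east-west SMB will miss it; and the loopback row on an ephemeral port is dropped rather than counted as egress, which is the usual mistake when scripting over sandbox output.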

Files

memory/4456-132-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

memory/4456-133-0x000002BA4C140000-0x000002BA4C16C000-memory.dmp

memory/4456-134-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

memory/1288-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 c7e9746b1b039b8bd1106bca3038c38f
SHA1 cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256 b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512 cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

memory/3600-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

memory/4276-139-0x0000000000000000-mapping.dmp

memory/2520-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 910dd666c83efd3496f21f9f211cdc1f
SHA1 77cd736ee1697beda0ac65da24455ec566ba7440
SHA256 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

memory/1464-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 41789c704a0eecfdd0048b4b4193e752
SHA1 fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256 b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA512 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1 c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256 b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

memory/4276-157-0x0000000000400000-0x0000000000A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1 c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256 b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0a7b70efba0aa93d4bc0857b87ac2fcb
SHA1 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA256 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA512 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 248aadd395ffa7ffb1670392a9398454
SHA1 c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA256 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0a7b70efba0aa93d4bc0857b87ac2fcb
SHA1 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA256 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA512 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

memory/736-156-0x0000000000000000-mapping.dmp

memory/2040-166-0x0000000000550000-0x0000000000556000-memory.dmp

memory/3128-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 cb02c0438f3f4ddabce36f8a26b0b961
SHA1 48c4fcb17e93b74030415996c0ec5c57b830ea53
SHA256 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

memory/1504-171-0x0000000000030000-0x00000000000B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 cb02c0438f3f4ddabce36f8a26b0b961
SHA1 48c4fcb17e93b74030415996c0ec5c57b830ea53
SHA256 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

memory/4552-168-0x0000000000400000-0x0000000000450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 248aadd395ffa7ffb1670392a9398454
SHA1 c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA256 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

memory/2040-162-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2040-161-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1504-153-0x0000000000000000-mapping.dmp

memory/4512-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 b805db8f6a84475ef76b795b0d1ed6ae
SHA1 7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256 f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 b805db8f6a84475ef76b795b0d1ed6ae
SHA1 7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256 f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

memory/3856-180-0x0000000000000000-mapping.dmp

memory/1504-181-0x0000000004AA0000-0x0000000004B32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 87ccd6f4ec0e6b706d65550f90b0e3c7
SHA1 213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256 e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512 a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

memory/4512-186-0x0000000000B20000-0x0000000000B5C000-memory.dmp

C:\Windows\infpub.dat

MD5 1d724f95c61f1055f0d02c2154bbccd3
SHA1 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512 f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 2eb3ce80b26345bd139f7378330b19c1
SHA1 10122bd8dd749e20c132d108d176794f140242b0
SHA256 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512 e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

C:\Windows\infpub.dat

MD5 1d724f95c61f1055f0d02c2154bbccd3
SHA1 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512 f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

memory/1928-192-0x0000000000000000-mapping.dmp

memory/2544-193-0x0000000000000000-mapping.dmp

memory/4408-198-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 d0deb2644c9435ea701e88537787ea6e
SHA1 866e47ecd80da89c4f56557659027a3aee897132
SHA256 ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA512 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 63210f8f1dde6c40a7f3643ccf0ff313
SHA1 57edd72391d710d71bead504d44389d0462ccec9
SHA256 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

memory/1504-196-0x0000000004900000-0x000000000490A000-memory.dmp

memory/1856-195-0x00000000010F0000-0x0000000001158000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 2eb3ce80b26345bd139f7378330b19c1
SHA1 10122bd8dd749e20c132d108d176794f140242b0
SHA256 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512 e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

memory/4276-191-0x0000000000400000-0x0000000000A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 63210f8f1dde6c40a7f3643ccf0ff313
SHA1 57edd72391d710d71bead504d44389d0462ccec9
SHA256 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 d0deb2644c9435ea701e88537787ea6e
SHA1 866e47ecd80da89c4f56557659027a3aee897132
SHA256 ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA512 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

memory/1856-208-0x00000000010F0000-0x0000000001158000-memory.dmp

memory/2576-219-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 c18a7323332b3292a8e0f1c81df65698
SHA1 bcb8f34cbe0137e888d06acbcb6508417851a087
SHA256 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA512 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

C:\WINDOWS\302746537.exe

MD5 8703ff2e53c6fd3bc91294ef9204baca
SHA1 3dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA256 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512 d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

memory/1868-237-0x0000000000780000-0x00000000007AE000-memory.dmp

memory/1308-238-0x0000000000000000-mapping.dmp

memory/4708-239-0x0000000000000000-mapping.dmp

C:\ProgramData\TygIoQoY\jScUEcko.exe

MD5 f1b057a38c69267744b4901859f61a11
SHA1 7a828b0713427b035bdf9e136e93a62a6129e42d
SHA256 2564db7de86b34d80a9937c9349493b8936012e03ade6a3deb97be919354ffd4
SHA512 f70bdf1a6545d96267c44619f23fe8531d8f8e61c086c2742a827ffaef5aca25255d0193918cf67cf830ac1f14eab13e2ac7f6cde81430bd8af71a1a6e0b0d6f

memory/4380-245-0x0000000000000000-mapping.dmp

C:\ProgramData\TygIoQoY\jScUEcko.exe

MD5 f1b057a38c69267744b4901859f61a11
SHA1 7a828b0713427b035bdf9e136e93a62a6129e42d
SHA256 2564db7de86b34d80a9937c9349493b8936012e03ade6a3deb97be919354ffd4
SHA512 f70bdf1a6545d96267c44619f23fe8531d8f8e61c086c2742a827ffaef5aca25255d0193918cf67cf830ac1f14eab13e2ac7f6cde81430bd8af71a1a6e0b0d6f

memory/4904-252-0x0000000000400000-0x0000000000410000-memory.dmp

memory/3100-251-0x0000000000000000-mapping.dmp

memory/1308-253-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4548-254-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4440-249-0x0000000000000000-mapping.dmp

memory/400-248-0x0000000000000000-mapping.dmp

memory/4548-250-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3076-255-0x0000000000000000-mapping.dmp

memory/1868-247-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

memory/4188-256-0x0000000000000000-mapping.dmp

C:\Windows\F477.tmp

MD5 347ac3b6b791054de3e5720a7144a977
SHA1 413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA512 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

memory/4024-246-0x0000000000000000-mapping.dmp

memory/1296-242-0x0000000000000000-mapping.dmp

C:\Users\Admin\rCAEUsck\vUkoMAkg.exe

MD5 7090b2738e7f8b0e9e8a1c144c83b26c
SHA1 6448095a8217136c04978d9d97b2ff2204dda3e5
SHA256 b8a197eb2ed3fe9e8b3a85d0566c4e0c4132c75a8e0822448b523fbc8fd51862
SHA512 43762dcbe29c4e782665439613da5ae52943e5d814d09824feea2fdbafb5b0bc94628162751eb75cd4fef68757c2c9b0190b39dc1a884335ad864ee172cbcdcb

C:\Users\Admin\rCAEUsck\vUkoMAkg.exe

MD5 7090b2738e7f8b0e9e8a1c144c83b26c
SHA1 6448095a8217136c04978d9d97b2ff2204dda3e5
SHA256 b8a197eb2ed3fe9e8b3a85d0566c4e0c4132c75a8e0822448b523fbc8fd51862
SHA512 43762dcbe29c4e782665439613da5ae52943e5d814d09824feea2fdbafb5b0bc94628162751eb75cd4fef68757c2c9b0190b39dc1a884335ad864ee172cbcdcb

C:\Windows\302746537.exe

MD5 8703ff2e53c6fd3bc91294ef9204baca
SHA1 3dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA256 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512 d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 3ed3fb296a477156bc51aba43d825fc0
SHA1 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512 dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 3ed3fb296a477156bc51aba43d825fc0
SHA1 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512 dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll

MD5 0ab7d0e87f3843f8104b3670f5a9af62
SHA1 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5
SHA256 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b
SHA512 e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375

C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll

MD5 0ab7d0e87f3843f8104b3670f5a9af62
SHA1 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5
SHA256 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b
SHA512 e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375

C:\Program Files (x86)\antiviruspc2009\bzip2.dll

MD5 4143d4973e0f5a5180e114bdd868d4d2
SHA1 b47fd2cf9db0f37c04e4425085fb953cbce81478
SHA256 da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
SHA512 e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc

C:\Program Files (x86)\antiviruspc2009\bzip2.dll

MD5 4143d4973e0f5a5180e114bdd868d4d2
SHA1 b47fd2cf9db0f37c04e4425085fb953cbce81478
SHA256 da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
SHA512 e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc

C:\Program Files (x86)\antiviruspc2009\libltdl3.dll

MD5 00a71b4afda8033235432b1c433fecc7
SHA1 d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
SHA256 f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
SHA512 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a

C:\Program Files (x86)\antiviruspc2009\libltdl3.dll

MD5 00a71b4afda8033235432b1c433fecc7
SHA1 d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
SHA256 f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
SHA512 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 c18a7323332b3292a8e0f1c81df65698
SHA1 bcb8f34cbe0137e888d06acbcb6508417851a087
SHA256 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA512 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

memory/4548-222-0x0000000000000000-mapping.dmp

memory/4904-221-0x0000000000000000-mapping.dmp

memory/4368-258-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

memory/4408-218-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4408-217-0x0000000000400000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 af2379cc4d607a45ac44d62135fb7015
SHA1 39b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA256 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA512 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

memory/1868-216-0x0000000000000000-mapping.dmp

memory/4408-215-0x0000000002280000-0x000000000234E000-memory.dmp

memory/5004-214-0x0000000000000000-mapping.dmp

memory/628-211-0x0000000000000000-mapping.dmp

memory/1388-210-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 e4d4a59494265949993e26dee7b077d1
SHA1 83e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA256 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512 efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 e4d4a59494265949993e26dee7b077d1
SHA1 83e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA256 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512 efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

memory/4512-207-0x00000000056D0000-0x0000000005726000-memory.dmp

memory/1016-205-0x0000000000000000-mapping.dmp

memory/4708-259-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

MD5 2e6360eeebcafd207ad6f4cfc81afdb3
SHA1 6d85d48c8c809ad0ee5f7b1b20ef79e871466072
SHA256 3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b
SHA512 36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

C:\Windows\F477.tmp

MD5 347ac3b6b791054de3e5720a7144a977
SHA1 413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA512 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

MD5 2e6360eeebcafd207ad6f4cfc81afdb3
SHA1 6d85d48c8c809ad0ee5f7b1b20ef79e871466072
SHA256 3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b
SHA512 36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

memory/5176-261-0x0000000000000000-mapping.dmp

memory/1168-260-0x0000000000000000-mapping.dmp

memory/2040-187-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4184-185-0x0000000000000000-mapping.dmp

memory/4552-184-0x0000000001520000-0x0000000001551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 87ccd6f4ec0e6b706d65550f90b0e3c7
SHA1 213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256 e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512 a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

memory/1504-177-0x0000000004FB0000-0x0000000005554000-memory.dmp

memory/5424-265-0x0000000000000000-mapping.dmp

memory/3128-176-0x00000000002E0000-0x00000000004D2000-memory.dmp

memory/5452-267-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 3ed3fb296a477156bc51aba43d825fc0
SHA1 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512 dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

memory/1856-175-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fbbdc39af1139aebba4da004475e8839
SHA1 de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

memory/1504-172-0x0000000004930000-0x00000000049CC000-memory.dmp

memory/5472-269-0x0000000000000000-mapping.dmp

memory/5464-268-0x0000000000000000-mapping.dmp

memory/5424-270-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0002dddba512e20c3f82aaab8bad8b4d
SHA1 493286b108822ba636cc0e53b8259e4f06ecf900
SHA256 2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512 497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

memory/4276-152-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/4552-151-0x0000000000000000-mapping.dmp

memory/2040-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fbbdc39af1139aebba4da004475e8839
SHA1 de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 910dd666c83efd3496f21f9f211cdc1f
SHA1 77cd736ee1697beda0ac65da24455ec566ba7440
SHA256 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7dfbfba1e4e64a946cb096bfc937fbad
SHA1 9180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512 f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 c7e9746b1b039b8bd1106bca3038c38f
SHA1 cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256 b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512 cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7dfbfba1e4e64a946cb096bfc937fbad
SHA1 9180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512 f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

memory/5544-272-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 02f471d1fefbdc07af5555dbfd6ea918
SHA1 2a8f93dd21628933de8bea4a9abc00dbb215df0b
SHA256 36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
SHA512 287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0002dddba512e20c3f82aaab8bad8b4d
SHA1 493286b108822ba636cc0e53b8259e4f06ecf900
SHA256 2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512 497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0315c3149c7dc1d865dc5a89043d870d
SHA1 f74546dda99891ca688416b1a61c9637b3794108
SHA256 90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9
SHA512 7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

memory/5708-279-0x0000000000000000-mapping.dmp

memory/5676-277-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 02f471d1fefbdc07af5555dbfd6ea918
SHA1 2a8f93dd21628933de8bea4a9abc00dbb215df0b
SHA256 36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
SHA512 287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

memory/5708-280-0x0000000000DF0000-0x0000000000F2B000-memory.dmp

memory/5620-275-0x0000000000000000-mapping.dmp

memory/5544-281-0x0000000000400000-0x0000000000CFB000-memory.dmp

memory/5004-283-0x0000000000400000-0x000000000043F000-memory.dmp

memory/5796-285-0x0000000000000000-mapping.dmp

memory/5004-284-0x00000000006B0000-0x00000000006C2000-memory.dmp

memory/5836-286-0x0000000000000000-mapping.dmp

memory/5812-289-0x0000000000000000-mapping.dmp

memory/5880-290-0x0000000000000000-mapping.dmp

memory/6000-296-0x0000000000000000-mapping.dmp

memory/5956-294-0x0000000000000000-mapping.dmp

memory/5924-293-0x0000000000000000-mapping.dmp

memory/5912-292-0x0000000000000000-mapping.dmp

memory/5464-287-0x0000000000400000-0x0000000000415000-memory.dmp

memory/5528-288-0x0000000000000000-mapping.dmp

memory/6072-300-0x0000000000000000-mapping.dmp

memory/5544-298-0x0000000000400000-0x0000000000CFB000-memory.dmp

memory/5980-295-0x0000000000000000-mapping.dmp

memory/6096-302-0x0000000000000000-mapping.dmp

memory/6064-299-0x0000000000000000-mapping.dmp

memory/5796-304-0x0000000000AF0000-0x0000000000B50000-memory.dmp

memory/5796-303-0x0000000000400000-0x0000000000843000-memory.dmp

memory/5464-306-0x0000000000400000-0x0000000000415000-memory.dmp

memory/5796-309-0x00000000035D0000-0x00000000035D3000-memory.dmp

memory/1912-310-0x0000000000000000-mapping.dmp

memory/5880-312-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4068-308-0x0000000000000000-mapping.dmp

memory/4048-307-0x0000000000000000-mapping.dmp

memory/5676-305-0x0000000001400000-0x0000000001547000-memory.dmp

memory/6036-297-0x0000000000000000-mapping.dmp

memory/5424-314-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1168-315-0x00007FF888EF0000-0x00007FF889926000-memory.dmp

memory/5912-318-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5980-319-0x0000000010000000-0x0000000010010000-memory.dmp

memory/4456-321-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

memory/5836-328-0x0000000000400000-0x000000000054F000-memory.dmp

memory/2828-330-0x0000000000400000-0x0000000000A35000-memory.dmp

memory/6036-329-0x0000000000400000-0x000000000044F000-memory.dmp

memory/6036-327-0x0000000000480000-0x0000000000483000-memory.dmp

memory/2828-323-0x0000000000400000-0x0000000000A35000-memory.dmp

memory/1120-325-0x0000000000400000-0x0000000000843000-memory.dmp

memory/2828-331-0x0000000000400000-0x0000000000A35000-memory.dmp

memory/5836-317-0x0000000000400000-0x000000000054F000-memory.dmp

memory/3632-332-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

memory/1120-333-0x00000000023B0000-0x0000000002410000-memory.dmp

memory/3744-334-0x0000000000400000-0x000000000054F000-memory.dmp

memory/5836-316-0x00000000009D0000-0x0000000000A37000-memory.dmp

memory/4612-311-0x0000000000000000-mapping.dmp

memory/2828-335-0x0000000000400000-0x0000000000A35000-memory.dmp

memory/2040-336-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4552-337-0x0000000000400000-0x0000000000450000-memory.dmp

memory/5676-338-0x0000000003D10000-0x0000000003DD1000-memory.dmp

memory/4276-339-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/4408-340-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1868-341-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

memory/4900-346-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5676-347-0x0000000003D10000-0x0000000003DD1000-memory.dmp

memory/5796-345-0x0000000000400000-0x0000000000843000-memory.dmp

memory/1672-348-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5796-344-0x0000000000AF0000-0x0000000000B50000-memory.dmp

memory/3744-343-0x0000000010000000-0x0000000010126000-memory.dmp

memory/3744-342-0x00000000027B0000-0x0000000002809000-memory.dmp