Analysis Overview
SHA256: 72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503
Threat Level: Known bad
The file Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe was found to be: Known bad.
Malicious Activity Summary
Wannacry
Modifies WinLogon for persistence
Mimikatz
Cerber
BadRabbit
mimikatz is an open source tool to dump credentials on Windows
Modifies extensions of user files
Executes dropped EXE
Disables Task Manager via registry modification
Modifies Windows Firewall
Disables RegEdit via registry modification
UPX packed file
Checks computer location settings
Modifies file permissions
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Modifies WinLogon
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Modifies system certificate store
Modifies Internet Explorer start page
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies registry class
Runs net.exe
Kills process with taskkill
Modifies registry key
Modifies Internet Explorer settings
System policy modification
Checks processor information in registry
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-09-29 12:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-09-29 12:38
Reported: 2022-09-29 12:40
Platform: win7-20220812-en
Max time kernel: 101s
Max time network: 107s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.113.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
memory/1652-54-0x00000000010B0000-0x00000000010DC000-memory.dmp
memory/1652-55-0x00000000004C0000-0x00000000004D6000-memory.dmp
memory/1652-56-0x0000000000560000-0x0000000000566000-memory.dmp
memory/1652-57-0x000000001A7D0000-0x000000001A808000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2022-09-29 12:38
Reported: 2022-09-29 12:41
Platform: win10v2004-20220901-en
Max time kernel: 82s
Max time network: 111s
Command Line
Signatures
BadRabbit
Cerber
Mimikatz
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oper4cod.2v1\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected] | N/A |
Wannacry
mimikatz is an open source tool to dump credentials on Windows
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\AddNew.tiff.deria | C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] | N/A |
| File opened for modification | C:\Users\Admin\Pictures\HideConnect.crw.deria | C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MoveDismount.tif.deria | C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PublishEnable.raw.deria | C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe | C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwIoMAwQ.exe = "C:\\Users\\Admin\\ROMQEsAc\\mwIoMAwQ.exe" | C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icYgIkMc.exe = "C:\\ProgramData\\QGAUgUkc\\icYgIkMc.exe" | C:\ProgramData\QGAUgUkc\icYgIkMc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oper4cod.2v1\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwIoMAwQ.exe = "C:\\Users\\Admin\\ROMQEsAc\\mwIoMAwQ.exe" | C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icYgIkMc.exe = "C:\\ProgramData\\QGAUgUkc\\icYgIkMc.exe" | C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected] | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü.  îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû." | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\[email protected] | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected] | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft sql server | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft\office | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft\outlook | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\comdll.X.manifest.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft\onenote | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\word | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\ActionsPane3.xsd.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft\microsoft sql server | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\onenote | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft\powerpoint | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009 | C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\AddIns.store.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File created | C:\Program Files (x86)\AnVi\splash.mp3 | C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] | N/A |
| File created | C:\Program Files (x86)\AnVi\virus.mp3 | C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft\excel | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\hyph_en_CA.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\steam | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\powerpoint | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft\word | C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperOriginY = "187" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\MenuShowDelay = "9999" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperOriginX = "210" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" | C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected] | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe"
C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\[email protected]
"C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\[email protected]"
C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected]
"C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected]
"C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected]"
C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected]
"C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected]"
C:\Users\Admin\AppData\Local\Temp\cdjq0sak.522\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\cdjq0sak.522\Fantom.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected]
"C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected]"
C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected]
"C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected]"
C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\[email protected]
"C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\[email protected]"
C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\[email protected]
"C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\[email protected]"
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
"C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1835013906 && exit"
C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected]
"C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected]"
C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe
"C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe"
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
"C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
C:\ProgramData\QGAUgUkc\icYgIkMc.exe
"C:\ProgramData\QGAUgUkc\icYgIkMc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall reset
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1835013906 && exit"
C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\[email protected]
"C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\[email protected]"
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\[email protected]
"C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\[email protected]"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMEwkMEs.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgUcQAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKYQQgMY.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]""
C:\Windows\SysWOW64\attrib.exe
attrib +h .
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected]
"C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected]"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyYMMokg.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected]
"C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected]"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00
C:\Windows\41CC.tmp
"C:\Windows\41CC.tmp" \\.\pipe\{9668C2A0-7AE3-436A-B3A4-C45297891E27}
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\ljmyia5o.gcg\[email protected]
"C:\Users\Admin\AppData\Local\Temp\ljmyia5o.gcg\[email protected]"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAAkQMkk.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected]
"C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected]"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmgsQccs.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 720 -ip 720
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"
C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected]
"C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected]"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSUIckso.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]""
C:\Users\Admin\AppData\Local\Temp\eewa04qc.hg4\[email protected]
"C:\Users\Admin\AppData\Local\Temp\eewa04qc.hg4\[email protected]"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEMIEUoU.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\taskdl.exe
taskdl.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1008 -ip 1008
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 2472 -ip 2472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 804
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5840 -ip 5840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 820
C:\Windows\SysWOW64\net.exe
net stop wscsvc
C:\Windows\SysWOW64\net.exe
net stop winmgmt /y
C:\Windows\SysWOW64\net.exe
net start winmgmt
C:\Windows\SysWOW64\net.exe
net start wscsvc
C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\taskdl.exe
taskdl.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 209.197.3.8:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.114.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 20.189.173.4:443 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 204.79.197.200:443 | | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| N/A | 10.127.0.0:445 | | tcp |
| N/A | 10.127.0.0:139 | | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| N/A | 10.127.0.2:445 | | tcp |
| N/A | 10.127.0.2:139 | | tcp |
| US | 209.197.3.8:445 | | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| US | 8.253.208.121:445 | ctldl.windowsupdate.com | tcp |
| IE | 20.82.209.183:445 | arc.msn.com | tcp |
| US | 140.82.114.4:445 | github.com | tcp |
| N/A | 10.127.0.3:445 | | tcp |
| N/A | 10.127.0.3:139 | | tcp |
| N/A | 10.127.0.4:445 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| N/A | 10.127.0.4:139 | | tcp |
| N/A | 10.127.0.5:445 | | tcp |
| N/A | 10.127.0.5:139 | | tcp |
| N/A | 10.127.0.6:445 | | tcp |
| N/A | 10.127.0.6:139 | | tcp |
| N/A | 10.127.0.7:445 | | tcp |
| N/A | 10.127.0.7:139 | | tcp |
| N/A | 10.127.0.8:445 | | tcp |
| NL | 154.61.71.51:445 | | tcp |
| NL | 142.250.179.142:445 | google.com | tcp |
| N/A | 10.127.0.8:139 | | tcp |
| N/A | 10.127.0.9:445 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| N/A | 10.127.0.9:139 | | tcp |
| N/A | 10.127.0.10:445 | | tcp |
| N/A | 10.127.0.10:139 | | tcp |
| N/A | 10.127.0.11:445 | | tcp |
Files
memory/4188-132-0x000001B133800000-0x000001B13382C000-memory.dmp
memory/4188-133-0x00007FFD41540000-0x00007FFD42001000-memory.dmp
memory/3776-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\[email protected]
| MD5 | fbbdc39af1139aebba4da004475e8839 |
| SHA1 | de5c8d858e6e41da715dca1c019df0bfb92d32c0 |
| SHA256 | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da |
| SHA512 | 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87 |
memory/3792-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected]
| MD5 | 41789c704a0eecfdd0048b4b4193e752 |
| SHA1 | fb1e8385691fa3293b7cbfb9b2656cf09f20e722 |
| SHA256 | b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23 |
| SHA512 | 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea |
memory/3468-140-0x0000000000000000-mapping.dmp
memory/4536-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected]
| MD5 | fe1bc60a95b2c2d77cd5d232296a7fa4 |
| SHA1 | c07dfdea8da2da5bad036e7c2f5d37582e1cf684 |
| SHA256 | b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d |
| SHA512 | 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89 |
C:\Windows\infpub.dat
| MD5 | 1d724f95c61f1055f0d02c2154bbccd3 |
| SHA1 | 79116fe99f2b421c52ef64097f0f39b815b20907 |
| SHA256 | 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 |
| SHA512 | f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113 |
memory/3792-145-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1876-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected]
| MD5 | 0a7b70efba0aa93d4bc0857b87ac2fcb |
| SHA1 | 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd |
| SHA256 | 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309 |
| SHA512 | 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14 |
memory/4536-149-0x0000000002520000-0x0000000002588000-memory.dmp
memory/332-152-0x0000000000000000-mapping.dmp
memory/3792-157-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3792-154-0x00000000004B0000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cdjq0sak.522\Fantom.exe
| MD5 | 7d80230df68ccba871815d68f016c282 |
| SHA1 | e10874c6108a26ceedfc84f50881824462b5b6b6 |
| SHA256 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b |
| SHA512 | 64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540 |
memory/3192-164-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected]
| MD5 | b805db8f6a84475ef76b795b0d1ed6ae |
| SHA1 | 7711cb4873e58b7adcf2a2b047b090e78d10c75b |
| SHA256 | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf |
| SHA512 | 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416 |
memory/4536-165-0x0000000002520000-0x0000000002588000-memory.dmp
memory/1876-166-0x00000000000F0000-0x0000000000172000-memory.dmp
memory/3468-162-0x0000000000400000-0x0000000000450000-memory.dmp
memory/3028-159-0x0000000000000000-mapping.dmp
memory/3792-150-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1876-170-0x00000000049D0000-0x0000000004A6C000-memory.dmp
memory/3404-169-0x0000000000000000-mapping.dmp
memory/3192-173-0x0000000000A10000-0x0000000000A4C000-memory.dmp
memory/1436-175-0x0000000000000000-mapping.dmp
memory/1876-176-0x0000000005020000-0x00000000055C4000-memory.dmp
memory/4424-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected]
| MD5 | 87ccd6f4ec0e6b706d65550f90b0e3c7 |
| SHA1 | 213e6624bff6064c016b9cdc15d5365823c01f5f |
| SHA256 | e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4 |
| SHA512 | a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990 |
memory/4188-181-0x00007FFD41540000-0x00007FFD42001000-memory.dmp
memory/3468-182-0x0000000001640000-0x0000000001671000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\[email protected]
| MD5 | af2379cc4d607a45ac44d62135fb7015 |
| SHA1 | 39b6d40906c7f7f080e6befa93324dddadcbd9fa |
| SHA256 | 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739 |
| SHA512 | 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99 |
C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\[email protected]
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
memory/1876-184-0x0000000004A70000-0x0000000004A7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\[email protected]
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
memory/5096-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
| MD5 | 3ed3fb296a477156bc51aba43d825fc0 |
| SHA1 | 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6 |
| SHA256 | 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423 |
| SHA512 | dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e |
memory/4428-180-0x0000000000000000-mapping.dmp
memory/1436-187-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/332-177-0x00000000049F0000-0x0000000004A82000-memory.dmp
memory/1436-188-0x0000000002290000-0x000000000235E000-memory.dmp
memory/1436-189-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/5096-190-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
| MD5 | 3ed3fb296a477156bc51aba43d825fc0 |
| SHA1 | 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6 |
| SHA256 | 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423 |
| SHA512 | dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e |
memory/1876-193-0x0000000004CA0000-0x0000000004CF6000-memory.dmp
memory/2556-192-0x0000000000000000-mapping.dmp
memory/1560-194-0x0000000000000000-mapping.dmp
memory/3412-195-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected]
| MD5 | dbfbf254cfb84d991ac3860105d66fc6 |
| SHA1 | 893110d8c8451565caa591ddfccf92869f96c242 |
| SHA256 | 68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c |
| SHA512 | 5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d |
memory/4428-197-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4428-198-0x0000000000510000-0x0000000000522000-memory.dmp
memory/1036-201-0x0000000000000000-mapping.dmp
memory/3016-200-0x0000000000000000-mapping.dmp
memory/2480-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
| MD5 | 8803d517ac24b157431d8a462302b400 |
| SHA1 | b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e |
| SHA256 | 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786 |
| SHA512 | 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50 |
C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe
| MD5 | a7c96a585c886ea97d740c34d88b50fe |
| SHA1 | c06189d72afee45caafc83478e82a2bac61b730b |
| SHA256 | fe0d2a1d7ec776966d95a026869f9057fd690d60ecfa6d1f8546fe7088395dba |
| SHA512 | d0a3bcc1e18a24e0f201bffe6a01029eaade47cfff5ae9b0da4ca18f85d0a88ee7505f42dce1d11fa5130aeb5bafc8cc7193fe71de8f0b73c2886b1176ab353e |
memory/3016-204-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1036-205-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3860-206-0x0000000000000000-mapping.dmp
C:\ProgramData\QGAUgUkc\icYgIkMc.exe
| MD5 | ff7330d26dfb4a2c95098ff8d7ada9f3 |
| SHA1 | b4a2321f57204c2a7dceb82e2e1d92dca3741f7e |
| SHA256 | 3149b7cd456fbab1b5f1fa4f6b159b51e4075aa4224f02301a6d20e62c9048d1 |
| SHA512 | f0c66b1b73cbbf2b71a7bf06533b54688e35d26070c751850d7b284b4f7bf788c27035a90cc8c16194f15c381a89d3c7429ef9ddf42f4feb21e44c862d14bbd4 |
memory/3792-212-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3860-213-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
| MD5 | 8803d517ac24b157431d8a462302b400 |
| SHA1 | b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e |
| SHA256 | 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786 |
| SHA512 | 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50 |
C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe
| MD5 | a7c96a585c886ea97d740c34d88b50fe |
| SHA1 | c06189d72afee45caafc83478e82a2bac61b730b |
| SHA256 | fe0d2a1d7ec776966d95a026869f9057fd690d60ecfa6d1f8546fe7088395dba |
| SHA512 | d0a3bcc1e18a24e0f201bffe6a01029eaade47cfff5ae9b0da4ca18f85d0a88ee7505f42dce1d11fa5130aeb5bafc8cc7193fe71de8f0b73c2886b1176ab353e |
C:\ProgramData\QGAUgUkc\icYgIkMc.exe
| MD5 | ff7330d26dfb4a2c95098ff8d7ada9f3 |
| SHA1 | b4a2321f57204c2a7dceb82e2e1d92dca3741f7e |
| SHA256 | 3149b7cd456fbab1b5f1fa4f6b159b51e4075aa4224f02301a6d20e62c9048d1 |
| SHA512 | f0c66b1b73cbbf2b71a7bf06533b54688e35d26070c751850d7b284b4f7bf788c27035a90cc8c16194f15c381a89d3c7429ef9ddf42f4feb21e44c862d14bbd4 |
memory/428-208-0x0000000000000000-mapping.dmp
memory/3468-214-0x0000000000400000-0x0000000000450000-memory.dmp
memory/3344-215-0x0000000000000000-mapping.dmp
memory/4668-216-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
| MD5 | 3ed3fb296a477156bc51aba43d825fc0 |
| SHA1 | 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6 |
| SHA256 | 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423 |
| SHA512 | dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e |
memory/4736-218-0x0000000000000000-mapping.dmp
memory/3168-219-0x0000000000000000-mapping.dmp
memory/2792-220-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\[email protected]
| MD5 | 84c82835a5d21bbcf75a61706d8ab549 |
| SHA1 | 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 |
| SHA256 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
| SHA512 | 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244 |
memory/2548-222-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
| MD5 | 8803d517ac24b157431d8a462302b400 |
| SHA1 | b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e |
| SHA256 | 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786 |
| SHA512 | 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50 |
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
| MD5 | 2fc0e096bf2f094cca883de93802abb6 |
| SHA1 | a4b51b3b4c645a8c082440a6abbc641c5d4ec986 |
| SHA256 | 14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3 |
| SHA512 | 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978 |
memory/1940-225-0x0000000000000000-mapping.dmp
C:\ProgramData\QGAUgUkc\icYgIkMc.inf
| MD5 | 0d9f119b066f5b17e20e8b1de6990f6d |
| SHA1 | 56d16930f213f090d55bf7667b4065578389e712 |
| SHA256 | 794348adf765f002d715985705eb49e5b9cbb96a3ecc1ff5f7a740bf8a944698 |
| SHA512 | f8111a0d4db1021d11ab1296d56a5196c51c88a47c108df30ca27ae65440c20583835a3d786ad938b3647b5f5304ebdb4bf62ccfb681c0cbf972d8aac458fb61 |
memory/2548-226-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\ROMQEsAc\mwIoMAwQ.inf
| MD5 | 0d9f119b066f5b17e20e8b1de6990f6d |
| SHA1 | 56d16930f213f090d55bf7667b4065578389e712 |
| SHA256 | 794348adf765f002d715985705eb49e5b9cbb96a3ecc1ff5f7a740bf8a944698 |
| SHA512 | f8111a0d4db1021d11ab1296d56a5196c51c88a47c108df30ca27ae65440c20583835a3d786ad938b3647b5f5304ebdb4bf62ccfb681c0cbf972d8aac458fb61 |
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
| MD5 | 76e08b93985d60b82ddb4a313733345c |
| SHA1 | 273effbac9e1dc901a3f0ee43122d2bdb383adbf |
| SHA256 | 4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89 |
| SHA512 | 4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d |
memory/3904-230-0x0000000000000000-mapping.dmp
memory/4884-231-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
| MD5 | 3ed3fb296a477156bc51aba43d825fc0 |
| SHA1 | 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6 |
| SHA256 | 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423 |
| SHA512 | dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e |
memory/2652-233-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
| MD5 | 8803d517ac24b157431d8a462302b400 |
| SHA1 | b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e |
| SHA256 | 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786 |
| SHA512 | 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50 |
C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected]
| MD5 | dbfbf254cfb84d991ac3860105d66fc6 |
| SHA1 | 893110d8c8451565caa591ddfccf92869f96c242 |
| SHA256 | 68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c |
| SHA512 | 5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d |
memory/3680-238-0x0000000000000000-mapping.dmp
memory/1100-240-0x0000000000000000-mapping.dmp
memory/3796-237-0x0000000000000000-mapping.dmp
memory/2488-249-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\[email protected]
| MD5 | 9d15a3b314600b4c08682b0202700ee7 |
| SHA1 | 208e79cdb96328d5929248bb8a4dd622cf0684d1 |
| SHA256 | 3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15 |
| SHA512 | 9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3 |
memory/4884-256-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\ROMQEsAc\mwIoMAwQ.inf
| MD5 | ca5f1bcf00493f15604b170b21df60d4 |
| SHA1 | f7ca8f7ec9fb6257d48d8cc61c4a14d0b8231b4c |
| SHA256 | 5f99c73a1411a85eee15b2f2ccbb7aeab0d414ee8e2c0a7e334381efc52a057c |
| SHA512 | 49fb34a892f25345ac96481fef0af4b551c8c137e8bdf37c07ee315b36c7b42d519953d5680874b3a4675afe9ece4f51ecdee1f53cf4a41cb01f17202220405c |
C:\ProgramData\QGAUgUkc\icYgIkMc.inf
| MD5 | ca5f1bcf00493f15604b170b21df60d4 |
| SHA1 | f7ca8f7ec9fb6257d48d8cc61c4a14d0b8231b4c |
| SHA256 | 5f99c73a1411a85eee15b2f2ccbb7aeab0d414ee8e2c0a7e334381efc52a057c |
| SHA512 | 49fb34a892f25345ac96481fef0af4b551c8c137e8bdf37c07ee315b36c7b42d519953d5680874b3a4675afe9ece4f51ecdee1f53cf4a41cb01f17202220405c |
memory/2084-253-0x0000000000000000-mapping.dmp
memory/4244-252-0x0000000000000000-mapping.dmp
memory/2652-257-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4880-260-0x0000000000000000-mapping.dmp
memory/1824-258-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\[email protected]
| MD5 | 9d15a3b314600b4c08682b0202700ee7 |
| SHA1 | 208e79cdb96328d5929248bb8a4dd622cf0684d1 |
| SHA256 | 3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15 |
| SHA512 | 9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3 |
memory/4252-248-0x0000000000000000-mapping.dmp
memory/3488-262-0x0000000000000000-mapping.dmp
memory/720-261-0x00000000004D0000-0x00000000004D3000-memory.dmp
memory/720-259-0x0000000000400000-0x000000000044F000-memory.dmp
memory/5020-247-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
| MD5 | 76e08b93985d60b82ddb4a313733345c |
| SHA1 | 273effbac9e1dc901a3f0ee43122d2bdb383adbf |
| SHA256 | 4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89 |
| SHA512 | 4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d |
memory/3024-244-0x0000000000000000-mapping.dmp
memory/1376-243-0x0000000000000000-mapping.dmp
memory/4992-242-0x0000000000000000-mapping.dmp
memory/720-241-0x0000000000000000-mapping.dmp
memory/3776-245-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
| MD5 | 2fc0e096bf2f094cca883de93802abb6 |
| SHA1 | a4b51b3b4c645a8c082440a6abbc641c5d4ec986 |
| SHA256 | 14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3 |
| SHA512 | 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978 |
memory/4092-267-0x0000000000000000-mapping.dmp
memory/5096-272-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5184-273-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected]
| MD5 | c7e9746b1b039b8bd1106bca3038c38f |
| SHA1 | cb93ac887876bafe39c5f9aa64970d5e747fb191 |
| SHA256 | b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4 |
| SHA512 | cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724 |
memory/3016-276-0x0000000000400000-0x0000000000432000-memory.dmp
C:\ProgramData\QGAUgUkc\icYgIkMc.inf
| MD5 | 1493d913199bc77d25c9f705bbcf0467 |
| SHA1 | 3d60a637bf152cdd915cde9816e10802bb852c14 |
| SHA256 | b53186c993714c5eda538e0f9ea6e44c8ceb5176185e0aed35f190da0573c1aa |
| SHA512 | 8eab60577496ff16630f0a19622a559f693f59a5abe45045f0c3dd7a6899ac52f6c6acc89676172dde638cd48a37a2677feda1c0823c48ba2e0d8685d8387c56 |
C:\Users\Admin\ROMQEsAc\mwIoMAwQ.inf
| MD5 | 1493d913199bc77d25c9f705bbcf0467 |
| SHA1 | 3d60a637bf152cdd915cde9816e10802bb852c14 |
| SHA256 | b53186c993714c5eda538e0f9ea6e44c8ceb5176185e0aed35f190da0573c1aa |
| SHA512 | 8eab60577496ff16630f0a19622a559f693f59a5abe45045f0c3dd7a6899ac52f6c6acc89676172dde638cd48a37a2677feda1c0823c48ba2e0d8685d8387c56 |
memory/1072-277-0x0000000000000000-mapping.dmp
memory/5272-274-0x0000000000000000-mapping.dmp
memory/5224-271-0x0000000000000000-mapping.dmp
memory/2548-270-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4668-268-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5172-269-0x0000000000000000-mapping.dmp
memory/2408-266-0x0000000000000000-mapping.dmp
memory/2280-265-0x0000000000000000-mapping.dmp
memory/4384-264-0x0000000000000000-mapping.dmp
memory/4732-263-0x0000000000000000-mapping.dmp
memory/1412-235-0x0000000000000000-mapping.dmp
memory/5460-281-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
| MD5 | 3ed3fb296a477156bc51aba43d825fc0 |
| SHA1 | 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6 |
| SHA256 | 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423 |
| SHA512 | dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e |
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
| MD5 | 8803d517ac24b157431d8a462302b400 |
| SHA1 | b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e |
| SHA256 | 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786 |
| SHA512 | 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50 |
memory/5464-280-0x0000000000000000-mapping.dmp
memory/4428-284-0x0000000000510000-0x0000000000522000-memory.dmp
memory/2792-289-0x0000000010000000-0x0000000010010000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected]
| MD5 | c7e9746b1b039b8bd1106bca3038c38f |
| SHA1 | cb93ac887876bafe39c5f9aa64970d5e747fb191 |
| SHA256 | b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4 |
| SHA512 | cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724 |
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
| MD5 | 3531cf7755b16d38d5e9e3c43280e7d2 |
| SHA1 | 19981b17ae35b6e9a0007551e69d3e50aa1afffe |
| SHA256 | 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089 |
| SHA512 | 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd |
memory/5460-314-0x0000000000400000-0x0000000000439000-memory.dmp
memory/5464-315-0x0000000000400000-0x0000000000432000-memory.dmp
memory/5840-312-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/5840-316-0x0000000000400000-0x0000000000A06000-memory.dmp
C:\ProgramData\QGAUgUkc\icYgIkMc.inf
| MD5 | 8e93ff7439640abe97ccd045878ca3bc |
| SHA1 | 11166c68dcb6b8cb3b4d7d8b120e2b30c2d66726 |
| SHA256 | beb1caf816194847dab9d955a969ab803789bc1e3d85c59863372bbf8dee5fa5 |
| SHA512 | 3b9eb4fa49a02b40e701dea729aada9e532f9441277eb28a221f10fd73115de147b57f0be3bc3a6c8c2da2492df2eff5c9106c28e6286e0f13a4b99cc1378685 |
C:\Users\Admin\ROMQEsAc\mwIoMAwQ.inf
| MD5 | 8e93ff7439640abe97ccd045878ca3bc |
| SHA1 | 11166c68dcb6b8cb3b4d7d8b120e2b30c2d66726 |
| SHA256 | beb1caf816194847dab9d955a969ab803789bc1e3d85c59863372bbf8dee5fa5 |
| SHA512 | 3b9eb4fa49a02b40e701dea729aada9e532f9441277eb28a221f10fd73115de147b57f0be3bc3a6c8c2da2492df2eff5c9106c28e6286e0f13a4b99cc1378685 |
memory/5840-307-0x0000000000400000-0x0000000000A06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HKYQQgMY.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Windows\41CC.tmp
| MD5 | 347ac3b6b791054de3e5720a7144a977 |
| SHA1 | 413eba3973a15c1a6429d9f170f3e8287f98c21c |
| SHA256 | 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c |
| SHA512 | 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787 |
C:\Users\Admin\AppData\Local\Temp\hMEwkMEs.bat
| MD5 | bae1095f340720d965898063fede1273 |
| SHA1 | 455d8a81818a7e82b1490c949b32fa7ff98d5210 |
| SHA256 | ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a |
| SHA512 | 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024 |
C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock
| MD5 | 76e08b93985d60b82ddb4a313733345c |
| SHA1 | 273effbac9e1dc901a3f0ee43122d2bdb383adbf |
| SHA256 | 4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89 |
| SHA512 | 4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d |
C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected]
| MD5 | 7dfbfba1e4e64a946cb096bfc937fbad |
| SHA1 | 9180d2ce387314cd4a794d148ea6b14084c61e1b |
| SHA256 | 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94 |
| SHA512 | f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4 |
memory/4884-301-0x0000000000400000-0x0000000000439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected]
| MD5 | 7dfbfba1e4e64a946cb096bfc937fbad |
| SHA1 | 9180d2ce387314cd4a794d148ea6b14084c61e1b |
| SHA256 | 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94 |
| SHA512 | f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4 |
C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom
| MD5 | 2fc0e096bf2f094cca883de93802abb6 |
| SHA1 | a4b51b3b4c645a8c082440a6abbc641c5d4ec986 |
| SHA256 | 14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3 |
| SHA512 | 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978 |
memory/2652-300-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected]
| MD5 | 382430dd7eae8945921b7feab37ed36b |
| SHA1 | c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128 |
| SHA256 | 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b |
| SHA512 | 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b |
C:\Users\Admin\ROMQEsAc\mwIoMAwQ.inf
| MD5 | 603b57c6f4fbfe4b823fa40a667f7276 |
| SHA1 | 360aad3994d9d02cd126c6f759269b4d9036ccc7 |
| SHA256 | b01555b61ee67c66d033dcf10ffef469428cfcad8807ce1ff3f35172e02e70cc |
| SHA512 | 7e3ea4d3a995d049432c83df0f13539cf43f8301fb2ff7899ab343ffefebbcb0f0022462a79adecd7acafb814e42b72a02e9c535961df7de2075a92c583e4d7b |
C:\ProgramData\QGAUgUkc\icYgIkMc.inf
| MD5 | 603b57c6f4fbfe4b823fa40a667f7276 |
| SHA1 | 360aad3994d9d02cd126c6f759269b4d9036ccc7 |
| SHA256 | b01555b61ee67c66d033dcf10ffef469428cfcad8807ce1ff3f35172e02e70cc |
| SHA512 | 7e3ea4d3a995d049432c83df0f13539cf43f8301fb2ff7899ab343ffefebbcb0f0022462a79adecd7acafb814e42b72a02e9c535961df7de2075a92c583e4d7b |
memory/5668-292-0x0000000000000000-mapping.dmp
memory/5304-291-0x0000000000000000-mapping.dmp
memory/5312-290-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected]
| MD5 | 382430dd7eae8945921b7feab37ed36b |
| SHA1 | c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128 |
| SHA256 | 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b |
| SHA512 | 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b |
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
| MD5 | 3531cf7755b16d38d5e9e3c43280e7d2 |
| SHA1 | 19981b17ae35b6e9a0007551e69d3e50aa1afffe |
| SHA256 | 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089 |
| SHA512 | 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd |
memory/5496-285-0x0000000000000000-mapping.dmp
memory/1008-317-0x00000000003B0000-0x00000000005A2000-memory.dmp
memory/5840-318-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/5840-319-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/4188-320-0x00007FFD41540000-0x00007FFD42001000-memory.dmp
memory/3468-321-0x0000000000400000-0x0000000000433000-memory.dmp