Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
52s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
29/09/2022, 12:40
Static task
static1
Behavioral task
behavioral1
Sample
UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
Resource
win7-20220901-en
General
-
Target
UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
-
Size
148KB
-
MD5
d197fad90535fb974db139537a091a5b
-
SHA1
5529175952d3fa0697124260e46ec1dbd0c63ae7
-
SHA256
a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6
-
SHA512
1d43209ee1d950a433b08a05a23c69f88b376db3f52f29c84301d5235febda52a37c690abec96c2dfd63d4917b731b5544a548ce1490d9cf36aba9a031bac35d
-
SSDEEP
3072:Gs6dE9I6+dZXlX1sZhuJHxleadYgJcuFsdazXflJv:GYpC16C6adXcFcz
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\@[email protected]
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" [email protected] -
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest [email protected] -
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 41 IoCs
pid Process 692 [email protected] 1000 [email protected] 1884 [email protected] 892 [email protected] 1200 [email protected] 1800 [email protected] 1492 [email protected] 964 [email protected] 1700 [email protected] 1748 [email protected] 2020 [email protected] 1608 [email protected] 860 [email protected] 1308 [email protected] 1440 6AdwCleaner.exe 1404 [email protected] 1192 [email protected] 1344 [email protected] 1464 [email protected] 1048 [email protected] 1536 [email protected] 952 [email protected] 832 [email protected] 2016 [email protected] 1648 [email protected] 1576 DikkIMsc.exe 1588 [email protected] 672 lwIEIUAw.exe 1676 [email protected] 1980 [email protected] 2060 [email protected] 2168 [email protected] 2244 [email protected] 2312 [email protected] 2360 [email protected] 2404 Fantom.exe 2580 is-PBJJ2.tmp 2780 winsp2up.exe 2164 conhost.exe 2140 taskdl.exe 2852 B56B.tmp -
Sets file execution options in registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "calc.exe" [email protected] -
Stops running service(s) 3 TTPs
-
resource yara_rule behavioral1/memory/1800-94-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/1800-78-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/files/0x000a0000000122db-74.dat upx behavioral1/files/0x0007000000012721-199.dat upx behavioral1/files/0x0007000000012721-202.dat upx behavioral1/memory/2060-208-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x0007000000012721-212.dat upx behavioral1/files/0x0007000000012721-213.dat upx behavioral1/files/0x0007000000012721-214.dat upx behavioral1/files/0x00080000000122f1-230.dat upx behavioral1/memory/2360-236-0x0000000000400000-0x000000000044F000-memory.dmp upx behavioral1/memory/1800-246-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/1344-249-0x0000000000400000-0x00000000005DE000-memory.dmp upx -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine [email protected] -
Loads dropped DLL 22 IoCs
pid Process 1700 [email protected] 1536 [email protected] 1536 [email protected] 1536 [email protected] 1536 [email protected] 2060 [email protected] 2060 [email protected] 2060 [email protected] 952 [email protected] 1980 [email protected] 1980 [email protected] 1684 WerFault.exe 1684 WerFault.exe 2312 [email protected] 1684 WerFault.exe 2312 [email protected] 744 cmd.exe 744 cmd.exe 2244 [email protected] 2244 [email protected] 2780 winsp2up.exe 2712 cmd.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2688 icacls.exe 3328 icacls.exe -
resource yara_rule behavioral1/memory/832-176-0x0000000000400000-0x0000000000CFB000-memory.dmp themida behavioral1/memory/832-242-0x0000000000400000-0x0000000000CFB000-memory.dmp themida behavioral1/memory/832-268-0x0000000000400000-0x0000000000CFB000-memory.dmp themida behavioral1/memory/832-294-0x0000000000400000-0x0000000000CFB000-memory.dmp themida behavioral1/memory/832-307-0x0000000000400000-0x0000000000CFB000-memory.dmp themida -
Adds Run key to start application 2 TTPs 11 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DikkIMsc.exe = "C:\\Users\\Admin\\WoIIwYkc\\DikkIMsc.exe" DikkIMsc.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce [email protected] Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsp2up.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsp2up.exe" [email protected] Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DikkIMsc.exe = "C:\\Users\\Admin\\WoIIwYkc\\DikkIMsc.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lwIEIUAw.exe = "C:\\ProgramData\\WuUIQoAs\\lwIEIUAw.exe" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lwIEIUAw.exe = "C:\\ProgramData\\WuUIQoAs\\lwIEIUAw.exe" lwIEIUAw.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" [email protected] -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: [email protected] File opened (read-only) \??\P: [email protected] File opened (read-only) \??\S: [email protected] File opened (read-only) \??\N: [email protected] File opened (read-only) \??\O: [email protected] File opened (read-only) \??\R: [email protected] File opened (read-only) \??\U: [email protected] File opened (read-only) \??\X: [email protected] File opened (read-only) \??\V: [email protected] File opened (read-only) \??\E: [email protected] File opened (read-only) \??\G: [email protected] File opened (read-only) \??\H: [email protected] File opened (read-only) \??\J: [email protected] File opened (read-only) \??\K: [email protected] File opened (read-only) \??\Q: [email protected] File opened (read-only) \??\T: [email protected] File opened (read-only) \??\W: [email protected] File opened (read-only) \??\F: [email protected] File opened (read-only) \??\I: [email protected] File opened (read-only) \??\L: [email protected] File opened (read-only) \??\Y: [email protected] File opened (read-only) \??\Z: [email protected] -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 [email protected] File opened for modification \??\PhysicalDrive0 [email protected] -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 832 [email protected] -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\AnVi\splash.mp3 [email protected] File created C:\Program Files (x86)\AnVi\virus.mp3 [email protected] -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\infpub.dat [email protected] File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File opened for modification C:\Windows\B56B.tmp rundll32.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 948 sc.exe 2276 sc.exe 4564 sc.exe 4892 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
pid pid_target Process procid_target 1684 1588 WerFault.exe 57 4008 1004 WerFault.exe 211 3040 2576 WerFault.exe 233 -
NSIS installer 4 IoCs
resource yara_rule behavioral1/files/0x0008000000012301-87.dat nsis_installer_1 behavioral1/files/0x0008000000012301-87.dat nsis_installer_2 behavioral1/files/0x0008000000012301-105.dat nsis_installer_1 behavioral1/files/0x0008000000012301-105.dat nsis_installer_2 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 [email protected] Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString [email protected] -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2148 schtasks.exe 3308 schtasks.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2200 vssadmin.exe -
Kills process with taskkill 2 IoCs
pid Process 956 taskkill.exe 2224 taskkill.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" [email protected] Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main [email protected] -
Modifies registry key 1 TTPs 42 IoCs
pid Process 4688 reg.exe 2212 reg.exe 1864 reg.exe 4264 reg.exe 3508 reg.exe 3476 reg.exe 3056 reg.exe 4336 reg.exe 4472 reg.exe 2928 reg.exe 3004 reg.exe 3152 reg.exe 3428 reg.exe 3028 reg.exe 4364 reg.exe 4680 reg.exe 2856 reg.exe 2220 reg.exe 2628 reg.exe 2144 reg.exe 4700 reg.exe 2080 reg.exe 1408 reg.exe 2332 reg.exe 3540 reg.exe 1120 reg.exe 3408 reg.exe 2144 reg.exe 2636 reg.exe 3120 reg.exe 3644 reg.exe 2136 reg.exe 3128 reg.exe 2616 reg.exe 1816 reg.exe 2624 reg.exe 2068 reg.exe 2548 reg.exe 4404 reg.exe 3548 reg.exe 3924 reg.exe 4252 reg.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3032 PING.EXE -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 1608 [email protected] 1536 [email protected] 1536 [email protected] 832 [email protected] 2168 [email protected] 2168 [email protected] 624 rundll32.exe 624 rundll32.exe 1344 [email protected] 1344 [email protected] 2780 winsp2up.exe 2780 winsp2up.exe 2780 winsp2up.exe 2164 conhost.exe 2164 conhost.exe 2164 conhost.exe 2164 conhost.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Token: SeDebugPrivilege 1440 6AdwCleaner.exe Token: SeShutdownPrivilege 624 rundll32.exe Token: SeDebugPrivilege 624 rundll32.exe Token: SeTcbPrivilege 624 rundll32.exe Token: SeDebugPrivilege 2504 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe Token: SeDebugPrivilege 2404 Fantom.exe Token: SeDebugPrivilege 956 taskkill.exe Token: SeDebugPrivilege 2224 schtasks.exe Token: SeRestorePrivilege 2052 msiexec.exe Token: SeTakeOwnershipPrivilege 2052 msiexec.exe Token: SeSecurityPrivilege 2052 msiexec.exe Token: SeCreateTokenPrivilege 2312 [email protected] Token: SeAssignPrimaryTokenPrivilege 2312 [email protected] Token: SeLockMemoryPrivilege 2312 [email protected] Token: SeIncreaseQuotaPrivilege 2312 [email protected] Token: SeMachineAccountPrivilege 2312 [email protected] Token: SeTcbPrivilege 2312 [email protected] Token: SeSecurityPrivilege 2312 [email protected] Token: SeTakeOwnershipPrivilege 2312 [email protected] Token: SeLoadDriverPrivilege 2312 [email protected] Token: SeSystemProfilePrivilege 2312 [email protected] Token: SeSystemtimePrivilege 2312 [email protected] Token: SeProfSingleProcessPrivilege 2312 [email protected] Token: SeIncBasePriorityPrivilege 2312 [email protected] Token: SeCreatePagefilePrivilege 2312 [email protected] Token: SeCreatePermanentPrivilege 2312 [email protected] Token: SeBackupPrivilege 2312 [email protected] Token: SeRestorePrivilege 2312 [email protected] Token: SeShutdownPrivilege 2312 [email protected] Token: SeDebugPrivilege 2312 [email protected] Token: SeAuditPrivilege 2312 [email protected] Token: SeSystemEnvironmentPrivilege 2312 [email protected] Token: SeChangeNotifyPrivilege 2312 [email protected] Token: SeRemoteShutdownPrivilege 2312 [email protected] Token: SeUndockPrivilege 2312 [email protected] Token: SeSyncAgentPrivilege 2312 [email protected] Token: SeEnableDelegationPrivilege 2312 [email protected] Token: SeManageVolumePrivilege 2312 [email protected] Token: SeImpersonatePrivilege 2312 [email protected] Token: SeCreateGlobalPrivilege 2312 [email protected] -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 692 [email protected] 692 [email protected] 692 [email protected] 2360 [email protected] -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 692 [email protected] 692 [email protected] 692 [email protected] -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 692 [email protected] 692 [email protected] 692 [email protected] 692 [email protected] 692 [email protected] 692 [email protected] 692 [email protected] 692 [email protected] 1980 [email protected] 2780 winsp2up.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1492 [email protected] 1344 [email protected] -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1768 wrote to memory of 692 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 27 PID 1768 wrote to memory of 692 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 27 PID 1768 wrote to memory of 692 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 27 PID 1768 wrote to memory of 692 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 27 PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 28 PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 28 PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 28 PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 28 PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 28 PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 28 PID 1768 wrote to memory of 1000 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 28 PID 1768 wrote to memory of 1884 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 29 PID 1768 wrote to memory of 1884 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 29 PID 1768 wrote to memory of 1884 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 29 PID 1768 wrote to memory of 1884 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 29 PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 30 PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 30 PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 30 PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 30 PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 30 PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 30 PID 1768 wrote to memory of 892 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 30 PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 31 PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 31 PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 31 PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 31 PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 31 PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 31 PID 1768 wrote to memory of 1200 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 31 PID 1768 wrote to memory of 1800 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 32 PID 1768 wrote to memory of 1800 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 32 PID 1768 wrote to memory of 1800 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 32 PID 1768 wrote to memory of 1800 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 32 PID 1768 wrote to memory of 1492 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 38 PID 1768 wrote to memory of 1492 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 38 PID 1768 wrote to memory of 1492 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 38 PID 1768 wrote to memory of 1492 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 38 PID 1768 wrote to memory of 964 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 33 PID 1768 wrote to memory of 964 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 33 PID 1768 wrote to memory of 964 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 33 PID 1768 wrote to memory of 964 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 33 PID 1768 wrote to memory of 1700 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 34 PID 1768 wrote to memory of 1700 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 34 PID 1768 wrote to memory of 1700 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 34 PID 1768 wrote to memory of 1700 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 34 PID 1768 wrote to memory of 1748 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 35 PID 1768 wrote to memory of 1748 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 35 PID 1768 wrote to memory of 1748 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 35 PID 1768 wrote to memory of 1748 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 35 PID 1200 wrote to memory of 624 1200 [email protected] 37 PID 1200 wrote to memory of 624 1200 [email protected] 37 PID 1200 wrote to memory of 624 1200 [email protected] 37 PID 1200 wrote to memory of 624 1200 [email protected] 37 PID 1200 wrote to memory of 624 1200 [email protected] 37 PID 1200 wrote to memory of 624 1200 [email protected] 37 PID 1200 wrote to memory of 624 1200 [email protected] 37 PID 1768 wrote to memory of 2020 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 36 PID 1768 wrote to memory of 2020 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 36 PID 1768 wrote to memory of 2020 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 36 PID 1768 wrote to memory of 2020 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 36 PID 1768 wrote to memory of 1608 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 40 PID 1768 wrote to memory of 1608 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 40 PID 1768 wrote to memory of 1608 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 40 PID 1768 wrote to memory of 1608 1768 UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe 40 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" [email protected] -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2788 attrib.exe 2608 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:692
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1000
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1884
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:892
-
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"3⤵PID:4276
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal4⤵PID:2872
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2635896854 && exit"4⤵PID:2372
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2635896854 && exit"5⤵
- Creates scheduled task(s)
PID:3308
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:59:004⤵PID:988
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:59:005⤵
- Creates scheduled task(s)
PID:2148
-
-
-
C:\Windows\B56B.tmp"C:\Windows\B56B.tmp" \\.\pipe\{75ACB937-FCAC-477C-9E38-6B7F3924A8CC}4⤵
- Executes dropped EXE
PID:2852
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:1800 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:956
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:964
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1748
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2020
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1492
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:1608
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:860
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1308
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1404
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1404 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\[email protected]" & start C:\Users\Admin\AppData\Local\ogkfdop.exe -f3⤵PID:2536
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /pid 14044⤵
- Kills process with taskkill
PID:2224
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 127.14⤵
- Runs ping.exe
PID:3032
-
-
C:\Users\Admin\AppData\Local\ogkfdop.exeC:\Users\Admin\AppData\Local\ogkfdop.exe -f4⤵PID:3332
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1192
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1344
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1464
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"3⤵PID:2800
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1536 -
C:\Users\Admin\WoIIwYkc\DikkIMsc.exe"C:\Users\Admin\WoIIwYkc\DikkIMsc.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1576
-
-
C:\ProgramData\WuUIQoAs\lwIEIUAw.exe"C:\ProgramData\WuUIQoAs\lwIEIUAw.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:672
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"3⤵
- Loads dropped DLL
PID:744 -
C:\Users\Admin\AppData\Local\Temp\[email protected]C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom4⤵PID:2164
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"5⤵PID:2568
-
C:\Users\Admin\AppData\Local\Temp\[email protected]C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom6⤵PID:3076
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"7⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\[email protected]C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom8⤵PID:3844
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"9⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\[email protected]C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom10⤵PID:3308
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"11⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\[email protected]C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom12⤵PID:4576
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"13⤵PID:4640
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 113⤵
- Modifies registry key
PID:4680
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\SEcAkIEE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""13⤵PID:4708
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs14⤵PID:1716
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f13⤵
- Modifies registry key
PID:4700
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 213⤵
- Modifies registry key
PID:4688
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 111⤵
- Modifies registry key
PID:2548
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\dIUUosEM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""11⤵PID:3052
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs12⤵PID:4584
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f11⤵
- Modifies registry key
PID:3056
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 211⤵
- Modifies registry key
PID:3028
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 19⤵
- Modifies registry key
PID:2628
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 29⤵
- Modifies registry key
PID:1816
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f9⤵
- Modifies registry key
PID:1864
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Kgoswggo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""9⤵PID:3208
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs10⤵PID:1048
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 17⤵
- Modifies registry key
PID:3508
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 27⤵
- Modifies registry key
PID:3540
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\BoAgMwEg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""7⤵PID:3560
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs8⤵PID:3836
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
PID:3548
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies registry key
PID:2220
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
- Modifies registry key
PID:2636
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
PID:2624
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\qasQEUwI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""5⤵PID:2004
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵PID:3440
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
PID:2080
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
PID:2144
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
PID:2212
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\xkAwoEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""3⤵PID:2332
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:2656
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1048
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Users\Admin\AppData\Local\Temp\is-COGBM.tmp\is-PBJJ2.tmp"C:\Users\Admin\AppData\Local\Temp\is-COGBM.tmp\is-PBJJ2.tmp" /SL4 $1025C "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 558083⤵
- Executes dropped EXE
PID:2580
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:832
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:2016
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3468
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1648
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\ProgramData\6981d600-e615-40eb-abf4-c6062762452e_31.avi", start3⤵PID:4440
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1588
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1523⤵
- Loads dropped DLL
- Program crash
PID:1684
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1676
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend3⤵
- Launches sc.exe
PID:948
-
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled3⤵
- Launches sc.exe
PID:2276
-
-
C:\Users\Admin\AppData\Roaming\rlyqdr.exeC:\Users\Admin\AppData\Roaming\rlyqdr.exe3⤵PID:4200
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL3⤵PID:4448
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2780
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2168 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"3⤵
- Loads dropped DLL
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\[email protected]C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock4⤵PID:2812
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"5⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\[email protected]C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock6⤵PID:3716
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"7⤵PID:3992
-
C:\Users\Admin\AppData\Local\Temp\[email protected]C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock8⤵
- Adds Run key to start application
PID:1404 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"9⤵PID:3556
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 19⤵
- Modifies registry key
PID:2144
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\QeIcMUEI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""9⤵PID:3832
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs10⤵PID:4880
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f9⤵
- Modifies registry key
PID:2136
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 29⤵
- Modifies registry key
PID:3924
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 17⤵
- Modifies registry key
PID:2616
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 27⤵
- Modifies registry key
PID:1120
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
PID:1408
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\gcIMgYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""7⤵PID:3396
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs8⤵PID:2812
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies registry key
PID:3120
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
- Modifies registry key
PID:3128
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
PID:3152
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\rMcMQYEM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""5⤵PID:3180
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵PID:3888
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
PID:2856
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
PID:2928
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
PID:3004
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\mgcAwUwg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""3⤵PID:1832
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:2172
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- Views/modifies file attributes
PID:2608
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
PID:2688
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:2140
-
-
C:\Windows\SysWOW64\cmd.execmd /c 11511664455271.bat3⤵PID:2532
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs4⤵PID:2576
-
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:3356
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe4⤵PID:3344
-
-
-
C:\Windows\SysWOW64\cmd.exePID:3384
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:3668
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet5⤵PID:3560
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:2200
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exePID:4108
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yqdbhvadqux735" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f3⤵PID:4132
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:4124
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe3⤵PID:4244
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe3⤵PID:4900
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exePID:4956
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:4988
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2312 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "3⤵PID:3592
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious use of FindShellTrayWindow
PID:2360
-
-
C:\Users\Admin\AppData\Local\Temp\Fantom.exe"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"3⤵PID:4348
-
-
-
C:\Users\Admin\AppData\Local\Temp\ose00000.exe"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"2⤵PID:2488
-
-
C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504 -
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:3820
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3856
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3872
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3900
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3912
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3932
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 154⤵PID:3748
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3952
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3964
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3984
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4040
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"4⤵PID:3544
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4064
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4076
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4084
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1476
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:2848
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3268
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3192
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3324
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:2540
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:2164
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"4⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\[email protected]C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom5⤵PID:3256
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"6⤵PID:4100
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies registry key
PID:4252
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
- Modifies registry key
PID:4404
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\jAAcAEQY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""6⤵PID:4480
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:3400
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
PID:4472
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies registry key
PID:3428
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
PID:3644
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\PgcAQwkg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""4⤵PID:2652
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:1540
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies registry key
PID:3476
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:2204
-
C:\Users\Admin\AppData\Local\Temp\is-REELM.tmp\is-SE41D.tmp"C:\Users\Admin\AppData\Local\Temp\is-REELM.tmp\is-SE41D.tmp" /SL4 $10488 "C:\Users\Admin\AppData\Local\Temp\[email protected]" 779923 558084⤵PID:4048
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1488
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3420
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4400
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1004
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1524⤵
- Program crash
PID:4008
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3484
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
- Launches sc.exe
PID:4564
-
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled4⤵
- Launches sc.exe
PID:4892
-
-
C:\Users\Admin\AppData\Roaming\kutmmf.exeC:\Users\Admin\AppData\Roaming\kutmmf.exe4⤵PID:4752
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\EN2B55~1.EXE" >> NUL4⤵PID:3384
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3504
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1092
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"4⤵PID:3696
-
C:\Users\Admin\AppData\Local\Temp\[email protected]C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock5⤵PID:3340
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"6⤵PID:4192
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies registry key
PID:4264
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\iEgUwYQI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""6⤵PID:4372
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:3684
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
PID:4364
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
- Modifies registry key
PID:4336
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies registry key
PID:2068
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies registry key
PID:2332
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
PID:3408
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\IIIQIoUw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""4⤵PID:3456
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:4432
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe"C:\Users\Admin\AppData\Local\Temp\taskse.exe"3⤵PID:3488
-
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe"C:\Users\Admin\AppData\Local\Temp\taskdl.exe"3⤵PID:2520
-
-
C:\Users\Admin\AppData\Local\Temp\ose00000.exe"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"3⤵PID:2068
-
-
C:\Users\Admin\AppData\Local\Temp\Fantom.exe"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"3⤵PID:3144
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3168
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3132
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:948
-
C:\Windows\SysWOW64\attrib.exeattrib +h .4⤵
- Views/modifies file attributes
PID:2788
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q4⤵
- Modifies file permissions
PID:3328
-
-
-
C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"C:\Users\Admin\AppData\Local\Temp\winsp2up.exe"3⤵PID:820
-
-
C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"C:\Users\Admin\AppData\Local\Temp\UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe"3⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\7138496.exe"C:\Users\Admin\AppData\Local\Temp\7138496.exe"4⤵PID:4916
-
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]PID:4936
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4944
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4960
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4972
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4992
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:5008
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:5032
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:5040
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:5048
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:5064
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"5⤵PID:3272
-
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:5080
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:5100
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:5112
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4116
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4304
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4296
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:3996
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4152
-
-
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:4144
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2576 -s 18404⤵
- Program crash
PID:3040
-
-
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:2488
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1629774111-1189734067479411229-306934536647202789249845971-982271422-290965814"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2164
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1352951619-697510235-1153078449122492692-192055209515389129671996466594-1835603822"1⤵PID:2928
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1728
Network
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Hidden Files and Directories
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Winlogon Helper DLL
1Defense Evasion
File Deletion
2File and Directory Permissions Modification
1Hidden Files and Directories
1Impair Defenses
1Install Root Certificate
1Modify Registry
7Virtualization/Sandbox Evasion
2Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
199KB
MD5aeabed7c43c474e28bb6c2e798ee56ad
SHA14c8841ad827d8227481522ec809abf5b10967879
SHA2561d65ec7515dc6aa18b917b285026d6b2d8fb19b4b655cf5cc027b17dac167e53
SHA5122b953794853653f7bc8803401ae2ffe5f1cf78e35d3509f4eb0453ff2726700da6b94ea99cf9f7c8c34fda2462d638737d68962c49816285e978b142e8a03c27
-
Filesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
Filesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.2MB
MD5910dd666c83efd3496f21f9f211cdc1f
SHA177cd736ee1697beda0ac65da24455ec566ba7440
SHA25606effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.2MB
MD5910dd666c83efd3496f21f9f211cdc1f
SHA177cd736ee1697beda0ac65da24455ec566ba7440
SHA25606effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize2.0MB
MD5c7e9746b1b039b8bd1106bca3038c38f
SHA1cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize2.0MB
MD5c7e9746b1b039b8bd1106bca3038c38f
SHA1cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize739KB
MD5382430dd7eae8945921b7feab37ed36b
SHA1c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA25670e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA51226abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize739KB
MD5382430dd7eae8945921b7feab37ed36b
SHA1c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA25670e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA51226abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize816KB
MD57dfbfba1e4e64a946cb096bfc937fbad
SHA19180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize116KB
MD541789c704a0eecfdd0048b4b4193e752
SHA1fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA51276391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize313KB
MD5fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize484KB
MD50a7b70efba0aa93d4bc0857b87ac2fcb
SHA101a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA2564f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA5122033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize484KB
MD50a7b70efba0aa93d4bc0857b87ac2fcb
SHA101a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA2564f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA5122033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize190KB
MD5248aadd395ffa7ffb1670392a9398454
SHA1c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA25651290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize190KB
MD5248aadd395ffa7ffb1670392a9398454
SHA1c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA25651290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.9MB
MD5cb02c0438f3f4ddabce36f8a26b0b961
SHA148c4fcb17e93b74030415996c0ec5c57b830ea53
SHA25664677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.9MB
MD5cb02c0438f3f4ddabce36f8a26b0b961
SHA148c4fcb17e93b74030415996c0ec5c57b830ea53
SHA25664677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32
SHA512373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize6.1MB
MD504155ed507699b4e37532e8371192c0b
SHA1a14107131237dbb0df750e74281c462a2ea61016
SHA256b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA5126de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize53KB
MD587ccd6f4ec0e6b706d65550f90b0e3c7
SHA1213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.1MB
MD52eb3ce80b26345bd139f7378330b19c1
SHA110122bd8dd749e20c132d108d176794f140242b0
SHA2568abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.1MB
MD52eb3ce80b26345bd139f7378330b19c1
SHA110122bd8dd749e20c132d108d176794f140242b0
SHA2568abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize414KB
MD5d0deb2644c9435ea701e88537787ea6e
SHA1866e47ecd80da89c4f56557659027a3aee897132
SHA256ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA5126faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize414KB
MD5d0deb2644c9435ea701e88537787ea6e
SHA1866e47ecd80da89c4f56557659027a3aee897132
SHA256ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA5126faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize9.7MB
MD51f13396fa59d38ebe76ccc587ccb11bb
SHA1867adb3076c0d335b9bfa64594ef37a7e2c951ff
SHA25683ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
SHA51282ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize878KB
MD5e4d4a59494265949993e26dee7b077d1
SHA183e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA2565ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize878KB
MD5e4d4a59494265949993e26dee7b077d1
SHA183e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA2565ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize225KB
MD5af2379cc4d607a45ac44d62135fb7015
SHA139b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA25626b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA51269899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize220KB
MD53ed3fb296a477156bc51aba43d825fc0
SHA19caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA2561898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.0MB
MD50002dddba512e20c3f82aaab8bad8b4d
SHA1493286b108822ba636cc0e53b8259e4f06ecf900
SHA2562d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.0MB
MD50002dddba512e20c3f82aaab8bad8b4d
SHA1493286b108822ba636cc0e53b8259e4f06ecf900
SHA2562d68fe191ba9e97f57f07f7bd116e53800b983d267da99bf0a6e6624dd7e5cf7
SHA512497954400ab463eb254abe895648c208a1cc951ecb231202362dadbe3ffb49d8d853b487589ce935c1dc8171f56d0df95093ffc655c684faa944c13bcfd87b8b
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize2.4MB
MD502f471d1fefbdc07af5555dbfd6ea918
SHA12a8f93dd21628933de8bea4a9abc00dbb215df0b
SHA25636619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
SHA512287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize904KB
MD50315c3149c7dc1d865dc5a89043d870d
SHA1f74546dda99891ca688416b1a61c9637b3794108
SHA25690c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9
SHA5127168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.4MB
MD5e1b69c058131e1593eccd4fbcdbb72b2
SHA16d319439cac072547edd7cf2019855fa25092006
SHA256b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f
SHA512161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.4MB
MD5e1b69c058131e1593eccd4fbcdbb72b2
SHA16d319439cac072547edd7cf2019855fa25092006
SHA256b61c53f4137c41aa0a5538fc9a746034b3a903cc4b1b3c8b5f3d3118e1e2bd8f
SHA512161a5923dc3a6507cbee3b547edcef4fbfe1dc6a04832c2472b1e635d758d1503a61361c2a83a13a0d8e4607516fda4ae6462a74df66b20a7c93174bbcc7129c
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize1.2MB
MD5d5e5853f5a2a5a7413f26c625c0e240b
SHA10ced68483e7f3742a963f2507937bb7089de3ffe
SHA256415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3
SHA51249ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize2.2MB
MD57dde6427dcf06d0c861693b96ad053a0
SHA1086008ecfe06ad06f4c0eee2b13530897146ae01
SHA256077c04ee44667c5e1024652a7bbe7fff81360ef128245ffd4cd843b7a56227cf
SHA5128cf162f83ebfa2f3db54b10d5b0e6af590e97596ac2d469058a98340bf27de2866e679c777aa46dd530db44c27503d4cea8c34d96cb83b71477a806b5ab7c1b9
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize438KB
MD503baeba6b4224371cca7fa6f95ae61c0
SHA18731202d2f954421a37b5c9e01d971131bd515f1
SHA25661a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35
SHA512386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize438KB
MD503baeba6b4224371cca7fa6f95ae61c0
SHA18731202d2f954421a37b5c9e01d971131bd515f1
SHA25661a9e3278b6bcc29a2a0405b06fb2a3bbcb1751c3dd564a8f94cc89ea957ec35
SHA512386643b0a52b6b1a53e81a8500d040b6415e532ebaffd1be8d1afd4ccb10f6c0342cf734b688ec803b960339284c8d9669e638b1648d9cc734cf7367659c7fd0
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize770KB
MD58cd7c19b6dc76c116cdb84e369fd5d9a
SHA15e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA25647769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize770KB
MD58cd7c19b6dc76c116cdb84e369fd5d9a
SHA15e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA25647769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize194KB
MD58803d517ac24b157431d8a462302b400
SHA1b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA51238fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize3.4MB
MD584c82835a5d21bbcf75a61706d8ab549
SHA15ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA51290723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize2.4MB
MD5dbfbf254cfb84d991ac3860105d66fc6
SHA1893110d8c8451565caa591ddfccf92869f96c242
SHA25668b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
SHA5125e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize84KB
MD59d15a3b314600b4c08682b0202700ee7
SHA1208e79cdb96328d5929248bb8a4dd622cf0684d1
SHA2563ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15
SHA5129916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3
-
Filesize
261KB
MD57d80230df68ccba871815d68f016c282
SHA1e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA51264d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
Filesize
661KB
MD519672882daf21174647509b74a406a8c
SHA1e3313b8741bd9bbe212fe53fcc55b342af5ae849
SHA25634e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8
SHA512eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f
-
Filesize
194KB
MD541d026963239e576d58f0a56d2cb0e97
SHA186b58f785fd03d9d55b84246471cce45e5cdc513
SHA25666a411fee9b52e98fe01364ab2b87278b354a63810e1cf4ce94873633ec3329d
SHA512f3b9d55265faafaada50253ef20b9ff0217422543942dc6f657e1df6a72e650685271282e27a42b1911dcb44be52cae2f5cafac5bfd94c450cc7359faf0bf345
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
199KB
MD5aeabed7c43c474e28bb6c2e798ee56ad
SHA14c8841ad827d8227481522ec809abf5b10967879
SHA2561d65ec7515dc6aa18b917b285026d6b2d8fb19b4b655cf5cc027b17dac167e53
SHA5122b953794853653f7bc8803401ae2ffe5f1cf78e35d3509f4eb0453ff2726700da6b94ea99cf9f7c8c34fda2462d638737d68962c49816285e978b142e8a03c27
-
Filesize
199KB
MD5aeabed7c43c474e28bb6c2e798ee56ad
SHA14c8841ad827d8227481522ec809abf5b10967879
SHA2561d65ec7515dc6aa18b917b285026d6b2d8fb19b4b655cf5cc027b17dac167e53
SHA5122b953794853653f7bc8803401ae2ffe5f1cf78e35d3509f4eb0453ff2726700da6b94ea99cf9f7c8c34fda2462d638737d68962c49816285e978b142e8a03c27
-
Filesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
\Users\Admin\AppData\Local\Temp\[email protected]
Filesize770KB
MD58cd7c19b6dc76c116cdb84e369fd5d9a
SHA15e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA25647769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
-
\Users\Admin\AppData\Local\Temp\[email protected]
Filesize770KB
MD58cd7c19b6dc76c116cdb84e369fd5d9a
SHA15e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA25647769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
-
\Users\Admin\AppData\Local\Temp\[email protected]
Filesize770KB
MD58cd7c19b6dc76c116cdb84e369fd5d9a
SHA15e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA25647769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
-
Filesize
661KB
MD519672882daf21174647509b74a406a8c
SHA1e3313b8741bd9bbe212fe53fcc55b342af5ae849
SHA25634e6fea583cf1f995cf24e841da2060e0777405ac228094722f17f2e337ccea8
SHA512eceddd4f1bbaf84dde72642f022b86033ba5a8b5105c573adcc49946d172e26e2512edce6f99e78dd3a2b0f8a23fa6138cca995a824e5f53a6ba925de434fa8f
-
Filesize
194KB
MD541d026963239e576d58f0a56d2cb0e97
SHA186b58f785fd03d9d55b84246471cce45e5cdc513
SHA25666a411fee9b52e98fe01364ab2b87278b354a63810e1cf4ce94873633ec3329d
SHA512f3b9d55265faafaada50253ef20b9ff0217422543942dc6f657e1df6a72e650685271282e27a42b1911dcb44be52cae2f5cafac5bfd94c450cc7359faf0bf345
-
Filesize
194KB
MD541d026963239e576d58f0a56d2cb0e97
SHA186b58f785fd03d9d55b84246471cce45e5cdc513
SHA25666a411fee9b52e98fe01364ab2b87278b354a63810e1cf4ce94873633ec3329d
SHA512f3b9d55265faafaada50253ef20b9ff0217422543942dc6f657e1df6a72e650685271282e27a42b1911dcb44be52cae2f5cafac5bfd94c450cc7359faf0bf345