Malware Analysis Report

2024-10-19 00:02

Sample ID 220929-pt4essaha4
Target Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe
SHA256 f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9
Tags
badrabbit mimikatz evasion ransomware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9

Threat Level: Known bad

The file Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe was found to be: Known bad.

Malicious Activity Summary

badrabbit mimikatz evasion ransomware upx

BadRabbit

Mimikatz

mimikatz is an open source tool to dump credentials on Windows

Executes dropped EXE

UPX packed file

Modifies Windows Firewall

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies registry key

Kills process with taskkill

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-29 12:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-29 12:38

Reported

2022-09-29 12:40

Platform

win7-20220812-en

Max time kernel

127s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files

memory/288-54-0x00000000011D0000-0x00000000011FC000-memory.dmp

memory/288-55-0x0000000000140000-0x0000000000156000-memory.dmp

memory/288-56-0x0000000000150000-0x0000000000156000-memory.dmp

memory/288-57-0x00000000006C0000-0x00000000006F8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-29 12:38

Reported

2022-09-29 12:40

Platform

win10v2004-20220812-en

Max time kernel

7s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

Signatures

BadRabbit

ransomware badrabbit

Mimikatz

mimikatz

mimikatz is an open source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\infpub.dat C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
File opened for modification C:\Windows\infpub.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\cscc.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\dispci.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\infpub.dat C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe
PID 4076 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe
PID 4076 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 5028 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 5028 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 5028 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 4076 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe
PID 4076 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe
PID 4076 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Windows\SysWOW64\taskkill.exe
PID 4076 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Windows\SysWOW64\taskkill.exe
PID 4076 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Windows\SysWOW64\taskkill.exe
PID 4076 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4076 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Windows\System32\Conhost.exe
PID 4076 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe C:\Windows\System32\Conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Delete /F /TN rhaegal

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2065160815 && exit"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Delete /F /TN rhaegal

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00

C:\Windows\B683.tmp

"C:\Windows\B683.tmp" \\.\pipe\{3DB67634-4DC6-45C5-8899-94EABCBCCCFA}

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2065160815 && exit"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:56:00

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\hmkswcsw\qmcMQIsM.exe

"C:\Users\Admin\hmkswcsw\qmcMQIsM.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\ProgramData\wCcgQgQU\yAoMIQIk.exe

"C:\ProgramData\wCcgQgQU\yAoMIQIk.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giksMUoI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcgUYMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\Fantom.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMosMAwM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSwscEsc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Network

Country Destination Domain Proto

Files


memory/3720-373-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

memory/4620-372-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

memory/4088-374-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1120-375-0x00000000024E0000-0x0000000002548000-memory.dmp

memory/2972-376-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3564-380-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

memory/4280-386-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1060-388-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4280-389-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3944-387-0x0000000000400000-0x0000000000438000-memory.dmp