Malware Analysis Report

2024-10-19 00:02

Sample ID 220929-pt4essaha5
Target Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
SHA256 72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503
Tags: badrabbit cerber mimikatz wannacry bootkit discovery evasion persistence ransomware spyware stealer upx worm
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503

Threat Level: Known bad

The file Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe was found to be: Known bad.

Malicious Activity Summary


Wannacry

Modifies WinLogon for persistence

Mimikatz

Cerber

BadRabbit

Mimikatz is an open-source tool to dump credentials on Windows

Modifies extensions of user files

Executes dropped EXE

Disables Task Manager via registry modification

Modifies Windows Firewall

Disables RegEdit via registry modification

UPX packed file

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies system certificate store

Modifies Internet Explorer start page

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry class

Runs net.exe

Kills process with taskkill

Modifies registry key

Modifies Internet Explorer settings

System policy modification

Checks processor information in registry

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-29 12:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-29 12:38

Reported

2022-09-29 12:40

Platform

win7-20220812-en

Max time kernel

101s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files

memory/1652-54-0x00000000010B0000-0x00000000010DC000-memory.dmp

memory/1652-55-0x00000000004C0000-0x00000000004D6000-memory.dmp

memory/1652-56-0x0000000000560000-0x0000000000566000-memory.dmp

memory/1652-57-0x000000001A7D0000-0x000000001A808000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-29 12:38

Reported

2022-09-29 12:41

Platform

win10v2004-20220901-en

Max time kernel

82s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe"

Signatures

BadRabbit

ransomware badrabbit

Cerber

ransomware cerber

Mimikatz

mimikatz

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oper4cod.2v1\\[email protected]" C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected] N/A

Wannacry

ransomware worm wannacry

Mimikatz is an open-source tool to dump credentials on Windows

Description Indicator Process Target
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdjq0sak.522\Fantom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected] N/A
N/A N/A C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe N/A
N/A N/A C:\ProgramData\QGAUgUkc\icYgIkMc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected] N/A
N/A N/A C:\Windows\41CC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ljmyia5o.gcg\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eewa04qc.hg4\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\taskdl.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\AddNew.tiff.deria C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] N/A
File opened for modification C:\Users\Admin\Pictures\HideConnect.crw.deria C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] N/A
File opened for modification C:\Users\Admin\Pictures\MoveDismount.tif.deria C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] N/A
File opened for modification C:\Users\Admin\Pictures\PublishEnable.raw.deria C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwIoMAwQ.exe = "C:\\Users\\Admin\\ROMQEsAc\\mwIoMAwQ.exe" C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icYgIkMc.exe = "C:\\ProgramData\\QGAUgUkc\\icYgIkMc.exe" C:\ProgramData\QGAUgUkc\icYgIkMc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oper4cod.2v1\\[email protected]" C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwIoMAwQ.exe = "C:\\Users\\Admin\\ROMQEsAc\\mwIoMAwQ.exe" C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\icYgIkMc.exe = "C:\\ProgramData\\QGAUgUkc\\icYgIkMc.exe" C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected] N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\f: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A

Legitimate hosting services abused for malware hosting/C2

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail [email protected] код пополнения счета киевстар на 25 гривень. В ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\[email protected] N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected] N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification \??\c:\program files (x86)\microsoft\office C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification \??\c:\program files (x86)\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\comdll.X.manifest.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification \??\c:\program files (x86)\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification \??\c:\program files (x86)\word C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\avpc2009.exe C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\ActionsPane3.xsd.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification \??\c:\program files (x86)\onenote C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] N/A
File created C:\Program Files (x86)\antiviruspc2009\avpc2009.exe C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification \??\c:\program files (x86)\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009 C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File created C:\Program Files (x86)\antiviruspc2009\libltdl3.dll C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\AddIns.store.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File created C:\Program Files (x86)\AnVi\splash.mp3 C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] N/A
File created C:\Program Files (x86)\AnVi\virus.mp3 C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File created C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification \??\c:\program files (x86)\microsoft\excel C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\hyph_en_CA.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification \??\c:\program files (x86)\steam C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification \??\c:\program files (x86)\powerpoint C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
File opened for modification \??\c:\program files (x86)\microsoft\word C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\infpub.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\41CC.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected] N/A
File created C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected] N/A
File opened for modification C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected] N/A
File created C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected] N/A
File opened for modification C:\WINDOWS\Web C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
File created C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected] N/A
File created C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected] N/A
File opened for modification C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected] N/A
File created C:\Windows\infpub.dat C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\[email protected] N/A
File created C:\Windows\dispci.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\__tmp_rar_sfx_access_check_240611125 C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected] N/A
File opened for modification C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected] N/A
File created C:\Windows\cscc.dat C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected] N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperOriginY = "187" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\MenuShowDelay = "9999" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperOriginX = "210" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected] N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected] N/A
N/A N/A C:\Windows\41CC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cdjq0sak.522\Fantom.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\[email protected] N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected] N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\41CC.tmp N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4188 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\[email protected]
PID 4188 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected]
PID 3776 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\[email protected] C:\Windows\SysWOW64\rundll32.exe
PID 4188 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected]
PID 4188 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected]
PID 4188 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\cdjq0sak.522\Fantom.exe
PID 3792 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected] C:\Windows\SysWOW64\taskkill.exe
PID 4188 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected]
PID 4188 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected]
PID 4536 wrote to memory of 4424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\[email protected]
PID 4188 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\[email protected]
PID 4188 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]
PID 3468 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 4536 wrote to memory of 1560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected]
PID 4424 wrote to memory of 2480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4188 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]
PID 5096 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe
PID 5096 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] C:\ProgramData\QGAUgUkc\icYgIkMc.exe
PID 5096 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected] C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected] N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdda-72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe"

C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\[email protected]

"C:\Users\Admin\AppData\Local\Temp\ktzf2cfl.uxo\[email protected]"

C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected]

"C:\Users\Admin\AppData\Local\Temp\oper4cod.2v1\[email protected]"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected]

"C:\Users\Admin\AppData\Local\Temp\blzf2w0y.bgq\[email protected]"

C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected]

"C:\Users\Admin\AppData\Local\Temp\vyv1hubq.odx\[email protected]"

C:\Users\Admin\AppData\Local\Temp\cdjq0sak.522\Fantom.exe

"C:\Users\Admin\AppData\Local\Temp\cdjq0sak.522\Fantom.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Delete /F /TN rhaegal

C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected]

"C:\Users\Admin\AppData\Local\Temp\4m2nfs0d.lrn\[email protected]"

C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected]

"C:\Users\Admin\AppData\Local\Temp\sa3c0qwz.02p\[email protected]"

C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\[email protected]

"C:\Users\Admin\AppData\Local\Temp\k3goj0ze.ow0\[email protected]"

C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\[email protected]

"C:\Users\Admin\AppData\Local\Temp\j1bgbpzv.4xs\[email protected]"

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]

"C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1835013906 && exit"

C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected]

"C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected]"

C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe

"C:\Users\Admin\ROMQEsAc\mwIoMAwQ.exe"

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]

"C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Delete /F /TN rhaegal

C:\ProgramData\QGAUgUkc\icYgIkMc.exe

"C:\ProgramData\QGAUgUkc\icYgIkMc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1835013906 && exit"

C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\[email protected]

"C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\[email protected]"

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\[email protected]

"C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMEwkMEs.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgUcQAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKYQQgMY.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]""

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected]

"C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyYMMokg.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom

C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected]

"C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected]"

C:\Windows\SysWOW64\cmd.exe

/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00

C:\Windows\41CC.tmp

"C:\Windows\41CC.tmp" \\.\pipe\{9668C2A0-7AE3-436A-B3A4-C45297891E27}

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ljmyia5o.gcg\[email protected]

"C:\Users\Admin\AppData\Local\Temp\ljmyia5o.gcg\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAAkQMkk.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected]

"C:\Users\Admin\AppData\Local\Temp\eqegsf1b.ins\[email protected]"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmgsQccs.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 720 -ip 720

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock"

C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected]

"C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSUIckso.bat" "C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]""

C:\Users\Admin\AppData\Local\Temp\eewa04qc.hg4\[email protected]

"C:\Users\Admin\AppData\Local\Temp\eewa04qc.hg4\[email protected]"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEMIEUoU.bat" "C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom

C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1008 -ip 1008

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 504 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 804

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5840 -ip 5840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 820

C:\Windows\SysWOW64\net.exe

net stop wscsvc

C:\Windows\SysWOW64\net.exe

net stop winmgmt /y

C:\Windows\SysWOW64\net.exe

net start winmgmt

C:\Windows\SysWOW64\net.exe

net start wscsvc

C:\Windows\SysWOW64\Wbem\mofcomp.exe

mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof

C:\Users\Admin\AppData\Local\Temp\wg2juisi.l3d\taskdl.exe

taskdl.exe

Network


Files

SHA512 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

memory/1940-225-0x0000000000000000-mapping.dmp

C:\ProgramData\QGAUgUkc\icYgIkMc.inf

MD5 0d9f119b066f5b17e20e8b1de6990f6d
SHA1 56d16930f213f090d55bf7667b4065578389e712
SHA256 794348adf765f002d715985705eb49e5b9cbb96a3ecc1ff5f7a740bf8a944698
SHA512 f8111a0d4db1021d11ab1296d56a5196c51c88a47c108df30ca27ae65440c20583835a3d786ad938b3647b5f5304ebdb4bf62ccfb681c0cbf972d8aac458fb61

memory/2548-226-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\ROMQEsAc\mwIoMAwQ.inf

MD5 0d9f119b066f5b17e20e8b1de6990f6d
SHA1 56d16930f213f090d55bf7667b4065578389e712
SHA256 794348adf765f002d715985705eb49e5b9cbb96a3ecc1ff5f7a740bf8a944698
SHA512 f8111a0d4db1021d11ab1296d56a5196c51c88a47c108df30ca27ae65440c20583835a3d786ad938b3647b5f5304ebdb4bf62ccfb681c0cbf972d8aac458fb61

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock

MD5 76e08b93985d60b82ddb4a313733345c
SHA1 273effbac9e1dc901a3f0ee43122d2bdb383adbf
SHA256 4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89
SHA512 4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

memory/3904-230-0x0000000000000000-mapping.dmp

memory/4884-231-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]

MD5 3ed3fb296a477156bc51aba43d825fc0
SHA1 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512 dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

memory/2652-233-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]

MD5 8803d517ac24b157431d8a462302b400
SHA1 b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA512 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

C:\Users\Admin\AppData\Local\Temp\tptjt0mi.bpx\[email protected]

MD5 dbfbf254cfb84d991ac3860105d66fc6
SHA1 893110d8c8451565caa591ddfccf92869f96c242
SHA256 68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
SHA512 5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

memory/3680-238-0x0000000000000000-mapping.dmp

memory/1100-240-0x0000000000000000-mapping.dmp

memory/3796-237-0x0000000000000000-mapping.dmp

memory/2488-249-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\[email protected]

MD5 9d15a3b314600b4c08682b0202700ee7
SHA1 208e79cdb96328d5929248bb8a4dd622cf0684d1
SHA256 3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15
SHA512 9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

memory/4884-256-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\ROMQEsAc\mwIoMAwQ.inf

MD5 ca5f1bcf00493f15604b170b21df60d4
SHA1 f7ca8f7ec9fb6257d48d8cc61c4a14d0b8231b4c
SHA256 5f99c73a1411a85eee15b2f2ccbb7aeab0d414ee8e2c0a7e334381efc52a057c
SHA512 49fb34a892f25345ac96481fef0af4b551c8c137e8bdf37c07ee315b36c7b42d519953d5680874b3a4675afe9ece4f51ecdee1f53cf4a41cb01f17202220405c

C:\ProgramData\QGAUgUkc\icYgIkMc.inf

MD5 ca5f1bcf00493f15604b170b21df60d4
SHA1 f7ca8f7ec9fb6257d48d8cc61c4a14d0b8231b4c
SHA256 5f99c73a1411a85eee15b2f2ccbb7aeab0d414ee8e2c0a7e334381efc52a057c
SHA512 49fb34a892f25345ac96481fef0af4b551c8c137e8bdf37c07ee315b36c7b42d519953d5680874b3a4675afe9ece4f51ecdee1f53cf4a41cb01f17202220405c

memory/2084-253-0x0000000000000000-mapping.dmp

memory/4244-252-0x0000000000000000-mapping.dmp

memory/2652-257-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4880-260-0x0000000000000000-mapping.dmp

memory/1824-258-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mysydtdx.jod\[email protected]

MD5 9d15a3b314600b4c08682b0202700ee7
SHA1 208e79cdb96328d5929248bb8a4dd622cf0684d1
SHA256 3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15
SHA512 9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

memory/4252-248-0x0000000000000000-mapping.dmp

memory/3488-262-0x0000000000000000-mapping.dmp

memory/720-261-0x00000000004D0000-0x00000000004D3000-memory.dmp

memory/720-259-0x0000000000400000-0x000000000044F000-memory.dmp

memory/5020-247-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock

MD5 76e08b93985d60b82ddb4a313733345c
SHA1 273effbac9e1dc901a3f0ee43122d2bdb383adbf
SHA256 4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89
SHA512 4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

memory/3024-244-0x0000000000000000-mapping.dmp

memory/1376-243-0x0000000000000000-mapping.dmp

memory/4992-242-0x0000000000000000-mapping.dmp

memory/720-241-0x0000000000000000-mapping.dmp

memory/3776-245-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom

MD5 2fc0e096bf2f094cca883de93802abb6
SHA1 a4b51b3b4c645a8c082440a6abbc641c5d4ec986
SHA256 14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3
SHA512 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

memory/4092-267-0x0000000000000000-mapping.dmp

memory/5096-272-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5184-273-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected]

MD5 c7e9746b1b039b8bd1106bca3038c38f
SHA1 cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256 b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512 cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

memory/3016-276-0x0000000000400000-0x0000000000432000-memory.dmp

C:\ProgramData\QGAUgUkc\icYgIkMc.inf

MD5 1493d913199bc77d25c9f705bbcf0467
SHA1 3d60a637bf152cdd915cde9816e10802bb852c14
SHA256 b53186c993714c5eda538e0f9ea6e44c8ceb5176185e0aed35f190da0573c1aa
SHA512 8eab60577496ff16630f0a19622a559f693f59a5abe45045f0c3dd7a6899ac52f6c6acc89676172dde638cd48a37a2677feda1c0823c48ba2e0d8685d8387c56

C:\Users\Admin\ROMQEsAc\mwIoMAwQ.inf

MD5 1493d913199bc77d25c9f705bbcf0467
SHA1 3d60a637bf152cdd915cde9816e10802bb852c14
SHA256 b53186c993714c5eda538e0f9ea6e44c8ceb5176185e0aed35f190da0573c1aa
SHA512 8eab60577496ff16630f0a19622a559f693f59a5abe45045f0c3dd7a6899ac52f6c6acc89676172dde638cd48a37a2677feda1c0823c48ba2e0d8685d8387c56

memory/1072-277-0x0000000000000000-mapping.dmp

memory/5272-274-0x0000000000000000-mapping.dmp

memory/5224-271-0x0000000000000000-mapping.dmp

memory/2548-270-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4668-268-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5172-269-0x0000000000000000-mapping.dmp

memory/2408-266-0x0000000000000000-mapping.dmp

memory/2280-265-0x0000000000000000-mapping.dmp

memory/4384-264-0x0000000000000000-mapping.dmp

memory/4732-263-0x0000000000000000-mapping.dmp

memory/1412-235-0x0000000000000000-mapping.dmp

memory/5460-281-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\[email protected]

MD5 3ed3fb296a477156bc51aba43d825fc0
SHA1 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512 dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\[email protected]

MD5 8803d517ac24b157431d8a462302b400
SHA1 b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e
SHA256 418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786
SHA512 38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

memory/5464-280-0x0000000000000000-mapping.dmp

memory/4428-284-0x0000000000510000-0x0000000000522000-memory.dmp

memory/2792-289-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\j2nrgays.gdo\[email protected]

MD5 c7e9746b1b039b8bd1106bca3038c38f
SHA1 cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256 b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512 cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

MD5 3531cf7755b16d38d5e9e3c43280e7d2
SHA1 19981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA256 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA512 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

memory/5460-314-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5464-315-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5840-312-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/5840-316-0x0000000000400000-0x0000000000A06000-memory.dmp

C:\ProgramData\QGAUgUkc\icYgIkMc.inf

MD5 8e93ff7439640abe97ccd045878ca3bc
SHA1 11166c68dcb6b8cb3b4d7d8b120e2b30c2d66726
SHA256 beb1caf816194847dab9d955a969ab803789bc1e3d85c59863372bbf8dee5fa5
SHA512 3b9eb4fa49a02b40e701dea729aada9e532f9441277eb28a221f10fd73115de147b57f0be3bc3a6c8c2da2492df2eff5c9106c28e6286e0f13a4b99cc1378685

C:\Users\Admin\ROMQEsAc\mwIoMAwQ.inf

MD5 8e93ff7439640abe97ccd045878ca3bc
SHA1 11166c68dcb6b8cb3b4d7d8b120e2b30c2d66726
SHA256 beb1caf816194847dab9d955a969ab803789bc1e3d85c59863372bbf8dee5fa5
SHA512 3b9eb4fa49a02b40e701dea729aada9e532f9441277eb28a221f10fd73115de147b57f0be3bc3a6c8c2da2492df2eff5c9106c28e6286e0f13a4b99cc1378685

memory/5840-307-0x0000000000400000-0x0000000000A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HKYQQgMY.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Windows\41CC.tmp

MD5 347ac3b6b791054de3e5720a7144a977
SHA1 413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA512 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

C:\Users\Admin\AppData\Local\Temp\hMEwkMEs.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\ygtmer1c.05q\Endermanch@ViraLock

MD5 76e08b93985d60b82ddb4a313733345c
SHA1 273effbac9e1dc901a3f0ee43122d2bdb383adbf
SHA256 4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89
SHA512 4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected]

MD5 7dfbfba1e4e64a946cb096bfc937fbad
SHA1 9180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512 f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

memory/4884-301-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bxyv45qd.jdd\[email protected]

MD5 7dfbfba1e4e64a946cb096bfc937fbad
SHA1 9180d2ce387314cd4a794d148ea6b14084c61e1b
SHA256 312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
SHA512 f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

C:\Users\Admin\AppData\Local\Temp\1drtfwp3.dw1\Endermanch@PolyRansom

MD5 2fc0e096bf2f094cca883de93802abb6
SHA1 a4b51b3b4c645a8c082440a6abbc641c5d4ec986
SHA256 14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3
SHA512 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

memory/2652-300-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

C:\Users\Admin\ROMQEsAc\mwIoMAwQ.inf

MD5 603b57c6f4fbfe4b823fa40a667f7276
SHA1 360aad3994d9d02cd126c6f759269b4d9036ccc7
SHA256 b01555b61ee67c66d033dcf10ffef469428cfcad8807ce1ff3f35172e02e70cc
SHA512 7e3ea4d3a995d049432c83df0f13539cf43f8301fb2ff7899ab343ffefebbcb0f0022462a79adecd7acafb814e42b72a02e9c535961df7de2075a92c583e4d7b

C:\ProgramData\QGAUgUkc\icYgIkMc.inf

MD5 603b57c6f4fbfe4b823fa40a667f7276
SHA1 360aad3994d9d02cd126c6f759269b4d9036ccc7
SHA256 b01555b61ee67c66d033dcf10ffef469428cfcad8807ce1ff3f35172e02e70cc
SHA512 7e3ea4d3a995d049432c83df0f13539cf43f8301fb2ff7899ab343ffefebbcb0f0022462a79adecd7acafb814e42b72a02e9c535961df7de2075a92c583e4d7b

memory/5668-292-0x0000000000000000-mapping.dmp

memory/5304-291-0x0000000000000000-mapping.dmp

memory/5312-290-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\eyay0sbp.1ln\[email protected]

MD5 382430dd7eae8945921b7feab37ed36b
SHA1 c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128
SHA256 70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b
SHA512 26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

MD5 3531cf7755b16d38d5e9e3c43280e7d2
SHA1 19981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA256 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA512 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

memory/5496-285-0x0000000000000000-mapping.dmp

memory/1008-317-0x00000000003B0000-0x00000000005A2000-memory.dmp

memory/5840-318-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/5840-319-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/4188-320-0x00007FFD41540000-0x00007FFD42001000-memory.dmp

memory/3468-321-0x0000000000400000-0x0000000000433000-memory.dmp