Rannoh ransom
Checked for debuggers
Created process: (null),C:\Users\tachion\AppData\Local\Temp\zsbfskhyrp.pre,(null)
Created process: (null),extrac32.exe /A /E /Y "C:\Windows\system32\183B3-2DEF97-2DEF78.cab" /L "C:\Windows\system32\",(null)
Created process: (null),reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",(null)
Created process: (null),reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe" /t REG_SZ /f /v Debugger /d P9KDMF.EXE,(null)
Created process: (null),reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /t REG_SZ /f /v Debugger /d P9KDMF.EXE,(null)
Created process: (null),reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /t REG_SZ /f /v Debugger /d P9KDMF.EXE,(null)
Created process: (null),reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /t REG_DWORD /f /v DisableRegedit /d "1",(null)
Created process: (null),reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /t REG_DWORD /f /v DisableTaskMgr /d "1",(null)
Created process: (null),reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot" /f,(null)
Created process: (null),svchost.exe,(null)
Decrypted data
Defined code injection in process: c:\windows\system32\svchost.exe
Defined file type created in Windows folder: C:\Windows\system32\13E6C8826017634F8068.exe
Defined file type created: C:\Users\tachion\AppData\Roaming\Bkzfhpsyiwr\F6C809746017634F44B0.exe
Defined file type modified: E:\AdobePhotoshopCS6Portable\App\PhotoshopCS6\dvaui.dll
Defined registry AutoStart location created or modified: machine\software\microsoft\windows nt\currentversion\Image File Execution Options\msconfig.exe\Debugger = P9KDMF.EXE
Defined registry AutoStart location created or modified: machine\software\microsoft\windows nt\currentversion\Image File Execution Options\regedit.exe\Debugger = P9KDMF.EXE
Defined registry AutoStart location created or modified: machine\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe\Debugger = P9KDMF.EXE
Defined registry AutoStart location created or modified: machine\software\microsoft\windows nt\currentversion\winlogon\userinit = C:\Windows\system32\userinit.exe,C:\Windows\system32\13E6C8826017634F8068.exe,
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations = \??\C:\Users\tachion\AppData\Local\Temp\zsbfskhyrp.pre
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Services\VSS\Diag\SPP\SppCreate (Enter) = 4000000000000000A3C5685AD941CD01F817000028110000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Services\VSS\Diag\SPP\SppCreate (Leave) = 400000000000000006B0695AD941CD01F817000028110000D0070000010000000000000002230480000000000000000000000000000000000000000000000000
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Services\VSS\Diag\SystemRestore\SrCreateRp (Enter) = 4000000000000000929E685AD941CD01F817000028110000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 400000000000000006B0695AD941CD01F817000028110000D5070000010000000000000002230480000000000000000000000000000000000000000000000000
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\6017634F = C:\Users\tachion\AppData\Roaming\Bkzfhpsyiwr\F6C809746017634F44B0.exe
Detected process privilege elevation
Disable regedit: machine\software\microsoft\windows\currentversion\policies\system\disableregedit = 00000001
Disable regedit: user\current\software\microsoft\windows\currentversion\policies\system\disableregedit = 00000001
Disable registry tools: user\current\software\microsoft\windows\currentversion\policies\system\disableregistrytools = 00000001
Disable Task Manager: machine\software\microsoft\windows\currentversion\policies\system\disabletaskmgr = 00000001
Encrypted data
File copied itself
File deleted itself
Got computer name
Got user name information
Got volume information
Hide file from user: C:\Users\tachion\AppData\Roaming\Bkzfhpsyiwr\F6C809746017634F44B0.exe
Hide file from user: C:\Windows\system32\13E6C8826017634F8068.exe
Internet connection: Connects to "188.190.98.113" on port 80.
Internet connection: Connects to "makase66makase.com" on port 80.
Listed all entry names in a remote access phone book
It also encrypts files. This one:
!!warning!!
[malware]
password: sg [/malware]