paladin316

NetWire_43d31275989308a86e53a1f91f180078_exe_2019-07-22_15_30.txt

Jul 22nd, 2019
  1.  
  2. * MalFamily: "NetWire" (the family attribution is corroborated by the HKEY_CURRENT_USER\\Software\\NetWire, HostId and "Install Date" registry keys listed under Modified Registry Keys below; the AV detection names further down indicate that the outer layer is an AutoIt-compiled loader, with NetWire as the delivered payload)
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "NetWire_43d31275989308a86e53a1f91f180078.exe"
  7. * File Size: 1366713
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "6d2417c4ffb93cb5ce7bb53f6e9b9e4026646d10411d907c1b16d58eeac0b2fd"
  10. * MD5: "43d31275989308a86e53a1f91f180078"
  11. * SHA1: "6bc580ea5a10a2eef4569bf0d58f953a3df8bf51"
  12. * SHA512: "0dad66922c79de1722186d5017c46c440872ad0f13b2e61e358d70236a7c9f9d8e92af5c14617b512240fb70392935d875e1fa4f270b72137a275d430988f646"
  13. * CRC32: "F3C86DDF"
  14. * SSDEEP: "24576:bNA3R5drXTLPddvaCZzdtWcwfh3va4F9lj5MeDbeibsRfGZojnTIa4JX:G5Pldimlwp3vbF/jmUbsR0a4B"
  15.  
  16. * Process Execution:
  17. "NetWire_43d31275989308a86e53a1f91f180078.exe",
  18. "wscript.exe",
  19. "pxa.exe",
  20. "pxa.exe",
  21. "RegSvcs.exe",
  22. "services.exe",
  23. "lsass.exe",
  24. "sdclt.exe",
  25. "taskhost.exe",
  26. "sc.exe",
  27. "svchost.exe",
  28. "svchost.exe",
  29. "WerFault.exe",
  30. "wermgr.exe"
  31.  
  32.  
  33. * Executed Commands:
  34. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ouo.vbs\"",
  35. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ouo.vbs ",
  36. "\"C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe\" nnx=igd",
  37. "pxa.exe nnx=igd",
  38. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\BSOED",
  39. "C:\\Windows\\system32\\lsass.exe",
  40. "C:\\Windows\\System32\\sdclt.exe /CONFIGNOTIFICATION",
  41. "taskhost.exe $(Arg0)",
  42. "C:\\Windows\\system32\\sc.exe start w32time task_started",
  43. "C:\\Windows\\system32\\svchost.exe -k LocalService",
  44. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  45. "C:\\Windows\\system32\\WerFault.exe -u -p 380 -s 288",
  46. "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\""
  47.  
  48.  
  49. * Signatures Detected:
  50.  
  51. "Description": "At least one process apparently crashed during execution (the WER artefacts in this report tie the crash to taskhost.exe, PID 380: see the WerFault.exe -u -p 380 command line, the Local\\WERReportingForProcess380 mutex and the AppCrash_taskhost.exe report-queue folder under Modified Files)",
  52. "Details":
  53.  
  54.  
  55. "Description": "Possible date expiration check, exits too soon after checking local time: pxa.exe (PID 2424) terminated shortly after reading the local time, which is consistent with a kill-date or sandbox-evasion check; note that a second pxa.exe instance (PID 2428) kept running and performed the RegSvcs.exe injection recorded below",
  56. "Details":
  57.  
  58. "process": "pxa.exe, PID 2424"
  59.  
  60.  
  61.  
  62.  
  63. "Description": "Creates RWX memory",
  64. "Details":
  65.  
  66.  
  67. "Description": "Detected script timer window indicative of sleep style evasion",
  68. "Details":
  69.  
  70. "Window": "WSH-Timer"
  71.  
  72.  
  73.  
  74.  
  75. "Description": "Reads data out of its own binary image",
  76. "Details":
  77.  
  78. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00000000, length: 0x00000007"
  79.  
  80.  
  81. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00000000, length: 0x00002000"
  82.  
  83.  
  84. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00000007, length: 0x0014dab2"
  85.  
  86.  
  87. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00001ff0, length: 0x00002000"
  88.  
  89.  
  90. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00003fe0, length: 0x00002000"
  91.  
  92.  
  93. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00005fd0, length: 0x00002000"
  94.  
  95.  
  96. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00007fc0, length: 0x00002000"
  97.  
  98.  
  99. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00009fb0, length: 0x00002000"
  100.  
  101.  
  102. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0000bfa0, length: 0x00002000"
  103.  
  104.  
  105. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0000df90, length: 0x00002000"
  106.  
  107.  
  108. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0000ff80, length: 0x00002000"
  109.  
  110.  
  111. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00011f70, length: 0x00002000"
  112.  
  113.  
  114. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00013f60, length: 0x00002000"
  115.  
  116.  
  117. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00015f50, length: 0x00002000"
  118.  
  119.  
  120. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00017f40, length: 0x00002000"
  121.  
  122.  
  123. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00019f30, length: 0x00002000"
  124.  
  125.  
  126. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0001bf20, length: 0x00002000"
  127.  
  128.  
  129. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0001df10, length: 0x00002000"
  130.  
  131.  
  132. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0001ff00, length: 0x00002000"
  133.  
  134.  
  135. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00021ef0, length: 0x00002000"
  136.  
  137.  
  138. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00023ee0, length: 0x00002000"
  139.  
  140.  
  141. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00025ed0, length: 0x00002000"
  142.  
  143.  
  144. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00027ec0, length: 0x00002000"
  145.  
  146.  
  147. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00029eb0, length: 0x00002000"
  148.  
  149.  
  150. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0002bea0, length: 0x00002000"
  151.  
  152.  
  153. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0002de90, length: 0x00002000"
  154.  
  155.  
  156. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0002fe80, length: 0x00002000"
  157.  
  158.  
  159. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00031e70, length: 0x00002000"
  160.  
  161.  
  162. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00033e60, length: 0x00002000"
  163.  
  164.  
  165. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00035e50, length: 0x00002000"
  166.  
  167.  
  168. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00037e40, length: 0x00002000"
  169.  
  170.  
  171. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00039e30, length: 0x00002000"
  172.  
  173.  
  174. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0003be20, length: 0x00002000"
  175.  
  176.  
  177. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0003de10, length: 0x00002000"
  178.  
  179.  
  180. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0003fe00, length: 0x00002000"
  181.  
  182.  
  183. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00041df0, length: 0x00002000"
  184.  
  185.  
  186. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00043de0, length: 0x00002000"
  187.  
  188.  
  189. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00045dd0, length: 0x00002000"
  190.  
  191.  
  192. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00047dc0, length: 0x00002000"
  193.  
  194.  
  195. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00049db0, length: 0x00002000"
  196.  
  197.  
  198. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0004bda0, length: 0x00002000"
  199.  
  200.  
  201. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0004dd90, length: 0x00002000"
  202.  
  203.  
  204. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0004fd80, length: 0x00002000"
  205.  
  206.  
  207. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00050a00, length: 0x00000032"
  208.  
  209.  
  210. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x00050a1a, length: 0x000f9834"
  211.  
  212.  
  213. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014a3ee, length: 0x00000028"
  214.  
  215.  
  216. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014a5cc, length: 0x00000028"
  217.  
  218.  
  219. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014a7d2, length: 0x00000028"
  220.  
  221.  
  222. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014a9ab, length: 0x00000028"
  223.  
  224.  
  225. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014ab9e, length: 0x00000028"
  226.  
  227.  
  228. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014ad68, length: 0x00000028"
  229.  
  230.  
  231. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014af85, length: 0x00000028"
  232.  
  233.  
  234. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014b166, length: 0x00000028"
  235.  
  236.  
  237. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014b3a4, length: 0x00000028"
  238.  
  239.  
  240. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014b573, length: 0x00000028"
  241.  
  242.  
  243. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014b758, length: 0x00000028"
  244.  
  245.  
  246. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014b964, length: 0x00000027"
  247.  
  248.  
  249. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014bb6e, length: 0x00000028"
  250.  
  251.  
  252. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014bd4c, length: 0x00000029"
  253.  
  254.  
  255. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014bf42, length: 0x00000028"
  256.  
  257.  
  258. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014c128, length: 0x00000027"
  259.  
  260.  
  261. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014c32e, length: 0x00000028"
  262.  
  263.  
  264. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014c52c, length: 0x00000028"
  265.  
  266.  
  267. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014c6fc, length: 0x00000028"
  268.  
  269.  
  270. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014c8f2, length: 0x00000028"
  271.  
  272.  
  273. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014caf3, length: 0x00000028"
  274.  
  275.  
  276. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014ccfa, length: 0x00000027"
  277.  
  278.  
  279. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014ceda, length: 0x00000029"
  280.  
  281.  
  282. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014d0b7, length: 0x00000028"
  283.  
  284.  
  285. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014d285, length: 0x00000028"
  286.  
  287.  
  288. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014d455, length: 0x00000028"
  289.  
  290.  
  291. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014d647, length: 0x00000027"
  292.  
  293.  
  294. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014d818, length: 0x00000028"
  295.  
  296.  
  297. "self_read": "process: NetWire_43d31275989308a86e53a1f91f180078.exe, pid: 1948, offset: 0x0014d9fd, length: 0x0000001b"
  298.  
  299.  
  300. "self_read": "process: wscript.exe, pid: 2644, offset: 0x00000000, length: 0x00000040"
  301.  
  302.  
  303. "self_read": "process: wscript.exe, pid: 2644, offset: 0x000000f0, length: 0x00000018"
  304.  
  305.  
  306. "self_read": "process: wscript.exe, pid: 2644, offset: 0x000001e8, length: 0x00000078"
  307.  
  308.  
  309. "self_read": "process: wscript.exe, pid: 2644, offset: 0x00018000, length: 0x00000020"
  310.  
  311.  
  312. "self_read": "process: wscript.exe, pid: 2644, offset: 0x00018058, length: 0x00000018"
  313.  
  314.  
  315. "self_read": "process: wscript.exe, pid: 2644, offset: 0x000181a8, length: 0x00000018"
  316.  
  317.  
  318. "self_read": "process: wscript.exe, pid: 2644, offset: 0x00018470, length: 0x00000010"
  319.  
  320.  
  321. "self_read": "process: wscript.exe, pid: 2644, offset: 0x00018640, length: 0x00000012"
  322.  
  323.  
  324.  
  325.  
  326. "Description": "A process created a hidden window",
  327. "Details":
  328.  
  329. "Process": "RegSvcs.exe -> "
  330.  
  331.  
  332.  
  333.  
  334. "Description": "Drops a binary and executes it",
  335. "Details":
  336.  
  337. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe"
  338.  
  339.  
  340.  
  341.  
  342. "Description": "Executed a process and injected code into it, probably while unpacking: pxa.exe (PID 2428) started RegSvcs.exe, a legitimate .NET Framework utility, and wrote code into it; RegSvcs.exe is also the process that created the hidden window above, so it is the most likely host of the NetWire payload in this run",
  343. "Details":
  344.  
  345. "Injection": "pxa.exe(2428) -> RegSvcs.exe(2020)"
  346.  
  347.  
  348.  
  349.  
  350. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  351. "Details":
  352.  
  353. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 12492414 times (note: services.exe PID 500 is a core Windows process, not one spawned by the sample, so this hit is most likely an artefact of the sandbox hooking system processes rather than anti-analysis behaviour of the malware; do not treat it as an indicator)"
  354.  
  355.  
  356.  
  357.  
  358. "Description": "Steals private information from local Internet browsers (the read of Chrome's \"Login Data\" database is the clear credential-theft indicator; the IE History.IE5\\index.dat accesses, which also appear under Modified Files, can be a side effect of ordinary WinINet use and are weaker evidence on their own)",
  359. "Details":
  360.  
  361. "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat"
  362.  
  363.  
  364. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  365.  
  366.  
  367.  
  368.  
  369. "Description": "Installs itself for autorun at Windows startup (HKLM Run value named \"WindowsUpdate\" to blend in with legitimate entries; its data re-launches pxa.exe with NNX_IG~1, which appears to be the 8.3 short name of the dropped file \"nnx=igd\" that was passed on the initial pxa.exe command line)",
  370. "Details":
  371.  
  372. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate"
  373.  
  374.  
  375. "data": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\NNX_IG~1"
  376.  
  377.  
  378.  
  379.  
  380. "Description": "Creates a hidden or system file (the files dropped under Temp\\21831356 carry decoy extensions such as .ppt, .ico, .mp3 and .docx; together with the __tmp_rar_sfx_access_check marker under Modified Files and the RARAutorun / AutoIt detection names below, this is consistent with a RAR SFX unpacking an AutoIt-based loader, pxa.exe, plus its script and data files)",
  381. "Details":
  382.  
  383. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe"
  384.  
  385.  
  386. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\avf.ppt"
  387.  
  388.  
  389. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bcd.ico"
  390.  
  391.  
  392. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bot.bmp"
  393.  
  394.  
  395. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bpr.xl"
  396.  
  397.  
  398. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\buh.bmp"
  399.  
  400.  
  401. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bvw.bmp"
  402.  
  403.  
  404. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\des.docx"
  405.  
  406.  
  407. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\drr.txt"
  408.  
  409.  
  410. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ebe.mp3"
  411.  
  412.  
  413. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\gfa.docx"
  414.  
  415.  
  416. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ggr.icm"
  417.  
  418.  
  419. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ghp.mp4"
  420.  
  421.  
  422. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\gsb.mp3"
  423.  
  424.  
  425. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hfi.xl"
  426.  
  427.  
  428. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hig.ico"
  429.  
  430.  
  431. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hpa.ico"
  432.  
  433.  
  434. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hvt.mp3"
  435.  
  436.  
  437. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ijg.ico"
  438.  
  439.  
  440. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ixo.jpg"
  441.  
  442.  
  443. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jqu.mp3"
  444.  
  445.  
  446. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jrm.xl"
  447.  
  448.  
  449. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jxf.mp4"
  450.  
  451.  
  452. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\lwa.dat"
  453.  
  454.  
  455. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\mnp.mp4"
  456.  
  457.  
  458. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\mtg.txt"
  459.  
  460.  
  461. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ngk.ico"
  462.  
  463.  
  464. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\nnx=igd"
  465.  
  466.  
  467. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\nuu.jpg"
  468.  
  469.  
  470. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\oro.ico"
  471.  
  472.  
  473. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ouo.vbs"
  474.  
  475.  
  476. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pwx.xl"
  477.  
  478.  
  479. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rkg.ico"
  480.  
  481.  
  482. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rmr.bmp"
  483.  
  484.  
  485. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rrp.jpg"
  486.  
  487.  
  488. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\siu.txt"
  489.  
  490.  
  491. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\sjj.pdf"
  492.  
  493.  
  494. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\smt.pdf"
  495.  
  496.  
  497. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\sof.xl"
  498.  
  499.  
  500. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\tjk.xl"
  501.  
  502.  
  503. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\tuo.ico"
  504.  
  505.  
  506. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\txp.ico"
  507.  
  508.  
  509. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ucc.txt"
  510.  
  511.  
  512. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\uke.icm"
  513.  
  514.  
  515. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\uvi.mp3"
  516.  
  517.  
  518. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vld.icm"
  519.  
  520.  
  521. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vlw.mp3"
  522.  
  523.  
  524. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vow.docx"
  525.  
  526.  
  527. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\wme.dat"
  528.  
  529.  
  530. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\xen.docx"
  531.  
  532.  
  533. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356"
  534.  
  535.  
  536.  
  537.  
  538. "Description": "File has been identified by 22 Antiviruses on VirusTotal as malicious",
  539. "Details":
  540.  
  541. "McAfee": "Artemis!43D312759893"
  542.  
  543.  
  544. "AegisLab": "Trojan.Multi.Generic.4!c"
  545.  
  546.  
  547. "K7GW": "Riskware ( 0040eff71 )"
  548.  
  549.  
  550. "K7AntiVirus": "Riskware ( 0040eff71 )"
  551.  
  552.  
  553. "Invincea": "heuristic"
  554.  
  555.  
  556. "Symantec": "Trojan Horse"
  557.  
  558.  
  559. "APEX": "Malicious"
  560.  
  561.  
  562. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
  563.  
  564.  
  565. "Alibaba": "Trojan:Win32/Starter.ali2000005"
  566.  
  567.  
  568. "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.tc"
  569.  
  570.  
  571. "FireEye": "Generic.mg.43d31275989308a8"
  572.  
  573.  
  574. "MAX": "malware (ai score=96)"
  575.  
  576.  
  577. "Endgame": "malicious (high confidence)"
  578.  
  579.  
  580. "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
  581.  
  582.  
  583. "Microsoft": "Trojan:AutoIt/Wiausf.AC!MTB"
  584.  
  585.  
  586. "AhnLab-V3": "Trojan/Win32.RL_Agent.R273974"
  587.  
  588.  
  589. "Zoner": "Probably RARAutorun"
  590.  
  591.  
  592. "ESET-NOD32": "Win32/Injector.Autoit.EDS"
  593.  
  594.  
  595. "AVG": "FileRepMetagen Malware"
  596.  
  597.  
  598. "Cybereason": "malicious.a5a10a"
  599.  
  600.  
  601. "Paloalto": "generic.ml"
  602.  
  603.  
  604. "CrowdStrike": "win/malicious_confidence_70% (W)"
  605.  
  606.  
  607.  
  608.  
  609. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  610. "Details":
  611.  
  612.  
  613. "Description": "Harvests information related to installed mail clients",
  614. "Details":
  615.  
  616. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  617.  
  618.  
  619. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  620.  
  621.  
  622. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  623.  
  624.  
  625. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  626.  
  627.  
  628. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  629.  
  630.  
  631. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  632.  
  633.  
  634. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  635.  
  636.  
  637.  
  638.  
  639.  
  640. * Started Service:
  641. "VaultSvc",
  642. "WerSvc",
  643. "W32Time"
  644.  
  645.  
  646. * Mutexes:
  647. "DefaultTabtip-MainUI",
  648. "CicLoadWinStaWinSta0",
  649. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  650. "Local\\ZoneAttributeCacheCounterMutex",
  651. "Local\\ZonesCacheCounterMutex",
  652. "Local\\ZonesLockedCacheCounterMutex",
  653. "-",
  654. "Local\\WERReportingForProcess380",
  655. "Global\\\\xe5\\x88\\x90\\xc2\\x8f",
  656. "Global\\\\xed\\x95\\xb0\\xc7\\x8a",
  657. "WERUI_BEX64-42c345fcd81471f41bc2fed99624a23f3ee315c"
  658.  
  659.  
  660. * Modified Files:
  661. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\__tmp_rar_sfx_access_check_13422046",
  662. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jrm.xl",
  663. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\nnx=igd",
  664. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ouo.vbs",
  665. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe",
  666. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\siu.txt",
  667. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\gfa.docx",
  668. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ebe.mp3",
  669. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ngk.ico",
  670. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rmr.bmp",
  671. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bcd.ico",
  672. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\tjk.xl",
  673. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vlw.mp3",
  674. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\avf.ppt",
  675. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bvw.bmp",
  676. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bot.bmp",
  677. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\uvi.mp3",
  678. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\mnp.mp4",
  679. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ijg.ico",
  680. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\oro.ico",
  681. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\smt.pdf",
  682. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vow.docx",
  683. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hig.ico",
  684. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\sjj.pdf",
  685. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rrp.jpg",
  686. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\tuo.ico",
  687. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jqu.mp3",
  688. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\drr.txt",
  689. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hpa.ico",
  690. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\gsb.mp3",
  691. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\wme.dat",
  692. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hvt.mp3",
  693. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ggr.icm",
  694. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\mtg.txt",
  695. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pwx.xl",
  696. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vld.icm",
  697. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\des.docx",
  698. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rkg.ico",
  699. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bpr.xl",
  700. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ixo.jpg",
  701. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\uke.icm",
  702. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jxf.mp4",
  703. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ghp.mp4",
  704. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\txp.ico",
  705. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\sof.xl",
  706. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\xen.docx",
  707. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\nuu.jpg",
  708. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\lwa.dat",
  709. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ucc.txt",
  710. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hfi.xl",
  711. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\buh.bmp",
  712. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\BSOED",
  713. "\\??\\PIPE\\wkssvc",
  714. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  715. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
  716. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\History.IE5\\index.dat",
  717. "C:\\Users\\user\\AppData\\Local\\Temp\\WmM4O6.bat",
  718. "C:\\Windows\\sysnative\\LogFiles\\Scm\\2ce1541b-c7b1-4ba0-8974-722d18a3c54d",
  719. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
  720. "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
  721. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4e6828f4-11de-47bf-b7df-2249f4bdea4e",
  722. "\\??\\PIPE\\lsarpc",
  723. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB5AB.tmp.appcompat.txt",
  724. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB9F2.tmp.WERInternalMetadata.xml",
  725. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBA22.tmp.hdmp",
  726. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC270.tmp.mdmp",
  727. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\WERB5AB.tmp.appcompat.txt",
  728. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\WERB9F2.tmp.WERInternalMetadata.xml",
  729. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\WERBA22.tmp.hdmp",
  730. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\WERC270.tmp.mdmp",
  731. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\Report.wer",
  732. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\Report.wer.tmp"
  733.  
  734.  
  735. * Deleted Files:
  736. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\__tmp_rar_sfx_access_check_13422046",
  737. "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\BSOED",
  738. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB5AB.tmp",
  739. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB5AB.tmp.appcompat.txt",
  740. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB9F2.tmp",
  741. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB9F2.tmp.WERInternalMetadata.xml",
  742. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBA22.tmp",
  743. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBA22.tmp.hdmp",
  744. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC270.tmp",
  745. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC270.tmp.mdmp",
  746. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\Report.wer.tmp"
  747.  
  748.  
  749. * Modified Registry Keys:
  750. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  751. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  752. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  753. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
  754. "HKEY_CURRENT_USER\\SOFTWARE\\NetWire",
  755. "HKEY_CURRENT_USER\\Software\\NetWire\\HostId",
  756. "HKEY_CURRENT_USER\\Software\\NetWire\\Install Date",
  757. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
  758. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  759. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
  760. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
  761. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
  762.  
  763.  
  764. * Deleted Registry Keys:
  765. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  766. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  767. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  768. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  769.  
  770.  
  771. * DNS Communications: (none recorded; every network section below is empty for this run, so no C2 indicators were captured. This may reflect the possible date-expiration check noted above or a sandbox without outbound connectivity, and should not be read as the sample lacking C2 capability)
  772.  
  773. * Domains:
  774.  
  775. * Network Communication - ICMP:
  776.  
  777. * Network Communication - HTTP:
  778.  
  779. * Network Communication - SMTP:
  780.  
  781. * Network Communication - Hosts:
  782.  
  783. * Network Communication - IRC: