paladin316

2343Exes_5ac69ed046e3036e468ac4873dc803dc_exe_2019-09-18_19_30.txt

Sep 18th, 2019
  1.  
  2. * ID: 2343
  3. * MalFamily: ""
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_5ac69ed046e3036e468ac4873dc803dc.exe"
  8. * File Size: 378880
  9. * File Type: "MS-DOS executable"
  10. * SHA256: "fe9c6f1dc92613fa807829605b585267e545f8d27a2c41b210aa175a4d651368"
  11. * MD5: "5ac69ed046e3036e468ac4873dc803dc"
  12. * SHA1: "8a286658747b17f38a62c08413e7d09d090f0366"
  13. * SHA512: "0b56688b2775c0b76b05d27150fb8ac47f8dddf049270ddd8f84cb8ce32d83f9e89e6fea11d9af948aaf2170b9f90dcc4570cd7d9590fa1f065ad4afc6028e28"
  14. * CRC32: "2B91177E"
  15. * SSDEEP: "6144:gKWw79GUs8uTCDBNFDAeHsgLyQmP5Mdu6s16lGGxk5OaH09KQJmehrY:giPOC8eHpLyJe1lVKjVQne"
  16.  
  17. * Process Execution:
  18. "rJGOa6i3.exe",
  19. "cmd.exe",
  20. "taskkill.exe",
  21. "cmd.exe",
  22. "taskkill.exe",
  23. "cmd.exe",
  24. "taskkill.exe",
  25. "cmd.exe",
  26. "taskkill.exe",
  27. "cmd.exe",
  28. "taskkill.exe",
  29. "cmd.exe",
  30. "taskkill.exe",
  31. "cmd.exe",
  32. "taskkill.exe",
  33. "cmd.exe",
  34. "taskkill.exe",
  35. "cmd.exe",
  36. "taskkill.exe",
  37. "cmd.exe",
  38. "taskkill.exe",
  39. "cmd.exe",
  40. "taskkill.exe",
  41. "cmd.exe",
  42. "taskkill.exe",
  43. "cmd.exe",
  44. "taskkill.exe",
  45. "cmd.exe",
  46. "cmd.exe",
  47. "cmd.exe",
  48. "taskkill.exe",
  49. "cmd.exe",
  50. "taskkill.exe",
  51. "cmd.exe",
  52. "cmd.exe",
  53. "cmd.exe",
  54. "taskkill.exe",
  55. "cmd.exe",
  56. "cmd.exe",
  57. "cmd.exe",
  58. "taskkill.exe",
  59. "cmd.exe",
  60. "cmd.exe",
  61. "cmd.exe",
  62. "taskkill.exe",
  63. "cmd.exe",
  64. "cmd.exe",
  65. "cmd.exe",
  66. "taskkill.exe",
  67. "cmd.exe",
  68. "cmd.exe",
  69. "taskkill.exe",
  70. "cmd.exe",
  71. "cmd.exe",
  72. "svchost.exe",
  73. "svchost.exe"
  74.  
  75.  
  76. * Executed Commands:
  77. "cmd /c taskkill /f /im SQLAGENTSZW.exe",
  78. "cmd /c taskkill /f /im SQLAGENTSLW.exe",
  79. "cmd /c taskkill /f /im SQLAGENTSKW.exe",
  80. "cmd /c taskkill /f /im SQLAGENTSJW.exe",
  81. "cmd /c taskkill /f /im SQLAGENTSHW.exe",
  82. "cmd /c taskkill /f /im SQLAGENTSGW.exe",
  83. "cmd /c taskkill /f /im SQLAGENTSFW.exe",
  84. "cmd /c taskkill /f /im SQLAGENTSEW.exe",
  85. "cmd /c taskkill /f /im SQLAGENTSDW.exe",
  86. "cmd /c taskkill /f /im SQLAGENTSCW.exe",
  87. "cmd /c taskkill /f /im SQLAGENTSBW.exe",
  88. "cmd /c taskkill /f /im SQLAGENTSAW.exe",
  89. "cmd /c taskkill /f /im taskmgzr.exe",
  90. "cmd /c del /f /a /q C:\\ProgramData\\taskmgzr.exe",
  91. "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe",
  92. "cmd /c taskkill /f /im ftp.exe",
  93. "cmd /c taskkill /f /im p.exe",
  94. "cmd /c del /f /a /q C:\\ProgramData\\winsql.dat",
  95. "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat",
  96. "cmd /c taskkill /f /im TQQ.exe",
  97. "cmd /c del /f /a /q C:\\ProgramData\\TQQ.exe",
  98. "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe",
  99. "cmd /c taskkill /f /im down.exe",
  100. "cmd /c del /f /a /q C:\\ProgramData\\down.exe",
  101. "cmd /c del /f /a /q C:\\RECYCLER\\down.exe",
  102. "cmd /c taskkill /f /im MpMgSvc.dll",
  103. "cmd /c del /f /a /q C:\\ProgramData\\MpMgSvc.dll",
  104. "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll",
  105. "cmd /c taskkill /f /im MS17.exe",
  106. "cmd /c del /f /a /q C:\\ProgramData\\MS17.exe",
  107. "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe",
  108. "cmd /c taskkill /f /im MSSQLL.exe",
  109. "cmd /c del /f /a /q C:\\ProgramData\\MSSQLL.exe",
  110. "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe",
  111. "cmd /c taskkill /f /im TrustedInsteller.exe",
  112. "cmd /c del /f /a /q C:\\ProgramData\\TrustedInsteller.exe",
  113. "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe",
  114. "cmd /c taskkill /f /im TQ.exe",
  115. "cmd /c del /f /a /q C:\\ProgramData\\TQ.exe",
  116. "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe",
  117. "cmd /c taskkill /f /im ab2.exe",
  118. "cmd /c del /f /a /q C:\\ProgramData\\ab2.exe",
  119. "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe",
  120. "cmd /c taskkill /f /im ab1.exe",
  121. "cmd /c del /f /a /q C:\\ProgramData\\ab1.exe",
  122. "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe",
  123. "cmd /c taskkill /f /im winxmr.exe",
  124. "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe",
  125. "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe",
  126. "cmd /c taskkill /f /im Rnaphin.exe",
  127. "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe",
  128. "taskkill /f /im SQLAGENTSZW.exe",
  129. "taskkill /f /im SQLAGENTSLW.exe",
  130. "taskkill /f /im SQLAGENTSKW.exe",
  131. "taskkill /f /im SQLAGENTSJW.exe",
  132. "taskkill /f /im SQLAGENTSHW.exe",
  133. "taskkill /f /im SQLAGENTSGW.exe",
  134. "taskkill /f /im SQLAGENTSFW.exe",
  135. "taskkill /f /im SQLAGENTSEW.exe",
  136. "taskkill /f /im SQLAGENTSDW.exe",
  137. "taskkill /f /im SQLAGENTSCW.exe",
  138. "taskkill /f /im SQLAGENTSBW.exe",
  139. "taskkill /f /im SQLAGENTSAW.exe",
  140. "taskkill /f /im taskmgzr.exe",
  141. "taskkill /f /im ftp.exe",
  142. "taskkill /f /im p.exe",
  143. "taskkill /f /im TQQ.exe",
  144. "taskkill /f /im down.exe",
  145. "taskkill /f /im MpMgSvc.dll",
  146. "taskkill /f /im MS17.exe",
  147. "taskkill /f /im MSSQLL.exe"
  148.  
  149.  
  150. * Signatures Detected:
  151.  
  152. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  153. "Details":
  154.  
  155.  
  156. "Description": "Behavioural detection: Executable code extraction",
  157. "Details":
  158.  
  159.  
  160. "Description": "Executed a command line with the /C or /R argument to terminate the command shell on completion, which can be used to hide execution",
  161. "Details":
  162.  
  163. "command": "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe"
  164.  
  165.  
  166. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat"
  167.  
  168.  
  169. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe"
  170.  
  171.  
  172. "command": "cmd /c del /f /a /q C:\\RECYCLER\\down.exe"
  173.  
  174.  
  175. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll"
  176.  
  177.  
  178. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe"
  179.  
  180.  
  181. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe"
  182.  
  183.  
  184. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe"
  185.  
  186.  
  187. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe"
  188.  
  189.  
  190. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe"
  191.  
  192.  
  193. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe"
  194.  
  195.  
  196. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
  197.  
  198.  
  199. "command": "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
  200.  
  201.  
  202.  
  203.  
  204. "Description": "Anomalous file deletion behavior detected (10+)",
  205. "Details":
  206.  
  207. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSZW.exe"
  208.  
  209.  
  210. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSLW.exe"
  211.  
  212.  
  213. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSKW.exe"
  214.  
  215.  
  216. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSJW.exe"
  217.  
  218.  
  219. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSHW.exe"
  220.  
  221.  
  222. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSGW.exe"
  223.  
  224.  
  225. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSFW.exe"
  226.  
  227.  
  228. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSDW.exe"
  229.  
  230.  
  231. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSCW.exe"
  232.  
  233.  
  234. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSBW.exe"
  235.  
  236.  
  237. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSAW.exe"
  238.  
  239.  
  240. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\AutoRunApp.vbs"
  241.  
  242.  
  243. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs"
  244.  
  245.  
  246. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\config.json"
  247.  
  248.  
  249. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt"
  250.  
  251.  
  252. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\NVDIA_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt"
  253.  
  254.  
  255. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\AMD_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt"
  256.  
  257.  
  258. "DeletedFile": "C:\\ProgramData\\taskmgzr.exe"
  259.  
  260.  
  261. "DeletedFile": "C:\\RECYCLER\\taskmgzr.exe"
  262.  
  263.  
  264. "DeletedFile": "C:\\ProgramData\\winsql.dat"
  265.  
  266.  
  267. "DeletedFile": "C:\\RECYCLER\\winsql.dat"
  268.  
  269.  
  270. "DeletedFile": "C:\\ProgramData\\winsql.dat"
  271.  
  272.  
  273. "DeletedFile": "C:\\RECYCLER\\winsql.dat"
  274.  
  275.  
  276. "DeletedFile": "C:\\ProgramData\\TQQ.exe"
  277.  
  278.  
  279. "DeletedFile": "C:\\RECYCLER\\TQQ.exe"
  280.  
  281.  
  282. "DeletedFile": "C:\\ProgramData\\down.exe"
  283.  
  284.  
  285. "DeletedFile": "C:\\RECYCLER\\down.exe"
  286.  
  287.  
  288. "DeletedFile": "C:\\ProgramData\\MpMgSvc.dll"
  289.  
  290.  
  291. "DeletedFile": "C:\\RECYCLER\\MpMgSvc.dll"
  292.  
  293.  
  294. "DeletedFile": "C:\\ProgramData\\MS17.exe"
  295.  
  296.  
  297. "DeletedFile": "C:\\RECYCLER\\MS17.exe"
  298.  
  299.  
  300. "DeletedFile": "C:\\ProgramData\\MSSQLL.exe"
  301.  
  302.  
  303. "DeletedFile": "C:\\RECYCLER\\MSSQLL.exe"
  304.  
  305.  
  306. "DeletedFile": "C:\\ProgramData\\TrustedInsteller.exe"
  307.  
  308.  
  309. "DeletedFile": "C:\\RECYCLER\\TrustedInsteller.exe"
  310.  
  311.  
  312. "DeletedFile": "C:\\ProgramData\\TQ.exe"
  313.  
  314.  
  315. "DeletedFile": "C:\\RECYCLER\\TQ.exe"
  316.  
  317.  
  318. "DeletedFile": "C:\\ProgramData\\ab2.exe"
  319.  
  320.  
  321. "DeletedFile": "C:\\RECYCLER\\ab2.exe"
  322.  
  323.  
  324. "DeletedFile": "C:\\ProgramData\\ab1.exe"
  325.  
  326.  
  327. "DeletedFile": "C:\\RECYCLER\\ab1.exe"
  328.  
  329.  
  330. "DeletedFile": "C:\\ProgramData\\winxmr.exe"
  331.  
  332.  
  333. "DeletedFile": "C:\\RECYCLER\\winxmr.exe"
  334.  
  335.  
  336. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
  337.  
  338.  
  339. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
  340.  
  341.  
  342.  
  343.  
  344.  
  345.  
  346.  
  347.  
  348. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempsysermad.exe"
  349.  
  350.  
  351. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempXMRig.exe"
  352.  
  353.  
  354. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempXMR.exe"
  355.  
  356.  
  357. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temptaobao.exe"
  358.  
  359.  
  360. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempchrom.exe"
  361.  
  362.  
  363. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempchromes.exe"
  364.  
  365.  
  366. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempMiner.exe"
  367.  
  368.  
  369. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempm6.exe"
  370.  
  371.  
  372. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempm7.exe"
  373.  
  374.  
  375. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempmyssssql.exe"
  376.  
  377.  
  378. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temptaskmgr.exe"
  379.  
  380.  
  381. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempcpu.exe"
  382.  
  383.  
  384. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempx6.exe"
  385.  
  386.  
  387. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin64.exe"
  388.  
  389.  
  390. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin32.exe"
  391.  
  392.  
  393. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin64.exe"
  394.  
  395.  
  396. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin32.exe"
  397.  
  398.  
  399. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempvip.exe"
  400.  
  401.  
  402. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempvpn.exe"
  403.  
  404.  
  405. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp370.exe"
  406.  
  407.  
  408. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempaIg.exe"
  409.  
  410.  
  411. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTC.exe"
  412.  
  413.  
  414. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log1.txt"
  415.  
  416.  
  417. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log.txt"
  418.  
  419.  
  420. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTN.exe"
  421.  
  422.  
  423. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\N_log1.txt"
  424.  
  425.  
  426. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\N_log.txt"
  427.  
  428.  
  429. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTA.exe"
  430.  
  431.  
  432. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\A_log1.txt"
  433.  
  434.  
  435. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\A_log.txt"
  436.  
  437.  
  438.  
  439.  
  440. "Description": "Guard pages use detected - possible anti-debugging.",
  441. "Details":
  442.  
  443.  
  444. "Description": "A process attempted to delay the analysis task.",
  445. "Details":
  446.  
  447. "Process": "taskkill.exe tried to sleep 1402 seconds, actually delayed analysis time by 0 seconds"
  448.  
  449.  
  450.  
  451.  
  452. "Description": "Expresses interest in specific running processes",
  453. "Details":
  454.  
  455. "process": "cmd.exe"
  456.  
  457.  
  458.  
  459.  
  460. "Description": "Unconventional language used in binary resources: Chinese (Simplified)",
  461. "Details":
  462.  
  463.  
  464. "Description": "The binary likely contains encrypted or compressed data.",
  465. "Details":
  466.  
  467. "section": "name: .MPRESS1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00056000, virtual_size: 0x0012f000"
  468.  
  469.  
  470.  
  471.  
  472. "Description": "Uses Windows utilities for basic functionality",
  473. "Details":
  474.  
  475. "command": "cmd /c taskkill /f /im SQLAGENTSZW.exe"
  476.  
  477.  
  478. "command": "cmd /c taskkill /f /im SQLAGENTSLW.exe"
  479.  
  480.  
  481. "command": "cmd /c taskkill /f /im SQLAGENTSKW.exe"
  482.  
  483.  
  484. "command": "cmd /c taskkill /f /im SQLAGENTSJW.exe"
  485.  
  486.  
  487. "command": "cmd /c taskkill /f /im SQLAGENTSHW.exe"
  488.  
  489.  
  490. "command": "cmd /c taskkill /f /im SQLAGENTSGW.exe"
  491.  
  492.  
  493. "command": "cmd /c taskkill /f /im SQLAGENTSFW.exe"
  494.  
  495.  
  496. "command": "cmd /c taskkill /f /im SQLAGENTSEW.exe"
  497.  
  498.  
  499. "command": "cmd /c taskkill /f /im SQLAGENTSDW.exe"
  500.  
  501.  
  502. "command": "cmd /c taskkill /f /im SQLAGENTSCW.exe"
  503.  
  504.  
  505. "command": "cmd /c taskkill /f /im SQLAGENTSBW.exe"
  506.  
  507.  
  508. "command": "cmd /c taskkill /f /im SQLAGENTSAW.exe"
  509.  
  510.  
  511. "command": "cmd /c taskkill /f /im taskmgzr.exe"
  512.  
  513.  
  514. "command": "cmd /c del /f /a /q C:\\ProgramData\\taskmgzr.exe"
  515.  
  516.  
  517. "command": "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe"
  518.  
  519.  
  520. "command": "cmd /c taskkill /f /im ftp.exe"
  521.  
  522.  
  523. "command": "cmd /c taskkill /f /im p.exe"
  524.  
  525.  
  526. "command": "cmd /c del /f /a /q C:\\ProgramData\\winsql.dat"
  527.  
  528.  
  529. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat"
  530.  
  531.  
  532. "command": "cmd /c taskkill /f /im TQQ.exe"
  533.  
  534.  
  535. "command": "cmd /c del /f /a /q C:\\ProgramData\\TQQ.exe"
  536.  
  537.  
  538. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe"
  539.  
  540.  
  541. "command": "cmd /c taskkill /f /im down.exe"
  542.  
  543.  
  544. "command": "cmd /c del /f /a /q C:\\ProgramData\\down.exe"
  545.  
  546.  
  547. "command": "cmd /c del /f /a /q C:\\RECYCLER\\down.exe"
  548.  
  549.  
  550. "command": "cmd /c taskkill /f /im MpMgSvc.dll"
  551.  
  552.  
  553. "command": "cmd /c del /f /a /q C:\\ProgramData\\MpMgSvc.dll"
  554.  
  555.  
  556. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll"
  557.  
  558.  
  559. "command": "cmd /c taskkill /f /im MS17.exe"
  560.  
  561.  
  562. "command": "cmd /c del /f /a /q C:\\ProgramData\\MS17.exe"
  563.  
  564.  
  565. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe"
  566.  
  567.  
  568. "command": "cmd /c taskkill /f /im MSSQLL.exe"
  569.  
  570.  
  571. "command": "cmd /c del /f /a /q C:\\ProgramData\\MSSQLL.exe"
  572.  
  573.  
  574. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe"
  575.  
  576.  
  577. "command": "cmd /c taskkill /f /im TrustedInsteller.exe"
  578.  
  579.  
  580. "command": "cmd /c del /f /a /q C:\\ProgramData\\TrustedInsteller.exe"
  581.  
  582.  
  583. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe"
  584.  
  585.  
  586. "command": "cmd /c taskkill /f /im TQ.exe"
  587.  
  588.  
  589. "command": "cmd /c del /f /a /q C:\\ProgramData\\TQ.exe"
  590.  
  591.  
  592. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe"
  593.  
  594.  
  595. "command": "cmd /c taskkill /f /im ab2.exe"
  596.  
  597.  
  598. "command": "cmd /c del /f /a /q C:\\ProgramData\\ab2.exe"
  599.  
  600.  
  601. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe"
  602.  
  603.  
  604. "command": "cmd /c taskkill /f /im ab1.exe"
  605.  
  606.  
  607. "command": "cmd /c del /f /a /q C:\\ProgramData\\ab1.exe"
  608.  
  609.  
  610. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe"
  611.  
  612.  
  613. "command": "cmd /c taskkill /f /im winxmr.exe"
  614.  
  615.  
  616. "command": "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe"
  617.  
  618.  
  619. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
  620.  
  621.  
  622. "command": "cmd /c taskkill /f /im Rnaphin.exe"
  623.  
  624.  
  625. "command": "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
  626.  
  627.  
  628.  
  629.  
  630.  
  631.  
  632.  
  633.  
  634.  
  635.  
  636. "Description": "A cryptomining command was executed",
  637. "Details":
  638.  
  639. "command": "cmd /c taskkill /f /im winxmr.exe"
  640.  
  641.  
  642. "command": "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe"
  643.  
  644.  
  645. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
  646.  
  647.  
  648.  
  649.  
  650. "Description": "Empties the Recycle Bin, indicative of ransomware",
  651. "Details":
  652.  
  653.  
  654. "Description": "Uses suspicious command line tools or Windows utilities",
  655. "Details":
  656.  
  657. "command": "cmd /c taskkill /f /im SQLAGENTSZW.exe"
  658.  
  659.  
  660. "command": "cmd /c taskkill /f /im SQLAGENTSLW.exe"
  661.  
  662.  
  663. "command": "cmd /c taskkill /f /im SQLAGENTSKW.exe"
  664.  
  665.  
  666. "command": "cmd /c taskkill /f /im SQLAGENTSJW.exe"
  667.  
  668.  
  669. "command": "cmd /c taskkill /f /im SQLAGENTSHW.exe"
  670.  
  671.  
  672. "command": "cmd /c taskkill /f /im SQLAGENTSGW.exe"
  673.  
  674.  
  675. "command": "cmd /c taskkill /f /im SQLAGENTSFW.exe"
  676.  
  677.  
  678. "command": "cmd /c taskkill /f /im SQLAGENTSEW.exe"
  679.  
  680.  
  681. "command": "cmd /c taskkill /f /im SQLAGENTSDW.exe"
  682.  
  683.  
  684. "command": "cmd /c taskkill /f /im SQLAGENTSCW.exe"
  685.  
  686.  
  687. "command": "cmd /c taskkill /f /im SQLAGENTSBW.exe"
  688.  
  689.  
  690. "command": "cmd /c taskkill /f /im SQLAGENTSAW.exe"
  691.  
  692.  
  693. "command": "cmd /c taskkill /f /im taskmgzr.exe"
  694.  
  695.  
  696. "command": "cmd /c del /f /a /q C:\\ProgramData\\taskmgzr.exe"
  697.  
  698.  
  699. "command": "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe"
  700.  
  701.  
  702. "command": "cmd /c taskkill /f /im ftp.exe"
  703.  
  704.  
  705. "command": "cmd /c taskkill /f /im p.exe"
  706.  
  707.  
  708. "command": "cmd /c del /f /a /q C:\\ProgramData\\winsql.dat"
  709.  
  710.  
  711. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat"
  712.  
  713.  
  714. "command": "cmd /c taskkill /f /im TQQ.exe"
  715.  
  716.  
  717. "command": "cmd /c del /f /a /q C:\\ProgramData\\TQQ.exe"
  718.  
  719.  
  720. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe"
  721.  
  722.  
  723. "command": "cmd /c taskkill /f /im down.exe"
  724.  
  725.  
  726. "command": "cmd /c del /f /a /q C:\\ProgramData\\down.exe"
  727.  
  728.  
  729. "command": "cmd /c del /f /a /q C:\\RECYCLER\\down.exe"
  730.  
  731.  
  732. "command": "cmd /c taskkill /f /im MpMgSvc.dll"
  733.  
  734.  
  735. "command": "cmd /c del /f /a /q C:\\ProgramData\\MpMgSvc.dll"
  736.  
  737.  
  738. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll"
  739.  
  740.  
  741. "command": "cmd /c taskkill /f /im MS17.exe"
  742.  
  743.  
  744. "command": "cmd /c del /f /a /q C:\\ProgramData\\MS17.exe"
  745.  
  746.  
  747. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe"
  748.  
  749.  
  750. "command": "cmd /c taskkill /f /im MSSQLL.exe"
  751.  
  752.  
  753. "command": "cmd /c del /f /a /q C:\\ProgramData\\MSSQLL.exe"
  754.  
  755.  
  756. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe"
  757.  
  758.  
  759. "command": "cmd /c taskkill /f /im TrustedInsteller.exe"
  760.  
  761.  
  762. "command": "cmd /c del /f /a /q C:\\ProgramData\\TrustedInsteller.exe"
  763.  
  764.  
  765. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe"
  766.  
  767.  
  768. "command": "cmd /c taskkill /f /im TQ.exe"
  769.  
  770.  
  771. "command": "cmd /c del /f /a /q C:\\ProgramData\\TQ.exe"
  772.  
  773.  
  774. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe"
  775.  
  776.  
  777. "command": "cmd /c taskkill /f /im ab2.exe"
  778.  
  779.  
  780. "command": "cmd /c del /f /a /q C:\\ProgramData\\ab2.exe"
  781.  
  782.  
  783. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe"
  784.  
  785.  
  786. "command": "cmd /c taskkill /f /im ab1.exe"
  787.  
  788.  
  789. "command": "cmd /c del /f /a /q C:\\ProgramData\\ab1.exe"
  790.  
  791.  
  792. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe"
  793.  
  794.  
  795. "command": "cmd /c taskkill /f /im winxmr.exe"
  796.  
  797.  
  798. "command": "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe"
  799.  
  800.  
  801. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
  802.  
  803.  
  804. "command": "cmd /c taskkill /f /im Rnaphin.exe"
  805.  
  806.  
  807. "command": "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
  808.  
  809.  
  810.  
  811.  
  812.  
  813.  
  814.  
  815.  
  816. "command": "taskkill /f /im SQLAGENTSZW.exe"
  817.  
  818.  
  819. "command": "taskkill /f /im SQLAGENTSLW.exe"
  820.  
  821.  
  822. "command": "taskkill /f /im SQLAGENTSKW.exe"
  823.  
  824.  
  825. "command": "taskkill /f /im SQLAGENTSJW.exe"
  826.  
  827.  
  828. "command": "taskkill /f /im SQLAGENTSHW.exe"
  829.  
  830.  
  831. "command": "taskkill /f /im SQLAGENTSGW.exe"
  832.  
  833.  
  834. "command": "taskkill /f /im SQLAGENTSFW.exe"
  835.  
  836.  
  837. "command": "taskkill /f /im SQLAGENTSEW.exe"
  838.  
  839.  
  840. "command": "taskkill /f /im SQLAGENTSDW.exe"
  841.  
  842.  
  843. "command": "taskkill /f /im SQLAGENTSCW.exe"
  844.  
  845.  
  846. "command": "taskkill /f /im SQLAGENTSBW.exe"
  847.  
  848.  
  849. "command": "taskkill /f /im SQLAGENTSAW.exe"
  850.  
  851.  
  852. "command": "taskkill /f /im taskmgzr.exe"
  853.  
  854.  
  855. "command": "taskkill /f /im ftp.exe"
  856.  
  857.  
  858. "command": "taskkill /f /im p.exe"
  859.  
  860.  
  861. "command": "taskkill /f /im TQQ.exe"
  862.  
  863.  
  864. "command": "taskkill /f /im down.exe"
  865.  
  866.  
  867. "command": "taskkill /f /im MpMgSvc.dll"
  868.  
  869.  
  870. "command": "taskkill /f /im MS17.exe"
  871.  
  872.  
  873. "command": "taskkill /f /im MSSQLL.exe"
  874.  
  875.  
  876.  
  877.  
  878.  
  879. * Started Service:
  880.  
  881. * Mutexes:
  882.  
  883. * Modified Files:
  884.  
  885. * Deleted Files:
  886. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSZW.exe",
  887. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSLW.exe",
  888. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSKW.exe",
  889. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSJW.exe",
  890. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSHW.exe",
  891. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSGW.exe",
  892. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSFW.exe",
  893. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSDW.exe",
  894. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSCW.exe",
  895. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSBW.exe",
  896. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSAW.exe",
  897. "C:\\Users\\user\\AppData\\Local\\Temp\\AutoRunApp.vbs",
  898. "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs",
  899. "C:\\Users\\user\\AppData\\Local\\Temp\\config.json",
  900. "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt",
  901. "C:\\Users\\user\\AppData\\Local\\Temp\\NVDIA_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt",
  902. "C:\\Users\\user\\AppData\\Local\\Temp\\AMD_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt",
  903. "C:\\ProgramData\\taskmgzr.exe",
  904. "C:\\RECYCLER\\taskmgzr.exe",
  905. "C:\\ProgramData\\winsql.dat",
  906. "C:\\RECYCLER\\winsql.dat",
  907. "C:\\ProgramData\\TQQ.exe",
  908. "C:\\RECYCLER\\TQQ.exe",
  909. "C:\\ProgramData\\down.exe",
  910. "C:\\RECYCLER\\down.exe",
  911. "C:\\ProgramData\\MpMgSvc.dll",
  912. "C:\\RECYCLER\\MpMgSvc.dll",
  913. "C:\\ProgramData\\MS17.exe",
  914. "C:\\RECYCLER\\MS17.exe",
  915. "C:\\ProgramData\\MSSQLL.exe",
  916. "C:\\RECYCLER\\MSSQLL.exe",
  917. "C:\\ProgramData\\TrustedInsteller.exe",
  918. "C:\\RECYCLER\\TrustedInsteller.exe",
  919. "C:\\ProgramData\\TQ.exe",
  920. "C:\\RECYCLER\\TQ.exe",
  921. "C:\\ProgramData\\ab2.exe",
  922. "C:\\RECYCLER\\ab2.exe",
  923. "C:\\ProgramData\\ab1.exe",
  924. "C:\\RECYCLER\\ab1.exe",
  925. "C:\\ProgramData\\winxmr.exe",
  926. "C:\\RECYCLER\\winxmr.exe",
  927. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe",
  928. "C:\\Users\\user\\AppData\\Local\\Tempsysermad.exe",
  929. "C:\\Users\\user\\AppData\\Local\\TempXMRig.exe",
  930. "C:\\Users\\user\\AppData\\Local\\TempXMR.exe",
  931. "C:\\Users\\user\\AppData\\Local\\Temptaobao.exe",
  932. "C:\\Users\\user\\AppData\\Local\\Tempchrom.exe",
  933. "C:\\Users\\user\\AppData\\Local\\Tempchromes.exe",
  934. "C:\\Users\\user\\AppData\\Local\\TempMiner.exe",
  935. "C:\\Users\\user\\AppData\\Local\\Tempm6.exe",
  936. "C:\\Users\\user\\AppData\\Local\\Tempm7.exe",
  937. "C:\\Users\\user\\AppData\\Local\\Tempmyssssql.exe",
  938. "C:\\Users\\user\\AppData\\Local\\Temptaskmgr.exe",
  939. "C:\\Users\\user\\AppData\\Local\\Tempcpu.exe",
  940. "C:\\Users\\user\\AppData\\Local\\Tempx6.exe",
  941. "C:\\Users\\user\\AppData\\Local\\Tempwin64.exe",
  942. "C:\\Users\\user\\AppData\\Local\\Tempwin32.exe",
  943. "C:\\Users\\user\\AppData\\Local\\Tempvip.exe",
  944. "C:\\Users\\user\\AppData\\Local\\Tempvpn.exe",
  945. "C:\\Users\\user\\AppData\\Local\\Temp370.exe",
  946. "C:\\Users\\user\\AppData\\Local\\TempaIg.exe",
  947. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTC.exe",
  948. "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log1.txt",
  949. "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log.txt",
  950. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTN.exe",
  951. "C:\\Users\\user\\AppData\\Local\\Temp\\N_log1.txt",
  952. "C:\\Users\\user\\AppData\\Local\\Temp\\N_log.txt",
  953. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTA.exe",
  954. "C:\\Users\\user\\AppData\\Local\\Temp\\A_log1.txt",
  955. "C:\\Users\\user\\AppData\\Local\\Temp\\A_log.txt"
  956.  
  957.  
  958. * Modified Registry Keys:
  959.  
  960. * Deleted Registry Keys:
  961.  
  962. * DNS Communications:
  963.  
  964. * Domains:
  965.  
  966. * Network Communication - ICMP:
  967.  
  968. * Network Communication - HTTP:
  969.  
  970. * Network Communication - SMTP:
  971.  
  972. * Network Communication - Hosts:
  973.  
  974. * Network Communication - IRC: