2333Exes_5ac69ed046e3036e468ac4873dc803dc_exe_2019-09-18_19_30.txt

  1.  
  2. * ID: 2333
  3. * MalFamily: ""
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_5ac69ed046e3036e468ac4873dc803dc.exe"
  8. * File Size: 378880
  9. * File Type: "MS-DOS executable"
  10. * SHA256: "fe9c6f1dc92613fa807829605b585267e545f8d27a2c41b210aa175a4d651368"
  11. * MD5: "5ac69ed046e3036e468ac4873dc803dc"
  12. * SHA1: "8a286658747b17f38a62c08413e7d09d090f0366"
  13. * SHA512: "0b56688b2775c0b76b05d27150fb8ac47f8dddf049270ddd8f84cb8ce32d83f9e89e6fea11d9af948aaf2170b9f90dcc4570cd7d9590fa1f065ad4afc6028e28"
  14. * CRC32: "2B91177E"
  15. * SSDEEP: "6144:gKWw79GUs8uTCDBNFDAeHsgLyQmP5Mdu6s16lGGxk5OaH09KQJmehrY:giPOC8eHpLyJe1lVKjVQne"
  16.  
  17. * Process Execution:
  18. "rl8Npxu54.exe",
  19. "cmd.exe",
  20. "taskkill.exe",
  21. "cmd.exe",
  22. "taskkill.exe",
  23. "cmd.exe",
  24. "taskkill.exe",
  25. "cmd.exe",
  26. "taskkill.exe",
  27. "cmd.exe",
  28. "taskkill.exe",
  29. "cmd.exe",
  30. "taskkill.exe",
  31. "cmd.exe",
  32. "taskkill.exe",
  33. "cmd.exe",
  34. "taskkill.exe",
  35. "cmd.exe",
  36. "taskkill.exe",
  37. "cmd.exe",
  38. "taskkill.exe",
  39. "cmd.exe",
  40. "taskkill.exe",
  41. "cmd.exe",
  42. "taskkill.exe",
  43. "cmd.exe",
  44. "taskkill.exe",
  45. "cmd.exe",
  46. "cmd.exe",
  47. "cmd.exe",
  48. "taskkill.exe",
  49. "cmd.exe",
  50. "taskkill.exe",
  51. "cmd.exe",
  52. "cmd.exe",
  53. "cmd.exe",
  54. "taskkill.exe",
  55. "cmd.exe",
  56. "cmd.exe",
  57. "cmd.exe",
  58. "taskkill.exe",
  59. "cmd.exe",
  60. "cmd.exe",
  61. "cmd.exe",
  62. "taskkill.exe",
  63. "cmd.exe",
  64. "cmd.exe",
  65. "cmd.exe",
  66. "taskkill.exe",
  67. "cmd.exe",
  68. "cmd.exe",
  69. "cmd.exe",
  70. "taskkill.exe",
  71. "cmd.exe",
  72. "cmd.exe",
  73. "cmd.exe",
  74. "taskkill.exe",
  75. "cmd.exe",
  76. "cmd.exe",
  77. "cmd.exe",
  78. "taskkill.exe",
  79. "cmd.exe",
  80. "cmd.exe",
  81. "cmd.exe",
  82. "taskkill.exe",
  83. "cmd.exe",
  84. "cmd.exe",
  85. "cmd.exe",
  86. "taskkill.exe",
  87. "cmd.exe",
  88. "cmd.exe",
  89. "cmd.exe",
  90. "taskkill.exe",
  91. "cmd.exe",
  92. "cmd.exe",
  93. "cmd.exe",
  94. "taskkill.exe",
  95. "cmd.exe",
  96. "cmd.exe",
  97. "cmd.exe",
  98. "taskkill.exe",
  99. "cmd.exe",
  100. "cmd.exe",
  101. "wscript.exe",
  102. "cmd.exe",
  103. "taskkill.exe",
  104. "cmd.exe",
  105. "taskkill.exe",
  106. "cmd.exe",
  107. "taskkill.exe",
  108. "cmd.exe",
  109. "taskkill.exe",
  110. "cmd.exe",
  111. "taskkill.exe",
  112. "cmd.exe",
  113. "taskkill.exe",
  114. "cmd.exe",
  115. "cmd.exe",
  116. "taskkill.exe",
  117. "cmd.exe",
  118. "taskkill.exe",
  119. "cmd.exe",
  120. "taskkill.exe",
  121. "cmd.exe",
  122. "taskkill.exe",
  123. "cmd.exe",
  124. "taskkill.exe",
  125. "cmd.exe",
  126. "taskkill.exe",
  127. "cmd.exe",
  128. "taskkill.exe",
  129. "cmd.exe",
  130. "taskkill.exe",
  131. "cmd.exe",
  132. "taskkill.exe",
  133. "cmd.exe",
  134. "taskkill.exe",
  135. "cmd.exe",
  136. "taskkill.exe",
  137. "cmd.exe",
  138. "taskkill.exe",
  139. "cmd.exe",
  140. "taskkill.exe",
  141. "cmd.exe",
  142. "taskkill.exe",
  143. "cmd.exe",
  144. "taskkill.exe",
  145. "cmd.exe",
  146. "taskkill.exe",
  147. "cmd.exe",
  148. "taskkill.exe",
  149. "cmd.exe",
  150. "taskkill.exe",
  151. "cmd.exe",
  152. "taskkill.exe",
  153. "cmd.exe",
  154. "taskkill.exe",
  155. "cmd.exe",
  156. "taskkill.exe",
  157. "cmd.exe",
  158. "svchost.exe",
  159. "WMIADAP.exe"
  160.  
  161.  
  162. * Executed Commands:
  163. "cmd /c taskkill /f /im SQLAGENTSZW.exe",
  164. "cmd /c taskkill /f /im SQLAGENTSLW.exe",
  165. "cmd /c taskkill /f /im SQLAGENTSKW.exe",
  166. "cmd /c taskkill /f /im SQLAGENTSJW.exe",
  167. "cmd /c taskkill /f /im SQLAGENTSHW.exe",
  168. "cmd /c taskkill /f /im SQLAGENTSGW.exe",
  169. "cmd /c taskkill /f /im SQLAGENTSFW.exe",
  170. "cmd /c taskkill /f /im SQLAGENTSEW.exe",
  171. "cmd /c taskkill /f /im SQLAGENTSDW.exe",
  172. "cmd /c taskkill /f /im SQLAGENTSCW.exe",
  173. "cmd /c taskkill /f /im SQLAGENTSBW.exe",
  174. "cmd /c taskkill /f /im SQLAGENTSAW.exe",
  175. "cmd /c taskkill /f /im taskmgzr.exe",
  176. "cmd /c del /f /a /q C:\\ProgramData\\taskmgzr.exe",
  177. "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe",
  178. "cmd /c taskkill /f /im ftp.exe",
  179. "cmd /c taskkill /f /im p.exe",
  180. "cmd /c del /f /a /q C:\\ProgramData\\winsql.dat",
  181. "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat",
  182. "cmd /c taskkill /f /im TQQ.exe",
  183. "cmd /c del /f /a /q C:\\ProgramData\\TQQ.exe",
  184. "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe",
  185. "cmd /c taskkill /f /im down.exe",
  186. "cmd /c del /f /a /q C:\\ProgramData\\down.exe",
  187. "cmd /c del /f /a /q C:\\RECYCLER\\down.exe",
  188. "cmd /c taskkill /f /im MpMgSvc.dll",
  189. "cmd /c del /f /a /q C:\\ProgramData\\MpMgSvc.dll",
  190. "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll",
  191. "cmd /c taskkill /f /im MS17.exe",
  192. "cmd /c del /f /a /q C:\\ProgramData\\MS17.exe",
  193. "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe",
  194. "cmd /c taskkill /f /im MSSQLL.exe",
  195. "cmd /c del /f /a /q C:\\ProgramData\\MSSQLL.exe",
  196. "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe",
  197. "cmd /c taskkill /f /im TrustedInsteller.exe",
  198. "cmd /c del /f /a /q C:\\ProgramData\\TrustedInsteller.exe",
  199. "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe",
  200. "cmd /c taskkill /f /im TQ.exe",
  201. "cmd /c del /f /a /q C:\\ProgramData\\TQ.exe",
  202. "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe",
  203. "cmd /c taskkill /f /im ab2.exe",
  204. "cmd /c del /f /a /q C:\\ProgramData\\ab2.exe",
  205. "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe",
  206. "cmd /c taskkill /f /im ab1.exe",
  207. "cmd /c del /f /a /q C:\\ProgramData\\ab1.exe",
  208. "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe",
  209. "cmd /c taskkill /f /im winxmr.exe",
  210. "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe",
  211. "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe",
  212. "cmd /c taskkill /f /im Rnaphin.exe",
  213. "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe",
  214. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs\"",
  215. "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs ",
  216. "cmd /c taskkill /f /im taskmgr.exe",
  217. "taskkill /f /im SQLAGENTSZW.exe",
  218. "taskkill /f /im SQLAGENTSLW.exe",
  219. "taskkill /f /im SQLAGENTSKW.exe",
  220. "taskkill /f /im SQLAGENTSJW.exe",
  221. "taskkill /f /im SQLAGENTSHW.exe",
  222. "taskkill /f /im SQLAGENTSGW.exe",
  223. "taskkill /f /im SQLAGENTSFW.exe",
  224. "taskkill /f /im SQLAGENTSEW.exe",
  225. "taskkill /f /im SQLAGENTSDW.exe",
  226. "taskkill /f /im SQLAGENTSCW.exe",
  227. "taskkill /f /im SQLAGENTSBW.exe",
  228. "taskkill /f /im SQLAGENTSAW.exe",
  229. "taskkill /f /im taskmgzr.exe",
  230. "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
  231. "taskkill /f /im ftp.exe",
  232. "taskkill /f /im p.exe",
  233. "taskkill /f /im TQQ.exe",
  234. "taskkill /f /im down.exe",
  235. "taskkill /f /im MpMgSvc.dll",
  236. "taskkill /f /im MS17.exe",
  237. "taskkill /f /im MSSQLL.exe",
  238. "taskkill /f /im TrustedInsteller.exe",
  239. "taskkill /f /im TQ.exe",
  240. "taskkill /f /im ab2.exe",
  241. "taskkill /f /im ab1.exe",
  242. "taskkill /f /im winxmr.exe",
  243. "taskkill /f /im Rnaphin.exe",
  244. "\"C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSWW.exe\"",
  245. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSWW.exe ",
  246. "taskkill /f /im taskmgr.exe"
  247.  
  248.  
  249. * Signatures Detected:
  250.  
  251. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  252. "Details":
  253.  
  254.  
  255. "Description": "Behavioural detection: Executable code extraction",
  256. "Details":
  257.  
  258.  
  259. "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
  260. "Details":
  261.  
  262. "IP_ioc": "185.172.66.203:9383 (Germany)"
  263.  
  264.  
  265. "IP_ioc": "169.254.255.254:9383"
  266.  
  267.  
  268.  
  269.  
  270. "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
  271. "Details":
  272.  
  273. "command": "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe"
  274.  
  275.  
  276. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat"
  277.  
  278.  
  279. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe"
  280.  
  281.  
  282. "command": "cmd /c del /f /a /q C:\\RECYCLER\\down.exe"
  283.  
  284.  
  285. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll"
  286.  
  287.  
  288. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe"
  289.  
  290.  
  291. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe"
  292.  
  293.  
  294. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe"
  295.  
  296.  
  297. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe"
  298.  
  299.  
  300. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe"
  301.  
  302.  
  303. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe"
  304.  
  305.  
  306. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
  307.  
  308.  
  309. "command": "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
  310.  
  311.  
  312.  
  313.  
  314. "Description": "Creates RWX memory",
  315. "Details":
  316.  
  317.  
  318. "Description": "Anomalous file deletion behavior detected (10+)",
  319. "Details":
  320.  
  321. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSZW.exe"
  322.  
  323.  
  324. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSLW.exe"
  325.  
  326.  
  327. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSKW.exe"
  328.  
  329.  
  330. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSJW.exe"
  331.  
  332.  
  333. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSHW.exe"
  334.  
  335.  
  336. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSGW.exe"
  337.  
  338.  
  339. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSFW.exe"
  340.  
  341.  
  342. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSDW.exe"
  343.  
  344.  
  345. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSCW.exe"
  346.  
  347.  
  348. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSBW.exe"
  349.  
  350.  
  351. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSAW.exe"
  352.  
  353.  
  354. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\AutoRunApp.vbs"
  355.  
  356.  
  357. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs"
  358.  
  359.  
  360. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\config.json"
  361.  
  362.  
  363. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt"
  364.  
  365.  
  366. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\NVDIA_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt"
  367.  
  368.  
  369. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\AMD_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt"
  370.  
  371.  
  372. "DeletedFile": "C:\\ProgramData\\taskmgzr.exe"
  373.  
  374.  
  375. "DeletedFile": "C:\\RECYCLER\\taskmgzr.exe"
  376.  
  377.  
  378. "DeletedFile": "C:\\ProgramData\\winsql.dat"
  379.  
  380.  
  381. "DeletedFile": "C:\\RECYCLER\\winsql.dat"
  382.  
  383.  
  384. "DeletedFile": "C:\\ProgramData\\winsql.dat"
  385.  
  386.  
  387. "DeletedFile": "C:\\RECYCLER\\winsql.dat"
  388.  
  389.  
  390. "DeletedFile": "C:\\ProgramData\\TQQ.exe"
  391.  
  392.  
  393. "DeletedFile": "C:\\RECYCLER\\TQQ.exe"
  394.  
  395.  
  396. "DeletedFile": "C:\\ProgramData\\down.exe"
  397.  
  398.  
  399. "DeletedFile": "C:\\RECYCLER\\down.exe"
  400.  
  401.  
  402. "DeletedFile": "C:\\ProgramData\\MpMgSvc.dll"
  403.  
  404.  
  405. "DeletedFile": "C:\\RECYCLER\\MpMgSvc.dll"
  406.  
  407.  
  408. "DeletedFile": "C:\\ProgramData\\MS17.exe"
  409.  
  410.  
  411. "DeletedFile": "C:\\RECYCLER\\MS17.exe"
  412.  
  413.  
  414. "DeletedFile": "C:\\ProgramData\\MSSQLL.exe"
  415.  
  416.  
  417. "DeletedFile": "C:\\RECYCLER\\MSSQLL.exe"
  418.  
  419.  
  420. "DeletedFile": "C:\\ProgramData\\TrustedInsteller.exe"
  421.  
  422.  
  423. "DeletedFile": "C:\\RECYCLER\\TrustedInsteller.exe"
  424.  
  425.  
  426. "DeletedFile": "C:\\ProgramData\\TQ.exe"
  427.  
  428.  
  429. "DeletedFile": "C:\\RECYCLER\\TQ.exe"
  430.  
  431.  
  432. "DeletedFile": "C:\\ProgramData\\ab2.exe"
  433.  
  434.  
  435. "DeletedFile": "C:\\RECYCLER\\ab2.exe"
  436.  
  437.  
  438. "DeletedFile": "C:\\ProgramData\\ab1.exe"
  439.  
  440.  
  441. "DeletedFile": "C:\\RECYCLER\\ab1.exe"
  442.  
  443.  
  444. "DeletedFile": "C:\\ProgramData\\winxmr.exe"
  445.  
  446.  
  447. "DeletedFile": "C:\\RECYCLER\\winxmr.exe"
  448.  
  449.  
  450. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
  451.  
  452.  
  453. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
  454.  
  455.  
  456.  
  457.  
  458.  
  459.  
  460.  
  461.  
  462. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempsysermad.exe"
  463.  
  464.  
  465. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempXMRig.exe"
  466.  
  467.  
  468. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempXMR.exe"
  469.  
  470.  
  471. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temptaobao.exe"
  472.  
  473.  
  474. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempchrom.exe"
  475.  
  476.  
  477. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempchromes.exe"
  478.  
  479.  
  480. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempMiner.exe"
  481.  
  482.  
  483. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempm6.exe"
  484.  
  485.  
  486. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempm7.exe"
  487.  
  488.  
  489. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempmyssssql.exe"
  490.  
  491.  
  492. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temptaskmgr.exe"
  493.  
  494.  
  495. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempcpu.exe"
  496.  
  497.  
  498. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempx6.exe"
  499.  
  500.  
  501. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin64.exe"
  502.  
  503.  
  504. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin32.exe"
  505.  
  506.  
  507. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin64.exe"
  508.  
  509.  
  510. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin32.exe"
  511.  
  512.  
  513. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempvip.exe"
  514.  
  515.  
  516. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempvpn.exe"
  517.  
  518.  
  519. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp370.exe"
  520.  
  521.  
  522. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempaIg.exe"
  523.  
  524.  
  525. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTC.exe"
  526.  
  527.  
  528. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log1.txt"
  529.  
  530.  
  531. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log.txt"
  532.  
  533.  
  534. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTN.exe"
  535.  
  536.  
  537. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\N_log1.txt"
  538.  
  539.  
  540. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\N_log.txt"
  541.  
  542.  
  543. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTA.exe"
  544.  
  545.  
  546. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\A_log1.txt"
  547.  
  548.  
  549. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\A_log.txt"
  550.  
  551.  
  552. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs"
  553.  
  554.  
  555. "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  556.  
  557.  
  558.  
  559.  
  560. "Description": "Guard pages use detected - possible anti-debugging.",
  561. "Details":
  562.  
  563.  
  564. "Description": "Detected script timer window indicative of sleep style evasion",
  565. "Details":
  566.  
  567. "Window": "WSH-Timer"
  568.  
  569.  
  570.  
  571.  
  572. "Description": "Performs HTTP requests potentially not found in PCAP.",
  573. "Details":
  574.  
  575. "url_ioc": "c.xzzzx.ga:80//o/cpu64.exe"
  576.  
  577.  
  578.  
  579.  
  580. "Description": "Expresses interest in specific running processes",
  581. "Details":
  582.  
  583. "process": "cmd.exe"
  584.  
  585.  
  586.  
  587.  
  588. "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
  589. "Details":
  590.  
  591.  
  592. "Description": "Reads data out of its own binary image",
  593. "Details":
  594.  
  595. "self_read": "process: wscript.exe, pid: 4072, offset: 0x00000000, length: 0x00000040"
  596.  
  597.  
  598. "self_read": "process: wscript.exe, pid: 4072, offset: 0x000000f0, length: 0x00000018"
  599.  
  600.  
  601. "self_read": "process: wscript.exe, pid: 4072, offset: 0x000001e8, length: 0x00000078"
  602.  
  603.  
  604. "self_read": "process: wscript.exe, pid: 4072, offset: 0x00018000, length: 0x00000020"
  605.  
  606.  
  607. "self_read": "process: wscript.exe, pid: 4072, offset: 0x00018058, length: 0x00000018"
  608.  
  609.  
  610. "self_read": "process: wscript.exe, pid: 4072, offset: 0x000181a8, length: 0x00000018"
  611.  
  612.  
  613. "self_read": "process: wscript.exe, pid: 4072, offset: 0x00018470, length: 0x00000010"
  614.  
  615.  
  616. "self_read": "process: wscript.exe, pid: 4072, offset: 0x00018640, length: 0x00000012"
  617.  
  618.  
  619.  
  620.  
  621. "Description": "A process created a hidden window",
  622. "Details":
  623.  
  624. "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
  625.  
  626.  
  627.  
  628.  
  629. "Description": "Unconventional language used in binary resources: Chinese (Simplified)",
  630. "Details":
  631.  
  632.  
  633. "Description": "The binary likely contains encrypted or compressed data.",
  634. "Details":
  635.  
  636. "section": "name: .MPRESS1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00056000, virtual_size: 0x0012f000"
  637.  
  638.  
  639.  
  640.  
  641. "Description": "A scripting utility was executed",
  642. "Details":
  643.  
  644. "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs\""
  645.  
  646.  
  647.  
  648.  
  649. "Description": "Uses Windows utilities for basic functionality",
  650. "Details":
  651.  
  652. "command": "cmd /c taskkill /f /im SQLAGENTSZW.exe"
  653.  
  654.  
  655. "command": "cmd /c taskkill /f /im SQLAGENTSLW.exe"
  656.  
  657.  
  658. "command": "cmd /c taskkill /f /im SQLAGENTSKW.exe"
  659.  
  660.  
  661. "command": "cmd /c taskkill /f /im SQLAGENTSJW.exe"
  662.  
  663.  
  664. "command": "cmd /c taskkill /f /im SQLAGENTSHW.exe"
  665.  
  666.  
  667. "command": "cmd /c taskkill /f /im SQLAGENTSGW.exe"
  668.  
  669.  
  670. "command": "cmd /c taskkill /f /im SQLAGENTSFW.exe"
  671.  
  672.  
  673. "command": "cmd /c taskkill /f /im SQLAGENTSEW.exe"
  674.  
  675.  
  676. "command": "cmd /c taskkill /f /im SQLAGENTSDW.exe"
  677.  
  678.  
  679. "command": "cmd /c taskkill /f /im SQLAGENTSCW.exe"
  680.  
  681.  
  682. "command": "cmd /c taskkill /f /im SQLAGENTSBW.exe"
  683.  
  684.  
  685. "command": "cmd /c taskkill /f /im SQLAGENTSAW.exe"
  686.  
  687.  
  688. "command": "cmd /c taskkill /f /im taskmgzr.exe"
  689.  
  690.  
  691. "command": "cmd /c del /f /a /q C:\\ProgramData\\taskmgzr.exe"
  692.  
  693.  
  694. "command": "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe"
  695.  
  696.  
  697. "command": "cmd /c taskkill /f /im ftp.exe"
  698.  
  699.  
  700. "command": "cmd /c taskkill /f /im p.exe"
  701.  
  702.  
  703. "command": "cmd /c del /f /a /q C:\\ProgramData\\winsql.dat"
  704.  
  705.  
  706. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat"
  707.  
  708.  
  709. "command": "cmd /c taskkill /f /im TQQ.exe"
  710.  
  711.  
  712. "command": "cmd /c del /f /a /q C:\\ProgramData\\TQQ.exe"
  713.  
  714.  
  715. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe"
  716.  
  717.  
  718. "command": "cmd /c taskkill /f /im down.exe"
  719.  
  720.  
  721. "command": "cmd /c del /f /a /q C:\\ProgramData\\down.exe"
  722.  
  723.  
  724. "command": "cmd /c del /f /a /q C:\\RECYCLER\\down.exe"
  725.  
  726.  
  727. "command": "cmd /c taskkill /f /im MpMgSvc.dll"
  728.  
  729.  
  730. "command": "cmd /c del /f /a /q C:\\ProgramData\\MpMgSvc.dll"
  731.  
  732.  
  733. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll"
  734.  
  735.  
  736. "command": "cmd /c taskkill /f /im MS17.exe"
  737.  
  738.  
  739. "command": "cmd /c del /f /a /q C:\\ProgramData\\MS17.exe"
  740.  
  741.  
  742. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe"
  743.  
  744.  
  745. "command": "cmd /c taskkill /f /im MSSQLL.exe"
  746.  
  747.  
  748. "command": "cmd /c del /f /a /q C:\\ProgramData\\MSSQLL.exe"
  749.  
  750.  
  751. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe"
  752.  
  753.  
  754. "command": "cmd /c taskkill /f /im TrustedInsteller.exe"
  755.  
  756.  
  757. "command": "cmd /c del /f /a /q C:\\ProgramData\\TrustedInsteller.exe"
  758.  
  759.  
  760. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe"
  761.  
  762.  
  763. "command": "cmd /c taskkill /f /im TQ.exe"
  764.  
  765.  
  766. "command": "cmd /c del /f /a /q C:\\ProgramData\\TQ.exe"
  767.  
  768.  
  769. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe"
  770.  
  771.  
  772. "command": "cmd /c taskkill /f /im ab2.exe"
  773.  
  774.  
  775. "command": "cmd /c del /f /a /q C:\\ProgramData\\ab2.exe"
  776.  
  777.  
  778. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe"
  779.  
  780.  
  781. "command": "cmd /c taskkill /f /im ab1.exe"
  782.  
  783.  
  784. "command": "cmd /c del /f /a /q C:\\ProgramData\\ab1.exe"
  785.  
  786.  
  787. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe"
  788.  
  789.  
  790. "command": "cmd /c taskkill /f /im winxmr.exe"
  791.  
  792.  
  793. "command": "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe"
  794.  
  795.  
  796. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
  797.  
  798.  
  799. "command": "cmd /c taskkill /f /im Rnaphin.exe"
  800.  
  801.  
  802. "command": "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
  803.  
  804.  
  805.  
  806.  
  807.  
  808.  
  809.  
  810.  
  811. "command": "cmd /c taskkill /f /im taskmgr.exe"
  812.  
  813.  
  814.  
  815.  
  816. "Description": "A process attempted to delay the analysis task by a long amount of time.",
  817. "Details":
  818.  
  819. "Process": "wscript.exe tried to sleep 1921 seconds, actually delayed analysis time by 0 seconds"
  820.  
  821.  
  822. "Process": "taskkill.exe tried to sleep 3303 seconds, actually delayed analysis time by 0 seconds"
  823.  
  824.  
  825.  
  826.  
  827. "Description": "Installs itself for autorun at Windows startup",
  828. "Details":
  829.  
  830. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\ADSL Dial"
  831.  
  832.  
  833. "data": "C:\\Users\\user\\AppData\\Local\\Temp\\\\rl8Npxu54.exe"
  834.  
  835.  
  836.  
  837.  
  838. "Description": "Creates a hidden or system file",
  839. "Details":
  840.  
  841. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs"
  842.  
  843.  
  844.  
  845.  
  846. "Description": "Creates a copy of itself",
  847. "Details":
  848.  
  849. "copy": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSWW.exe"
  850.  
  851.  
  852.  
  853.  
  854. "Description": "A cryptomining command was executed",
  855. "Details":
  856.  
  857. "command": "cmd /c taskkill /f /im winxmr.exe"
  858.  
  859.  
  860. "command": "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe"
  861.  
  862.  
  863. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
  864.  
  865.  
  866. "command": "taskkill /f /im winxmr.exe"
  867.  
  868.  
  869.  
  870.  
  871. "Description": "Empties the Recycle Bin, indicative of ransomware",
  872. "Details":
  873.  
  874.  
  875. "Description": "Uses suspicious command line tools or Windows utilities",
  876. "Details":
  877.  
  878. "command": "cmd /c taskkill /f /im SQLAGENTSZW.exe"
  879.  
  880.  
  881. "command": "cmd /c taskkill /f /im SQLAGENTSLW.exe"
  882.  
  883.  
  884. "command": "cmd /c taskkill /f /im SQLAGENTSKW.exe"
  885.  
  886.  
  887. "command": "cmd /c taskkill /f /im SQLAGENTSJW.exe"
  888.  
  889.  
  890. "command": "cmd /c taskkill /f /im SQLAGENTSHW.exe"
  891.  
  892.  
  893. "command": "cmd /c taskkill /f /im SQLAGENTSGW.exe"
  894.  
  895.  
  896. "command": "cmd /c taskkill /f /im SQLAGENTSFW.exe"
  897.  
  898.  
  899. "command": "cmd /c taskkill /f /im SQLAGENTSEW.exe"
  900.  
  901.  
  902. "command": "cmd /c taskkill /f /im SQLAGENTSDW.exe"
  903.  
  904.  
  905. "command": "cmd /c taskkill /f /im SQLAGENTSCW.exe"
  906.  
  907.  
  908. "command": "cmd /c taskkill /f /im SQLAGENTSBW.exe"
  909.  
  910.  
  911. "command": "cmd /c taskkill /f /im SQLAGENTSAW.exe"
  912.  
  913.  
  914. "command": "cmd /c taskkill /f /im taskmgzr.exe"
  915.  
  916.  
  917. "command": "cmd /c del /f /a /q C:\\ProgramData\\taskmgzr.exe"
  918.  
  919.  
  920. "command": "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe"
  921.  
  922.  
  923. "command": "cmd /c taskkill /f /im ftp.exe"
  924.  
  925.  
  926. "command": "cmd /c taskkill /f /im p.exe"
  927.  
  928.  
  929. "command": "cmd /c del /f /a /q C:\\ProgramData\\winsql.dat"
  930.  
  931.  
  932. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat"
  933.  
  934.  
  935. "command": "cmd /c taskkill /f /im TQQ.exe"
  936.  
  937.  
  938. "command": "cmd /c del /f /a /q C:\\ProgramData\\TQQ.exe"
  939.  
  940.  
  941. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe"
  942.  
  943.  
  944. "command": "cmd /c taskkill /f /im down.exe"
  945.  
  946.  
  947. "command": "cmd /c del /f /a /q C:\\ProgramData\\down.exe"
  948.  
  949.  
  950. "command": "cmd /c del /f /a /q C:\\RECYCLER\\down.exe"
  951.  
  952.  
  953. "command": "cmd /c taskkill /f /im MpMgSvc.dll"
  954.  
  955.  
  956. "command": "cmd /c del /f /a /q C:\\ProgramData\\MpMgSvc.dll"
  957.  
  958.  
  959. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll"
  960.  
  961.  
  962. "command": "cmd /c taskkill /f /im MS17.exe"
  963.  
  964.  
  965. "command": "cmd /c del /f /a /q C:\\ProgramData\\MS17.exe"
  966.  
  967.  
  968. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe"
  969.  
  970.  
  971. "command": "cmd /c taskkill /f /im MSSQLL.exe"
  972.  
  973.  
  974. "command": "cmd /c del /f /a /q C:\\ProgramData\\MSSQLL.exe"
  975.  
  976.  
  977. "command": "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe"
  978.  
  979.  
  980. "command": "cmd /c taskkill /f /im TrustedInsteller.exe"
  981.  
  982.  
  983. "command": "cmd /c del /f /a /q C:\\ProgramData\\TrustedInsteller.exe"
  984.  
  985.  
  986. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe"
  987.  
  988.  
  989. "command": "cmd /c taskkill /f /im TQ.exe"
  990.  
  991.  
  992. "command": "cmd /c del /f /a /q C:\\ProgramData\\TQ.exe"
  993.  
  994.  
  995. "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe"
  996.  
  997.  
  998. "command": "cmd /c taskkill /f /im ab2.exe"
  999.  
  1000.  
  1001. "command": "cmd /c del /f /a /q C:\\ProgramData\\ab2.exe"
  1002.  
  1003.  
  1004. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe"
  1005.  
  1006.  
  1007. "command": "cmd /c taskkill /f /im ab1.exe"
  1008.  
  1009.  
  1010. "command": "cmd /c del /f /a /q C:\\ProgramData\\ab1.exe"
  1011.  
  1012.  
  1013. "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe"
  1014.  
  1015.  
  1016. "command": "cmd /c taskkill /f /im winxmr.exe"
  1017.  
  1018.  
  1019. "command": "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe"
  1020.  
  1021.  
  1022. "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
  1023.  
  1024.  
  1025. "command": "cmd /c taskkill /f /im Rnaphin.exe"
  1026.  
  1027.  
  1028. "command": "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
  1029.  
  1030.  
  1031.  
  1032.  
  1033.  
  1034.  
  1035.  
  1036.  
  1037. "command": "cmd /c taskkill /f /im taskmgr.exe"
  1038.  
  1039.  
  1040. "command": "taskkill /f /im SQLAGENTSZW.exe"
  1041.  
  1042.  
  1043. "command": "taskkill /f /im SQLAGENTSLW.exe"
  1044.  
  1045.  
  1046. "command": "taskkill /f /im SQLAGENTSKW.exe"
  1047.  
  1048.  
  1049. "command": "taskkill /f /im SQLAGENTSJW.exe"
  1050.  
  1051.  
  1052. "command": "taskkill /f /im SQLAGENTSHW.exe"
  1053.  
  1054.  
  1055. "command": "taskkill /f /im SQLAGENTSGW.exe"
  1056.  
  1057.  
  1058. "command": "taskkill /f /im SQLAGENTSFW.exe"
  1059.  
  1060.  
  1061. "command": "taskkill /f /im SQLAGENTSEW.exe"
  1062.  
  1063.  
  1064. "command": "taskkill /f /im SQLAGENTSDW.exe"
  1065.  
  1066.  
  1067. "command": "taskkill /f /im SQLAGENTSCW.exe"
  1068.  
  1069.  
  1070. "command": "taskkill /f /im SQLAGENTSBW.exe"
  1071.  
  1072.  
  1073. "command": "taskkill /f /im SQLAGENTSAW.exe"
  1074.  
  1075.  
  1076. "command": "taskkill /f /im taskmgzr.exe"
  1077.  
  1078.  
  1079. "command": "taskkill /f /im ftp.exe"
  1080.  
  1081.  
  1082. "command": "taskkill /f /im p.exe"
  1083.  
  1084.  
  1085. "command": "taskkill /f /im TQQ.exe"
  1086.  
  1087.  
  1088. "command": "taskkill /f /im down.exe"
  1089.  
  1090.  
  1091. "command": "taskkill /f /im MpMgSvc.dll"
  1092.  
  1093.  
  1094. "command": "taskkill /f /im MS17.exe"
  1095.  
  1096.  
  1097. "command": "taskkill /f /im MSSQLL.exe"
  1098.  
  1099.  
  1100. "command": "taskkill /f /im TrustedInsteller.exe"
  1101.  
  1102.  
  1103. "command": "taskkill /f /im TQ.exe"
  1104.  
  1105.  
  1106. "command": "taskkill /f /im ab2.exe"
  1107.  
  1108.  
  1109. "command": "taskkill /f /im ab1.exe"
  1110.  
  1111.  
  1112. "command": "taskkill /f /im winxmr.exe"
  1113.  
  1114.  
  1115. "command": "taskkill /f /im Rnaphin.exe"
  1116.  
  1117.  
  1118.  
  1119.  
  1120. "command": "taskkill /f /im taskmgr.exe"
  1121.  
  1122.  
  1123.  
  1124.  
  1125.  
  1126. * Started Service:
  1127.  
  1128. * Mutexes:
  1129. "Local\\ZoneAttributeCacheCounterMutex",
  1130. "Local\\ZonesCacheCounterMutex",
  1131. "Local\\ZonesLockedCacheCounterMutex",
  1132. "Global\\ADAP_WMI_ENTRY",
  1133. "Global\\RefreshRA_Mutex",
  1134. "Global\\RefreshRA_Mutex_Lib",
  1135. "Global\\RefreshRA_Mutex_Flag"
  1136.  
  1137.  
  1138. * Modified Files:
  1139. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSWW.exe",
  1140. "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs",
  1141. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  1142. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  1143. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
  1144.  
  1145.  
  1146. * Deleted Files:
  1147. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSZW.exe",
  1148. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSLW.exe",
  1149. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSKW.exe",
  1150. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSJW.exe",
  1151. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSHW.exe",
  1152. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSGW.exe",
  1153. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSFW.exe",
  1154. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSDW.exe",
  1155. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSCW.exe",
  1156. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSBW.exe",
  1157. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSAW.exe",
  1158. "C:\\Users\\user\\AppData\\Local\\Temp\\AutoRunApp.vbs",
  1159. "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs",
  1160. "C:\\Users\\user\\AppData\\Local\\Temp\\config.json",
  1161. "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt",
  1162. "C:\\Users\\user\\AppData\\Local\\Temp\\NVDIA_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt",
  1163. "C:\\Users\\user\\AppData\\Local\\Temp\\AMD_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt",
  1164. "C:\\ProgramData\\taskmgzr.exe",
  1165. "C:\\RECYCLER\\taskmgzr.exe",
  1166. "C:\\ProgramData\\winsql.dat",
  1167. "C:\\RECYCLER\\winsql.dat",
  1168. "C:\\ProgramData\\TQQ.exe",
  1169. "C:\\RECYCLER\\TQQ.exe",
  1170. "C:\\ProgramData\\down.exe",
  1171. "C:\\RECYCLER\\down.exe",
  1172. "C:\\ProgramData\\MpMgSvc.dll",
  1173. "C:\\RECYCLER\\MpMgSvc.dll",
  1174. "C:\\ProgramData\\MS17.exe",
  1175. "C:\\RECYCLER\\MS17.exe",
  1176. "C:\\ProgramData\\MSSQLL.exe",
  1177. "C:\\RECYCLER\\MSSQLL.exe",
  1178. "C:\\ProgramData\\TrustedInsteller.exe",
  1179. "C:\\RECYCLER\\TrustedInsteller.exe",
  1180. "C:\\ProgramData\\TQ.exe",
  1181. "C:\\RECYCLER\\TQ.exe",
  1182. "C:\\ProgramData\\ab2.exe",
  1183. "C:\\RECYCLER\\ab2.exe",
  1184. "C:\\ProgramData\\ab1.exe",
  1185. "C:\\RECYCLER\\ab1.exe",
  1186. "C:\\ProgramData\\winxmr.exe",
  1187. "C:\\RECYCLER\\winxmr.exe",
  1188. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe",
  1189. "C:\\Users\\user\\AppData\\Local\\Tempsysermad.exe",
  1190. "C:\\Users\\user\\AppData\\Local\\TempXMRig.exe",
  1191. "C:\\Users\\user\\AppData\\Local\\TempXMR.exe",
  1192. "C:\\Users\\user\\AppData\\Local\\Temptaobao.exe",
  1193. "C:\\Users\\user\\AppData\\Local\\Tempchrom.exe",
  1194. "C:\\Users\\user\\AppData\\Local\\Tempchromes.exe",
  1195. "C:\\Users\\user\\AppData\\Local\\TempMiner.exe",
  1196. "C:\\Users\\user\\AppData\\Local\\Tempm6.exe",
  1197. "C:\\Users\\user\\AppData\\Local\\Tempm7.exe",
  1198. "C:\\Users\\user\\AppData\\Local\\Tempmyssssql.exe",
  1199. "C:\\Users\\user\\AppData\\Local\\Temptaskmgr.exe",
  1200. "C:\\Users\\user\\AppData\\Local\\Tempcpu.exe",
  1201. "C:\\Users\\user\\AppData\\Local\\Tempx6.exe",
  1202. "C:\\Users\\user\\AppData\\Local\\Tempwin64.exe",
  1203. "C:\\Users\\user\\AppData\\Local\\Tempwin32.exe",
  1204. "C:\\Users\\user\\AppData\\Local\\Tempvip.exe",
  1205. "C:\\Users\\user\\AppData\\Local\\Tempvpn.exe",
  1206. "C:\\Users\\user\\AppData\\Local\\Temp370.exe",
  1207. "C:\\Users\\user\\AppData\\Local\\TempaIg.exe",
  1208. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTC.exe",
  1209. "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log1.txt",
  1210. "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log.txt",
  1211. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTN.exe",
  1212. "C:\\Users\\user\\AppData\\Local\\Temp\\N_log1.txt",
  1213. "C:\\Users\\user\\AppData\\Local\\Temp\\N_log.txt",
  1214. "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTA.exe",
  1215. "C:\\Users\\user\\AppData\\Local\\Temp\\A_log1.txt",
  1216. "C:\\Users\\user\\AppData\\Local\\Temp\\A_log.txt",
  1217. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  1218.  
  1219.  
  1220. * Modified Registry Keys:
  1221. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
  1222. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\ADSL Dial",
  1223. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  1224. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  1225. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect"
  1226.  
  1227.  
  1228. * Deleted Registry Keys:
  1229. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  1230. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  1231. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  1232. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  1233.  
  1234.  
  1235. * DNS Communications:
  1236.  
  1237. "type": "A",
  1238. "request": "x.nxxxn.ga",
  1239. "answers":
  1240.  
  1241.  
  1242. "type": "A",
  1243. "request": "c.xzzzx.ga",
  1244. "answers":
  1245.  
  1246.  
  1247.  
  1248. * Domains:
  1249.  
  1250. "ip": "185.172.66.203",
  1251. "domain": "x.nxxxn.ga"
  1252.  
  1253.  
  1254. "ip": "156.238.3.105",
  1255. "domain": "c.xzzzx.ga"
  1256.  
  1257.  
  1258.  
  1259. * Network Communication - ICMP:
  1260.  
  1261. * Network Communication - HTTP:
  1262.  
  1263. * Network Communication - SMTP:
  1264.  
  1265. * Network Communication - Hosts:
  1266.  
  1267. "country_name": "Germany",
  1268. "ip": "185.172.66.203",
  1269. "inaddrarpa": "",
  1270. "hostname": ""
  1271.  
  1272.  
  1273.  
  1274. * Network Communication - IRC: