· 6 years ago · Sep 19, 2019, 03:34 AM
1
2* ID: 2280
3* MalFamily: "Genpack" (reviewer note: "GenPack" is a generic packed-binary label copied from the BitDefender-engine detection name listed under VirusTotal below, not a malware family. The observed behavior — killing/deleting other miners' files, a dropped config.json, an attempted cpu64.exe download — together with the vendor names Symantec Miner.XMRig, TrendMicro Coinminer.Win32.MALXMR and ESET/Fortinet Win32/CoinMiner.BUF point to an XMRig-based coin-miner dropper.)
4
5* MalScore: 10.0
6
7* File Name: "Exes_c5704031e9a35c4d9d92170cf7b8807b.exe"
8* File Size: 378880
9* File Type: "MS-DOS executable" (reviewer note: the type identifier only recognised the DOS stub; the .MPRESS1 section with entropy 8.00 reported under Signatures identifies this as a PE packed with MPRESS. Unpack it before any static analysis or YARA work — the packed image will match little.)
10* SHA256: "ff438b6ded403c48938473ea51d9068ed1defde161dda38897ec5f05b07ba31a"
11* MD5: "c5704031e9a35c4d9d92170cf7b8807b"
12* SHA1: "fa3432747c21e98edf5c767886291c9eb08699fc"
13* SHA512: "13a493df36a9cad662df4981b635c99101e6e33fedda43dfc009d0e960d8a100ec7a80f41ba172da088f5635dbdfcab6becc8d55a2e72e0f9cb3259e939413e0"
14* CRC32: "28786F4D"
15* SSDEEP: "6144:oKWw79GUs8uTCDBNFDAeHsgLyQmP5Mdu6s16lGGxk5OaH09KQJmehrY:oiPOC8eHpLyJe1lVKjVQne"
16
17* Process Execution:
18 "FSGZ4pL54OjE.exe",
19 "cmd.exe",
20 "taskkill.exe",
21 "cmd.exe",
22 "taskkill.exe",
23 "cmd.exe",
24 "taskkill.exe",
25 "cmd.exe",
26 "taskkill.exe",
27 "cmd.exe",
28 "taskkill.exe",
29 "cmd.exe",
30 "taskkill.exe",
31 "cmd.exe",
32 "taskkill.exe",
33 "cmd.exe",
34 "taskkill.exe",
35 "cmd.exe",
36 "taskkill.exe",
37 "cmd.exe",
38 "taskkill.exe",
39 "cmd.exe",
40 "taskkill.exe",
41 "cmd.exe",
42 "taskkill.exe",
43 "cmd.exe",
44 "taskkill.exe",
45 "cmd.exe",
46 "cmd.exe",
47 "cmd.exe",
48 "taskkill.exe",
49 "cmd.exe",
50 "taskkill.exe",
51 "cmd.exe",
52 "cmd.exe",
53 "cmd.exe",
54 "taskkill.exe",
55 "cmd.exe",
56 "cmd.exe",
57 "cmd.exe",
58 "taskkill.exe",
59 "cmd.exe",
60 "cmd.exe",
61 "cmd.exe",
62 "taskkill.exe",
63 "cmd.exe",
64 "cmd.exe",
65 "cmd.exe",
66 "taskkill.exe",
67 "cmd.exe",
68 "cmd.exe",
69 "cmd.exe",
70 "cmd.exe",
71 "taskkill.exe",
72 "cmd.exe",
73 "cmd.exe",
74 "taskkill.exe",
75 "cmd.exe",
76 "cmd.exe",
77 "cmd.exe",
78 "taskkill.exe",
79 "cmd.exe",
80 "cmd.exe",
81 "cmd.exe",
82 "taskkill.exe",
83 "cmd.exe",
84 "cmd.exe",
85 "cmd.exe",
86 "taskkill.exe",
87 "cmd.exe",
88 "cmd.exe",
89 "cmd.exe",
90 "taskkill.exe",
91 "cmd.exe",
92 "cmd.exe",
93 "cmd.exe",
94 "taskkill.exe",
95 "cmd.exe",
96 "cmd.exe",
97 "cmd.exe",
98 "taskkill.exe",
99 "cmd.exe",
100 "cmd.exe",
101 "wscript.exe",
102 "cmd.exe",
103 "taskkill.exe",
104 "cmd.exe",
105 "taskkill.exe",
106 "cmd.exe",
107 "taskkill.exe",
108 "cmd.exe",
109 "taskkill.exe",
110 "cmd.exe",
111 "taskkill.exe",
112 "cmd.exe",
113 "taskkill.exe",
114 "cmd.exe",
115 "taskkill.exe",
116 "cmd.exe",
117 "taskkill.exe",
118 "cmd.exe",
119 "taskkill.exe",
120 "cmd.exe",
121 "taskkill.exe",
122 "cmd.exe",
123 "taskkill.exe",
124 "cmd.exe",
125 "taskkill.exe",
126 "cmd.exe",
127 "taskkill.exe",
128 "cmd.exe",
129 "taskkill.exe",
130 "svchost.exe",
131 "taskeng.exe",
132 "taskeng.exe",
133 "msoia.exe",
134 "msoia.exe",
135 "taskeng.exe",
136 "WMIADAP.exe",
137 "taskeng.exe"
138
139
140* Executed Commands: (reviewer note: almost all of these are taskkill/del pairs aimed at other miners' process and file names under C:\\ProgramData and C:\\RECYCLER — a turf-war cleanup common in cryptomining droppers; names such as TrustedInsteller.exe (a misspelled TrustedInstaller lookalike) and winxmr.exe are useful hunting terms in their own right, and MS17.exe may refer to an MS17-010 tool but that is unconfirmed here. The `del %ProgramFiles%\\...\\Rnaphin.exe` command passes the variable unexpanded, so it resolves relative to %TEMP% and the intended target is not removed. The taskeng.exe, WMIADAP.EXE, OLicenseHeartbeat.exe and msoia.exe entries are Windows/Office scheduled-task activity that ran during the analysis window and should not be attributed to the sample without further evidence.)
141 "cmd /c taskkill /f /im SQLAGENTSZW.exe",
142 "cmd /c taskkill /f /im SQLAGENTSLW.exe",
143 "cmd /c taskkill /f /im SQLAGENTSKW.exe",
144 "cmd /c taskkill /f /im SQLAGENTSJW.exe",
145 "cmd /c taskkill /f /im SQLAGENTSHW.exe",
146 "cmd /c taskkill /f /im SQLAGENTSGW.exe",
147 "cmd /c taskkill /f /im SQLAGENTSFW.exe",
148 "cmd /c taskkill /f /im SQLAGENTSEW.exe",
149 "cmd /c taskkill /f /im SQLAGENTSDW.exe",
150 "cmd /c taskkill /f /im SQLAGENTSCW.exe",
151 "cmd /c taskkill /f /im SQLAGENTSBW.exe",
152 "cmd /c taskkill /f /im SQLAGENTSAW.exe",
153 "cmd /c taskkill /f /im taskmgzr.exe",
154 "cmd /c del /f /a /q C:\\ProgramData\\taskmgzr.exe",
155 "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe",
156 "cmd /c taskkill /f /im ftp.exe",
157 "cmd /c taskkill /f /im p.exe",
158 "cmd /c del /f /a /q C:\\ProgramData\\winsql.dat",
159 "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat",
160 "cmd /c taskkill /f /im TQQ.exe",
161 "cmd /c del /f /a /q C:\\ProgramData\\TQQ.exe",
162 "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe",
163 "cmd /c taskkill /f /im down.exe",
164 "cmd /c del /f /a /q C:\\ProgramData\\down.exe",
165 "cmd /c del /f /a /q C:\\RECYCLER\\down.exe",
166 "cmd /c taskkill /f /im MpMgSvc.dll",
167 "cmd /c del /f /a /q C:\\ProgramData\\MpMgSvc.dll",
168 "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll",
169 "cmd /c taskkill /f /im MS17.exe",
170 "cmd /c del /f /a /q C:\\ProgramData\\MS17.exe",
171 "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe",
172 "cmd /c taskkill /f /im MSSQLL.exe",
173 "cmd /c del /f /a /q C:\\ProgramData\\MSSQLL.exe",
174 "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe",
175 "cmd /c taskkill /f /im TrustedInsteller.exe",
176 "cmd /c del /f /a /q C:\\ProgramData\\TrustedInsteller.exe",
177 "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe",
178 "cmd /c taskkill /f /im TQ.exe",
179 "cmd /c del /f /a /q C:\\ProgramData\\TQ.exe",
180 "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe",
181 "cmd /c taskkill /f /im ab2.exe",
182 "cmd /c del /f /a /q C:\\ProgramData\\ab2.exe",
183 "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe",
184 "cmd /c taskkill /f /im ab1.exe",
185 "cmd /c del /f /a /q C:\\ProgramData\\ab1.exe",
186 "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe",
187 "cmd /c taskkill /f /im winxmr.exe",
188 "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe",
189 "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe",
190 "cmd /c taskkill /f /im Rnaphin.exe",
191 "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe",
192 "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs\"",
193 "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs ",
194 "cmd /c taskkill /f /im taskmgr.exe",
195 "taskkill /f /im SQLAGENTSZW.exe",
196 "taskkill /f /im SQLAGENTSLW.exe",
197 "taskkill /f /im SQLAGENTSKW.exe",
198 "taskkill /f /im SQLAGENTSJW.exe",
199 "taskkill /f /im SQLAGENTSHW.exe",
200 "taskkill /f /im SQLAGENTSGW.exe",
201 "taskkill /f /im SQLAGENTSFW.exe",
202 "taskkill /f /im SQLAGENTSEW.exe",
203 "taskkill /f /im SQLAGENTSDW.exe",
204 "taskkill /f /im SQLAGENTSCW.exe",
205 "taskkill /f /im SQLAGENTSBW.exe",
206 "taskkill /f /im SQLAGENTSAW.exe",
207 "taskkill /f /im taskmgzr.exe",
208 "taskkill /f /im ftp.exe",
209 "taskkill /f /im p.exe",
210 "taskeng.exe D7699475-CE31-4D80-AD86-DE0D8AF29461 S-1-5-18:NT AUTHORITY\\System:Service:",
211 "taskeng.exe FE26A9AD-C545-4C5E-96FE-10BA0DA9C341 S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
212 "taskeng.exe 78372A5B-9B29-46C3-AFAD-3EC327466E61 S-1-5-18:NT AUTHORITY\\System:Service:",
213 "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
214 "taskeng.exe 70FC8EB8-F2CA-40B7-BD0E-077E242CCE18 S-1-5-18:NT AUTHORITY\\System:Service:",
215 "taskeng.exe 30D14CB4-6866-4BFC-A353-04D82CA6A1D9 S-1-5-18:NT AUTHORITY\\System:Service:",
216 "taskkill /f /im TQQ.exe",
217 "taskkill /f /im down.exe",
218 "taskkill /f /im MpMgSvc.dll",
219 "taskkill /f /im MS17.exe",
220 "taskkill /f /im MSSQLL.exe",
221 "taskkill /f /im TrustedInsteller.exe",
222 "taskkill /f /im TQ.exe",
223 "taskkill /f /im ab2.exe",
224 "taskkill /f /im ab1.exe",
225 "taskkill /f /im winxmr.exe",
226 "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
227 "taskkill /f /im Rnaphin.exe",
228 "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
229 "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload",
230 "taskkill /f /im taskmgr.exe"
231
232
233* Signatures Detected:
234
235 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
236 "Details":
237
238
239 "Description": "Behavioural detection: Executable code extraction",
240 "Details":
241
242
243 "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
244 "Details":
245
246 "IP_ioc": "185.172.66.203:9383 (Germany)"
247
248
249 "IP_ioc": "169.254.255.254:9383"
250
251
252
253
254 "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
255 "Details":
256
257 "command": "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe"
258
259
260 "command": "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat"
261
262
263 "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe"
264
265
266 "command": "cmd /c del /f /a /q C:\\RECYCLER\\down.exe"
267
268
269 "command": "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll"
270
271
272 "command": "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe"
273
274
275 "command": "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe"
276
277
278 "command": "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe"
279
280
281 "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe"
282
283
284 "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe"
285
286
287 "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe"
288
289
290 "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
291
292
293 "command": "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
294
295
296
297
298 "Description": "Anomalous file deletion behavior detected (10+)",
299 "Details":
300
301 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSZW.exe"
302
303
304 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSLW.exe"
305
306
307 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSKW.exe"
308
309
310 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSJW.exe"
311
312
313 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSHW.exe"
314
315
316 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSGW.exe"
317
318
319 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSFW.exe"
320
321
322 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSDW.exe"
323
324
325 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSCW.exe"
326
327
328 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSBW.exe"
329
330
331 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSAW.exe"
332
333
334 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\AutoRunApp.vbs"
335
336
337 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs"
338
339
340 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\config.json"
341
342
343 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt"
344
345
346 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\NVDIA_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt"
347
348
349 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\AMD_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt"
350
351
352 "DeletedFile": "C:\\ProgramData\\taskmgzr.exe"
353
354
355 "DeletedFile": "C:\\RECYCLER\\taskmgzr.exe"
356
357
358 "DeletedFile": "C:\\ProgramData\\winsql.dat"
359
360
361 "DeletedFile": "C:\\RECYCLER\\winsql.dat"
362
363
364 "DeletedFile": "C:\\ProgramData\\winsql.dat"
365
366
367 "DeletedFile": "C:\\RECYCLER\\winsql.dat"
368
369
370 "DeletedFile": "C:\\ProgramData\\TQQ.exe"
371
372
373 "DeletedFile": "C:\\RECYCLER\\TQQ.exe"
374
375
376 "DeletedFile": "C:\\ProgramData\\down.exe"
377
378
379 "DeletedFile": "C:\\RECYCLER\\down.exe"
380
381
382 "DeletedFile": "C:\\ProgramData\\MpMgSvc.dll"
383
384
385 "DeletedFile": "C:\\RECYCLER\\MpMgSvc.dll"
386
387
388 "DeletedFile": "C:\\ProgramData\\MS17.exe"
389
390
391 "DeletedFile": "C:\\RECYCLER\\MS17.exe"
392
393
394 "DeletedFile": "C:\\ProgramData\\MSSQLL.exe"
395
396
397 "DeletedFile": "C:\\RECYCLER\\MSSQLL.exe"
398
399
400 "DeletedFile": "C:\\ProgramData\\TrustedInsteller.exe"
401
402
403 "DeletedFile": "C:\\RECYCLER\\TrustedInsteller.exe"
404
405
406 "DeletedFile": "C:\\ProgramData\\TQ.exe"
407
408
409 "DeletedFile": "C:\\RECYCLER\\TQ.exe"
410
411
412 "DeletedFile": "C:\\ProgramData\\ab2.exe"
413
414
415 "DeletedFile": "C:\\RECYCLER\\ab2.exe"
416
417
418 "DeletedFile": "C:\\ProgramData\\ab1.exe"
419
420
421 "DeletedFile": "C:\\RECYCLER\\ab1.exe"
422
423
424 "DeletedFile": "C:\\ProgramData\\winxmr.exe"
425
426
427 "DeletedFile": "C:\\RECYCLER\\winxmr.exe"
428
429
430 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
431
432
433 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
434
435
436
437
438
439
440
441
442 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempsysermad.exe"
443
444
445 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempXMRig.exe"
446
447
448 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempXMR.exe"
449
450
451 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temptaobao.exe"
452
453
454 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempchrom.exe"
455
456
457 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempchromes.exe"
458
459
460 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempMiner.exe"
461
462
463 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempm6.exe"
464
465
466 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempm7.exe"
467
468
469 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempmyssssql.exe"
470
471
472 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temptaskmgr.exe"
473
474
475 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempcpu.exe"
476
477
478 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempx6.exe"
479
480
481 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin64.exe"
482
483
484 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin32.exe"
485
486
487 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin64.exe"
488
489
490 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempwin32.exe"
491
492
493 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempvip.exe"
494
495
496 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Tempvpn.exe"
497
498
499 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp370.exe"
500
501
502 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\TempaIg.exe"
503
504
505 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTC.exe"
506
507
508 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log1.txt"
509
510
511 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log.txt"
512
513
514 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTN.exe"
515
516
517 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\N_log1.txt"
518
519
520 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\N_log.txt"
521
522
523 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTA.exe"
524
525
526 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\A_log1.txt"
527
528
529 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\A_log.txt"
530
531
532 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs"
533
534
535 "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
536
537
538
539
540 "Description": "Guard pages use detected - possible anti-debugging.",
541 "Details":
542
543
544 "Description": "Detected script timer window indicative of sleep style evasion",
545 "Details":
546
547 "Window": "WSH-Timer"
548
549
550
551
552 "Description": "Performs HTTP requests potentially not found in PCAP.",
553 "Details":
554
555 "url_ioc": "c.xzzzx.ga:80//o/cpu64.exe"
556
557
558
559
560 "Description": "Expresses interest in specific running processes",
561 "Details":
562
563 "process": "cmd.exe"
564
565
566
567
568 "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
569 "Details":
570
571
572 "Description": "Reads data out of its own binary image",
573 "Details":
574
575 "self_read": "process: wscript.exe, pid: 3480, offset: 0x00000000, length: 0x00000040"
576
577
578 "self_read": "process: wscript.exe, pid: 3480, offset: 0x000000f0, length: 0x00000018"
579
580
581 "self_read": "process: wscript.exe, pid: 3480, offset: 0x000001e8, length: 0x00000078"
582
583
584 "self_read": "process: wscript.exe, pid: 3480, offset: 0x00018000, length: 0x00000020"
585
586
587 "self_read": "process: wscript.exe, pid: 3480, offset: 0x00018058, length: 0x00000018"
588
589
590 "self_read": "process: wscript.exe, pid: 3480, offset: 0x000181a8, length: 0x00000018"
591
592
593 "self_read": "process: wscript.exe, pid: 3480, offset: 0x00018470, length: 0x00000010"
594
595
596 "self_read": "process: wscript.exe, pid: 3480, offset: 0x00018640, length: 0x00000012"
597
598
599
600
601 "Description": "A process created a hidden window",
602 "Details":
603
604 "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
605
606
607
608
609 "Description": "Unconventionial language used in binary resources: Chinese (Simplified)",
610 "Details":
611
612
613 "Description": "The binary likely contains encrypted or compressed data.",
614 "Details":
615
616 "section": "name: .MPRESS1, entropy: 8.00, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00056000, virtual_size: 0x0012f000"
617
618
619
620
621 "Description": "A scripting utility was executed",
622 "Details":
623
624 "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs\""
625
626
627
628
629 "Description": "Uses Windows utilities for basic functionality",
630 "Details":
631
632 "command": "cmd /c taskkill /f /im SQLAGENTSZW.exe"
633
634
635 "command": "cmd /c taskkill /f /im SQLAGENTSLW.exe"
636
637
638 "command": "cmd /c taskkill /f /im SQLAGENTSKW.exe"
639
640
641 "command": "cmd /c taskkill /f /im SQLAGENTSJW.exe"
642
643
644 "command": "cmd /c taskkill /f /im SQLAGENTSHW.exe"
645
646
647 "command": "cmd /c taskkill /f /im SQLAGENTSGW.exe"
648
649
650 "command": "cmd /c taskkill /f /im SQLAGENTSFW.exe"
651
652
653 "command": "cmd /c taskkill /f /im SQLAGENTSEW.exe"
654
655
656 "command": "cmd /c taskkill /f /im SQLAGENTSDW.exe"
657
658
659 "command": "cmd /c taskkill /f /im SQLAGENTSCW.exe"
660
661
662 "command": "cmd /c taskkill /f /im SQLAGENTSBW.exe"
663
664
665 "command": "cmd /c taskkill /f /im SQLAGENTSAW.exe"
666
667
668 "command": "cmd /c taskkill /f /im taskmgzr.exe"
669
670
671 "command": "cmd /c del /f /a /q C:\\ProgramData\\taskmgzr.exe"
672
673
674 "command": "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe"
675
676
677 "command": "cmd /c taskkill /f /im ftp.exe"
678
679
680 "command": "cmd /c taskkill /f /im p.exe"
681
682
683 "command": "cmd /c del /f /a /q C:\\ProgramData\\winsql.dat"
684
685
686 "command": "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat"
687
688
689 "command": "cmd /c taskkill /f /im TQQ.exe"
690
691
692 "command": "cmd /c del /f /a /q C:\\ProgramData\\TQQ.exe"
693
694
695 "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe"
696
697
698 "command": "cmd /c taskkill /f /im down.exe"
699
700
701 "command": "cmd /c del /f /a /q C:\\ProgramData\\down.exe"
702
703
704 "command": "cmd /c del /f /a /q C:\\RECYCLER\\down.exe"
705
706
707 "command": "cmd /c taskkill /f /im MpMgSvc.dll"
708
709
710 "command": "cmd /c del /f /a /q C:\\ProgramData\\MpMgSvc.dll"
711
712
713 "command": "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll"
714
715
716 "command": "cmd /c taskkill /f /im MS17.exe"
717
718
719 "command": "cmd /c del /f /a /q C:\\ProgramData\\MS17.exe"
720
721
722 "command": "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe"
723
724
725 "command": "cmd /c taskkill /f /im MSSQLL.exe"
726
727
728 "command": "cmd /c del /f /a /q C:\\ProgramData\\MSSQLL.exe"
729
730
731 "command": "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe"
732
733
734 "command": "cmd /c taskkill /f /im TrustedInsteller.exe"
735
736
737 "command": "cmd /c del /f /a /q C:\\ProgramData\\TrustedInsteller.exe"
738
739
740 "command": "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe"
741
742
743 "command": "cmd /c taskkill /f /im TQ.exe"
744
745
746 "command": "cmd /c del /f /a /q C:\\ProgramData\\TQ.exe"
747
748
749 "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe"
750
751
752 "command": "cmd /c taskkill /f /im ab2.exe"
753
754
755 "command": "cmd /c del /f /a /q C:\\ProgramData\\ab2.exe"
756
757
758 "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe"
759
760
761 "command": "cmd /c taskkill /f /im ab1.exe"
762
763
764 "command": "cmd /c del /f /a /q C:\\ProgramData\\ab1.exe"
765
766
767 "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe"
768
769
770 "command": "cmd /c taskkill /f /im winxmr.exe"
771
772
773 "command": "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe"
774
775
776 "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
777
778
779 "command": "cmd /c taskkill /f /im Rnaphin.exe"
780
781
782 "command": "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
783
784
785
786
787
788
789
790
791 "command": "cmd /c taskkill /f /im taskmgr.exe"
792
793
794 "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
795
796
797
798
799 "Description": "A process attempted to delay the analysis task by a long amount of time.",
800 "Details":
801
802 "Process": "taskkill.exe tried to sleep 3092 seconds, actually delayed analysis time by 0 seconds"
803
804
805 "Process": "wscript.exe tried to sleep 1023 seconds, actually delayed analysis time by 0 seconds"
806
807
808 "Process": "svchost.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
809
810
811 "Process": "taskeng.exe tried to sleep 607 seconds, actually delayed analysis time by 0 seconds"
812
813
814 "Process": "cmd.exe tried to sleep 477 seconds, actually delayed analysis time by 0 seconds"
815
816
817
818
819 "Description": "Installs itself for autorun at Windows startup",
820 "Details":
821
822 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\ADSL Dial"
823
824
825 "data": "C:\\Users\\user\\AppData\\Local\\Temp\\\\FSGZ4pL54OjE.exe"
826
827
828
829
830 "Description": "Stack pivoting was detected when using a critical API",
831 "Details":
832
833 "process": "taskeng.exe:2116"
834
835
836 "process": "taskeng.exe:1136"
837
838
839
840
841 "Description": "Creates a hidden or system file",
842 "Details":
843
844 "file": "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs"
845
846
847
848
849 "Description": "File has been identified by 39 Antiviruses on VirusTotal as malicious",
850 "Details":
851
852 "MicroWorld-eScan": "GenPack:Generic.Mulinex.1CFF8DFC"
853
854
855 "FireEye": "Generic.mg.c5704031e9a35c4d"
856
857
858 "CAT-QuickHeal": "Trojan.Generic.8500"
859
860
861 "Cylance": "Unsafe"
862
863
864 "K7AntiVirus": "Riskware ( 005514d01 )"
865
866
867 "K7GW": "Riskware ( 005514d01 )"
868
869
870 "Cybereason": "malicious.1e9a35"
871
872
873 "Arcabit": "GenPack:Generic.Mulinex.1CFF8DFC"
874
875
876 "Invincea": "heuristic"
877
878
879 "Symantec": "Miner.XMRig"
880
881
882 "APEX": "Malicious"
883
884
885 "Kaspersky": "HEUR:Trojan.Win32.Generic"
886
887
888 "BitDefender": "GenPack:Generic.Mulinex.1CFF8DFC"
889
890
891 "Endgame": "malicious (high confidence)"
892
893
894 "Emsisoft": "GenPack:Generic.Mulinex.1CFF8DFC (B)"
895
896
897 "F-Secure": "Heuristic.HEUR/AGEN.1039736"
898
899
900 "DrWeb": "Trojan.MulDrop11.15304"
901
902
903 "TrendMicro": "Coinminer.Win32.MALXMR.SMBM5"
904
905
906 "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.fc"
907
908
909 "CMC": "Virus.Win32.Sality!O"
910
911
912 "Ikarus": "Trojan.Win32.Cossta"
913
914
915 "Webroot": "W32.Malware.Gen"
916
917
918 "Avira": "HEUR/AGEN.1039736"
919
920
921 "Microsoft": "Trojan:Win32/Wacatac.B!ml"
922
923
924 "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
925
926
927 "GData": "GenPack:Generic.Mulinex.1CFF8DFC"
928
929
930 "Acronis": "suspicious"
931
932
933 "VBA32": "BScope.Trojan.CMY3U"
934
935
936 "ALYac": "GenPack:Generic.Mulinex.1CFF8DFC"
937
938
939 "MAX": "malware (ai score=87)"
940
941
942 "Ad-Aware": "GenPack:Generic.Mulinex.1CFF8DFC"
943
944
945 "ESET-NOD32": "a variant of Win32/CoinMiner.BUF"
946
947
948 "TrendMicro-HouseCall": "Coinminer.Win32.MALXMR.SMBM5"
949
950
951 "Rising": "Trojan.Generic!8.C3 (TFE:5:qK5o4OzNnBU)"
952
953
954 "SentinelOne": "DFI - Malicious PE"
955
956
957 "Fortinet": "W32/CoinMiner.BUF!tr"
958
959
960 "AVG": "Other:Malware-gen Trj"
961
962
963 "Avast": "Other:Malware-gen Trj"
964
965
966 "CrowdStrike": "win/malicious_confidence_90% (W)"
967
968
969
970
971 "Description": "Creates a copy of itself",
972 "Details":
973
974 "copy": "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSWW.exe"
975
976
977
978
979 "Description": "A cryptomining command was executed",
980 "Details":
981
982 "command": "cmd /c taskkill /f /im winxmr.exe"
983
984
985 "command": "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe"
986
987
988 "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
989
990
991 "command": "taskkill /f /im winxmr.exe"
992
993
994
995
996 "Description": "Empties the Recycle Bin, indicative of ransomware",
997 "Details":
998
999
1000 "Description": "Uses suspicious command line tools or Windows utilities",
1001 "Details":
1002
1003 "command": "cmd /c taskkill /f /im SQLAGENTSZW.exe"
1004
1005
1006 "command": "cmd /c taskkill /f /im SQLAGENTSLW.exe"
1007
1008
1009 "command": "cmd /c taskkill /f /im SQLAGENTSKW.exe"
1010
1011
1012 "command": "cmd /c taskkill /f /im SQLAGENTSJW.exe"
1013
1014
1015 "command": "cmd /c taskkill /f /im SQLAGENTSHW.exe"
1016
1017
1018 "command": "cmd /c taskkill /f /im SQLAGENTSGW.exe"
1019
1020
1021 "command": "cmd /c taskkill /f /im SQLAGENTSFW.exe"
1022
1023
1024 "command": "cmd /c taskkill /f /im SQLAGENTSEW.exe"
1025
1026
1027 "command": "cmd /c taskkill /f /im SQLAGENTSDW.exe"
1028
1029
1030 "command": "cmd /c taskkill /f /im SQLAGENTSCW.exe"
1031
1032
1033 "command": "cmd /c taskkill /f /im SQLAGENTSBW.exe"
1034
1035
1036 "command": "cmd /c taskkill /f /im SQLAGENTSAW.exe"
1037
1038
1039 "command": "cmd /c taskkill /f /im taskmgzr.exe"
1040
1041
1042 "command": "cmd /c del /f /a /q C:\\ProgramData\\taskmgzr.exe"
1043
1044
1045 "command": "cmd /c del /f /a /q C:\\RECYCLER\\taskmgzr.exe"
1046
1047
1048 "command": "cmd /c taskkill /f /im ftp.exe"
1049
1050
1051 "command": "cmd /c taskkill /f /im p.exe"
1052
1053
1054 "command": "cmd /c del /f /a /q C:\\ProgramData\\winsql.dat"
1055
1056
1057 "command": "cmd /c del /f /a /q C:\\RECYCLER\\winsql.dat"
1058
1059
1060 "command": "cmd /c taskkill /f /im TQQ.exe"
1061
1062
1063 "command": "cmd /c del /f /a /q C:\\ProgramData\\TQQ.exe"
1064
1065
1066 "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQQ.exe"
1067
1068
1069 "command": "cmd /c taskkill /f /im down.exe"
1070
1071
1072 "command": "cmd /c del /f /a /q C:\\ProgramData\\down.exe"
1073
1074
1075 "command": "cmd /c del /f /a /q C:\\RECYCLER\\down.exe"
1076
1077
1078 "command": "cmd /c taskkill /f /im MpMgSvc.dll"
1079
1080
1081 "command": "cmd /c del /f /a /q C:\\ProgramData\\MpMgSvc.dll"
1082
1083
1084 "command": "cmd /c del /f /a /q C:\\RECYCLER\\MpMgSvc.dll"
1085
1086
1087 "command": "cmd /c taskkill /f /im MS17.exe"
1088
1089
1090 "command": "cmd /c del /f /a /q C:\\ProgramData\\MS17.exe"
1091
1092
1093 "command": "cmd /c del /f /a /q C:\\RECYCLER\\MS17.exe"
1094
1095
1096 "command": "cmd /c taskkill /f /im MSSQLL.exe"
1097
1098
1099 "command": "cmd /c del /f /a /q C:\\ProgramData\\MSSQLL.exe"
1100
1101
1102 "command": "cmd /c del /f /a /q C:\\RECYCLER\\MSSQLL.exe"
1103
1104
1105 "command": "cmd /c taskkill /f /im TrustedInsteller.exe"
1106
1107
1108 "command": "cmd /c del /f /a /q C:\\ProgramData\\TrustedInsteller.exe"
1109
1110
1111 "command": "cmd /c del /f /a /q C:\\RECYCLER\\TrustedInsteller.exe"
1112
1113
1114 "command": "cmd /c taskkill /f /im TQ.exe"
1115
1116
1117 "command": "cmd /c del /f /a /q C:\\ProgramData\\TQ.exe"
1118
1119
1120 "command": "cmd /c del /f /a /q C:\\RECYCLER\\TQ.exe"
1121
1122
1123 "command": "cmd /c taskkill /f /im ab2.exe"
1124
1125
1126 "command": "cmd /c del /f /a /q C:\\ProgramData\\ab2.exe"
1127
1128
1129 "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab2.exe"
1130
1131
1132 "command": "cmd /c taskkill /f /im ab1.exe"
1133
1134
1135 "command": "cmd /c del /f /a /q C:\\ProgramData\\ab1.exe"
1136
1137
1138 "command": "cmd /c del /f /a /q C:\\RECYCLER\\ab1.exe"
1139
1140
1141 "command": "cmd /c taskkill /f /im winxmr.exe"
1142
1143
1144 "command": "cmd /c del /f /a /q C:\\ProgramData\\winxmr.exe"
1145
1146
1147 "command": "cmd /c del /f /a /q C:\\RECYCLER\\winxmr.exe"
1148
1149
1150 "command": "cmd /c taskkill /f /im Rnaphin.exe"
1151
1152
1153 "command": "cmd /c del /f /a /q %ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe"
1154
1155
1156
1157
1158
1159
1160
1161
1162 "command": "cmd /c taskkill /f /im taskmgr.exe"
1163
1164
1165 "command": "taskkill /f /im SQLAGENTSZW.exe"
1166
1167
1168 "command": "taskkill /f /im SQLAGENTSLW.exe"
1169
1170
1171 "command": "taskkill /f /im SQLAGENTSKW.exe"
1172
1173
1174 "command": "taskkill /f /im SQLAGENTSJW.exe"
1175
1176
1177 "command": "taskkill /f /im SQLAGENTSHW.exe"
1178
1179
1180 "command": "taskkill /f /im SQLAGENTSGW.exe"
1181
1182
1183 "command": "taskkill /f /im SQLAGENTSFW.exe"
1184
1185
1186 "command": "taskkill /f /im SQLAGENTSEW.exe"
1187
1188
1189 "command": "taskkill /f /im SQLAGENTSDW.exe"
1190
1191
1192 "command": "taskkill /f /im SQLAGENTSCW.exe"
1193
1194
1195 "command": "taskkill /f /im SQLAGENTSBW.exe"
1196
1197
1198 "command": "taskkill /f /im SQLAGENTSAW.exe"
1199
1200
1201 "command": "taskkill /f /im taskmgzr.exe"
1202
1203
1204 "command": "taskkill /f /im ftp.exe"
1205
1206
1207 "command": "taskkill /f /im p.exe"
1208
1209
1210 "command": "taskkill /f /im TQQ.exe"
1211
1212
1213 "command": "taskkill /f /im down.exe"
1214
1215
1216 "command": "taskkill /f /im MpMgSvc.dll"
1217
1218
1219 "command": "taskkill /f /im MS17.exe"
1220
1221
1222 "command": "taskkill /f /im MSSQLL.exe"
1223
1224
1225 "command": "taskkill /f /im TrustedInsteller.exe"
1226
1227
1228 "command": "taskkill /f /im TQ.exe"
1229
1230
1231 "command": "taskkill /f /im ab2.exe"
1232
1233
1234 "command": "taskkill /f /im ab1.exe"
1235
1236
1237 "command": "taskkill /f /im winxmr.exe"
1238
1239
1240 "command": "taskkill /f /im Rnaphin.exe"
1241
1242
1243
1244
1245 "command": "taskkill /f /im taskmgr.exe"
1246
1247
1248
1249
1250
1251* Started Service:
1252
1253* Mutexes:
1254 "Local\\ZoneAttributeCacheCounterMutex",
1255 "Local\\ZonesCacheCounterMutex",
1256 "Local\\ZonesLockedCacheCounterMutex",
1257 "Global\\ADAP_WMI_ENTRY",
1258 "Global\\RefreshRA_Mutex",
1259 "Global\\RefreshRA_Mutex_Lib",
1260 "Global\\RefreshRA_Mutex_Flag"
1261
1262
1263* Modified Files: (reviewer note: VBS.vbs is written, executed via WScript.exe and then deleted, and AutoRunApp.vbs is likewise deleted — see Deleted Files — so recover the script contents from the sandbox's dropped-files capture; on a victim host look for them in prefetch/AmCache and WSH script-block artefacts rather than on disk.)
1264 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSWW.exe",
1265 "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs",
1266 "\\Device\\LanmanDatagramReceiver",
1267 "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
1268 "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
1269 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
1270
1271
1272* Deleted Files:
1273 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSZW.exe",
1274 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSLW.exe",
1275 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSKW.exe",
1276 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSJW.exe",
1277 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSHW.exe",
1278 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSGW.exe",
1279 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSFW.exe",
1280 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSDW.exe",
1281 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSCW.exe",
1282 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSBW.exe",
1283 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTSAW.exe",
1284 "C:\\Users\\user\\AppData\\Local\\Temp\\AutoRunApp.vbs",
1285 "C:\\Users\\user\\AppData\\Local\\Temp\\VBS.vbs",
1286 "C:\\Users\\user\\AppData\\Local\\Temp\\config.json",
1287 "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt",
1288 "C:\\Users\\user\\AppData\\Local\\Temp\\NVDIA_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt",
1289 "C:\\Users\\user\\AppData\\Local\\Temp\\AMD_\\xef\\xbe\\xb2\\xef\\xbf\\x8e\\xef\\xbf\\x8a\\xef\\xbf\\xbd.txt",
1290 "C:\\ProgramData\\taskmgzr.exe",
1291 "C:\\RECYCLER\\taskmgzr.exe",
1292 "C:\\ProgramData\\winsql.dat",
1293 "C:\\RECYCLER\\winsql.dat",
1294 "C:\\ProgramData\\TQQ.exe",
1295 "C:\\RECYCLER\\TQQ.exe",
1296 "C:\\ProgramData\\down.exe",
1297 "C:\\RECYCLER\\down.exe",
1298 "C:\\ProgramData\\MpMgSvc.dll",
1299 "C:\\RECYCLER\\MpMgSvc.dll",
1300 "C:\\ProgramData\\MS17.exe",
1301 "C:\\RECYCLER\\MS17.exe",
1302 "C:\\ProgramData\\MSSQLL.exe",
1303 "C:\\RECYCLER\\MSSQLL.exe",
1304 "C:\\ProgramData\\TrustedInsteller.exe",
1305 "C:\\RECYCLER\\TrustedInsteller.exe",
1306 "C:\\ProgramData\\TQ.exe",
1307 "C:\\RECYCLER\\TQ.exe",
1308 "C:\\ProgramData\\ab2.exe",
1309 "C:\\RECYCLER\\ab2.exe",
1310 "C:\\ProgramData\\ab1.exe",
1311 "C:\\RECYCLER\\ab1.exe",
1312 "C:\\ProgramData\\winxmr.exe",
1313 "C:\\RECYCLER\\winxmr.exe",
1314 "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramFiles%\\Microsoft Rntel 2.14.2\\Rnaphin.exe",
1315 "C:\\Users\\user\\AppData\\Local\\Tempsysermad.exe",
1316 "C:\\Users\\user\\AppData\\Local\\TempXMRig.exe",
1317 "C:\\Users\\user\\AppData\\Local\\TempXMR.exe",
1318 "C:\\Users\\user\\AppData\\Local\\Temptaobao.exe",
1319 "C:\\Users\\user\\AppData\\Local\\Tempchrom.exe",
1320 "C:\\Users\\user\\AppData\\Local\\Tempchromes.exe",
1321 "C:\\Users\\user\\AppData\\Local\\TempMiner.exe",
1322 "C:\\Users\\user\\AppData\\Local\\Tempm6.exe",
1323 "C:\\Users\\user\\AppData\\Local\\Tempm7.exe",
1324 "C:\\Users\\user\\AppData\\Local\\Tempmyssssql.exe",
1325 "C:\\Users\\user\\AppData\\Local\\Temptaskmgr.exe",
1326 "C:\\Users\\user\\AppData\\Local\\Tempcpu.exe",
1327 "C:\\Users\\user\\AppData\\Local\\Tempx6.exe",
1328 "C:\\Users\\user\\AppData\\Local\\Tempwin64.exe",
1329 "C:\\Users\\user\\AppData\\Local\\Tempwin32.exe",
1330 "C:\\Users\\user\\AppData\\Local\\Tempvip.exe",
1331 "C:\\Users\\user\\AppData\\Local\\Tempvpn.exe",
1332 "C:\\Users\\user\\AppData\\Local\\Temp370.exe",
1333 "C:\\Users\\user\\AppData\\Local\\TempaIg.exe",
1334 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTC.exe",
1335 "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log1.txt",
1336 "C:\\Users\\user\\AppData\\Local\\Temp\\CPU_log.txt",
1337 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTN.exe",
1338 "C:\\Users\\user\\AppData\\Local\\Temp\\N_log1.txt",
1339 "C:\\Users\\user\\AppData\\Local\\Temp\\N_log.txt",
1340 "C:\\Users\\user\\AppData\\Local\\Temp\\SQLAGENTA.exe",
1341 "C:\\Users\\user\\AppData\\Local\\Temp\\A_log1.txt",
1342 "C:\\Users\\user\\AppData\\Local\\Temp\\A_log.txt",
1343 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
1344
1345
1346* Modified Registry Keys:
1347 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
1348 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\ADSL Dial",
1349 "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
1350 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
1351 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
1352 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
1353 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D7699475-CE31-4D80-AD86-DE0D8AF29461",
1354 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
1355 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\FE26A9AD-C545-4C5E-96FE-10BA0DA9C341",
1356 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
1357 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\78372A5B-9B29-46C3-AFAD-3EC327466E61",
1358 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\70FC8EB8-F2CA-40B7-BD0E-077E242CCE18",
1359 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\30D14CB4-6866-4BFC-A353-04D82CA6A1D9",
1360 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D7699475-CE31-4D80-AD86-DE0D8AF29461\\data",
1361 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\FE26A9AD-C545-4C5E-96FE-10BA0DA9C341\\data",
1362 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\78372A5B-9B29-46C3-AFAD-3EC327466E61\\data",
1363 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\70FC8EB8-F2CA-40B7-BD0E-077E242CCE18\\data"
1364
1365
1366* Deleted Registry Keys:
1367 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
1368 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
1369 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
1370 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
1371
1372
1373* DNS Communications:
1374
1375 "type": "A",
1376 "request": "x.nxxxn.ga",
1377 "answers":
1378
1379
1380 "type": "A",
1381 "request": "c.xzzzx.ga",
1382 "answers":
1383
1384
1385
1386* Domains:
1387
1388 "ip": "185.172.66.203",
1389 "domain": "x.nxxxn.ga"
1390
1391
1392 "ip": "156.238.3.105",
1393 "domain": "c.xzzzx.ga"
1394
1395
1396
1397* Network Communication - ICMP:
1398
1399* Network Communication - HTTP:
1400
1401* Network Communication - SMTP:
1402
1403* Network Communication - Hosts:
1404
1405 "country_name": "Germany",
1406 "ip": "185.172.66.203",
1407 "inaddrarpa": "",
1408 "hostname": ""
1409
1410
1411
1412* Network Communication - IRC: