10/30/2022

Escape whisper valley malware

"wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
Found potential IP address in binary/memory
"wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4SY1QIY7\7383b335521.png"
"wscript.exe" touched file "C:\Windows\system32\en-US\"
"wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
"wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat"
"wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\History"
"wscript.exe" touched file "%APPDATA%\Microsoft\Windows\Cookies"
"wscript.exe" touched file "C:\Windows\System32\msxml3.dll"
"wscript.exe" touched file "C:\Windows\System32\msxml3.dll\1"
"wscript.exe" touched file "C:\Windows\system32\scrrun.dll"
"wscript.exe" touched file "C:\Windows\System32\msxml3r.dll"
"wscript.exe" touched file "C:\Windows\system32\wshom.ocx"
"wscript.exe" touched file "C:\Windows\system32\rsaenh.dll"
"wscript.exe" touched file "C:\Windows\Globalization\Sorting\s"
"wscript.exe" touched file "C:\Windows\System32\WScript.exe"
"wscript.exe" touched file "C:\Windows\System32\en-US\"
Tries to access unusual system drive letters
Spawned process "cmd.exe" with commandline "/c DEL "%TEMP%\php4ts.dll""
Spawned process "cmd.exe" with commandline "/c DEL "%TEMP%\a.exe""
Spawned process "cmd.exe" with commandline "/c DEL "%TEMP%\a.php""
Spawned process "notepad.exe" with commandline ""%TEMP%\a.txt""
Spawned process "cmd.exe" with commandline "/c notepad.exe "%TEMP%\a.txt""
Spawned process "a.exe" with commandline ""%TEMP%\a.php""
Spawned process "reg.exe" with commandline "REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"%TEMP%\a.txt\"""
Spawned process "reg.exe" with commandline "REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted""
Spawned process "reg.exe" with commandline "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "%TEMP%\a.txt""
Spawned process "cmd.exe" with commandline "/c %TEMP%\a.exe "%TEMP%\a.php""
Spawned process "cmd.exe" with commandline "/c copy /y "%TEMP%\a.txt" "%USERPROFILE%\Desktop\DECRYPT.txt""
Spawned process "cmd.exe" with commandline "/c copy /y "%APPDATA%\Desktop\DECRYPT.txt""
Spawned process "cmd.exe" with commandline "/c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"%TEMP%\a.txt\"""
Spawned process "cmd.exe" with commandline "/c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted""
Spawned process "cmd.exe" with commandline "/c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "%TEMP%\a.txt""
Spawned process "wscript.exe" with commandline ""C:\Delivery_Notification_""