
Poking around my machine today, I realised there's an unknown user listed in there: tVA2uiJ14w


First I thought it could be some IT account, but then again the filenames are too funky to be business related.

All of these files seem to be encoded/encrypted in some way:

Extract of diskapricotdeputy.sql:

/******************* ...

I would appreciate it if anyone has some pointers on this, cheers.

  • Each file name is 3 random dictionary words with different separators. Each a different file type. And they are all created in the same minute. You got malware. Disconnect it from the network. – schroeder Feb 26 '21 at 14:16
  • 1
  • Turns out, these files are part of the A/V detection tools. These are canary files owned by the A/V. If these get encrypted by malware, the A/V will then detect that a ransomware attack is underway. – fduff Feb 26 '21 at 15:15
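
An added illustration of the canary mechanism the comments describe; this is not code from the original post or from any A/V product. It assumes a small hypothetical word list, separator set and extension list (a real product's are unknown), plants decoy files with three-dictionary-word names the way schroeder described, records a SHA-256 baseline, and then checks for canaries that have been overwritten in place or renamed, the two things a file-encrypting ransomware does. The `is_canary_name` helper is a hypothetical version of the naming heuristic from the comments, including segmenting separator-less names such as diskapricotdeputy; the `simulate_ransomware` function is a stand-in, not real malware.

```python
"""Minimal ransomware canary-file monitor (added example, hypothetical design)."""
import hashlib
import os
import random
import tempfile
from pathlib import Path

# Constructed word list; a real product would draw from a much larger dictionary.
WORDS = ["disk", "apricot", "deputy", "marble", "falcon",
         "lantern", "pepper", "harbor", "velvet", "cobalt"]
SEPARATORS = ["", "-", "_", "."]          # assumed, matching "different separators"
EXTENSIONS = [".sql", ".docx", ".xlsx", ".pdf", ".jpg", ".txt"]
HEADER = b"/******************* canary file, do not modify *******************/\n"


def canary_name(rng):
    """Three distinct dictionary words, one random separator, one random extension."""
    words = rng.sample(WORDS, 3)
    return rng.choice(SEPARATORS).join(words) + rng.choice(EXTENSIONS)


def split_into_words(stem, count=3):
    """Segment a separator-less stem into exactly `count` dictionary words, else None."""
    if count == 0:
        return [] if stem == "" else None
    for w in WORDS:
        if stem.startswith(w):
            rest = split_into_words(stem[len(w):], count - 1)
            if rest is not None:
                return [w] + rest
    return None


def is_canary_name(filename):
    """Heuristic from the comments: three dictionary words joined by one separator."""
    stem, _ext = os.path.splitext(filename)
    for sep in SEPARATORS:
        parts = stem.split(sep) if sep else split_into_words(stem)
        if parts and len(parts) == 3 and all(p in WORDS for p in parts):
            return True
    return False


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(directory, count=5, seed=None):
    """Write `count` decoy files and return {path: sha256} as the baseline."""
    rng = random.Random(seed)
    baseline = {}
    while len(baseline) < count:
        path = Path(directory) / canary_name(rng)
        # Recognisable header so an analyst can tell a canary from real data.
        path.write_bytes(HEADER + rng.randbytes(512))
        baseline[str(path)] = sha256_of(path)
    return baseline


def check_canaries(baseline):
    """Return {path: 'missing' | 'modified'} for every tampered canary."""
    findings = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"       # renamed or deleted
        elif sha256_of(path) != digest:
            findings[path] = "modified"      # encrypted/overwritten in place
    return findings


def simulate_ransomware(directory, rename_suffix=None):
    """Stand-in for malware: XOR-scramble every file, optionally rename it."""
    for entry in list(Path(directory).iterdir()):
        if entry.is_file():
            entry.write_bytes(bytes(b ^ 0x5A for b in entry.read_bytes()))
            if rename_suffix:
                entry.rename(entry.with_name(entry.name + rename_suffix))


def demo():
    """Plant canaries, then show the check before and after two attack styles."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_canaries(d, count=5, seed=1)
        clean = check_canaries(baseline)                  # expect {}
        simulate_ransomware(d)                            # encrypt in place
        modified = check_canaries(baseline)               # all 'modified'
        simulate_ransomware(d, rename_suffix=".locked")   # encrypt and rename
        missing = check_canaries(baseline)                # all 'missing'
        return clean, modified, missing


if __name__ == "__main__":
    for label, result in zip(("clean", "modified", "missing"), demo()):
        print(label, result)
```

A real product reacts in real time (a file-system filter driver or inotify hook) rather than polling as `check_canaries` does, and it is the write to a canary that matters, not the name pattern; `is_canary_name` only reproduces the observation in the comments so you can recognise such files before deleting them. Deleting or "cleaning up" the canaries would remove the detection, so leave them where the A/V put them.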
