Untitled
a guest
Mar 1st, 2015

Processes Created:
==================
[CreateProcess] Explorer.EXE:1432 > "%UserProfile%\Desktop\hehda.exe" [Child PID: 2520]
[CreateProcess] hehda.exe:2520 > "%WinDir%\system32\cmd.exe" [Child PID: 3444]

File Activity:
==================
[New Folder] hehda.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357
[New Folder] hehda.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\L
[New Folder] hehda.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\U
[CreateFile] hehda.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\@ [MD5: 814c3536c2aab13763ac0beb7847a71f]
[CreateFile] hehda.exe:2520 > C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\n [MD5: cfaddbb43ba973f8d15d7d2e50c63476]
[New Folder] hehda.exe:2520 > C:\RECYCLER\S-1-5-18
[New Folder] hehda.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357
[New Folder] hehda.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\L
[New Folder] hehda.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\U
[CreateFile] hehda.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\@ [MD5: d1993f38046a68cc78a20560e8de9ad8]
[CreateFile] hehda.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\n [MD5: cfaddbb43ba973f8d15d7d2e50c63476]
[CreateFile] services.exe:680 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\@ [MD5: d1993f38046a68cc78a20560e8de9ad8]
[New Folder] services.exe:680 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\U
[CreateFile] hehda.exe:2520 > %UserProfile%\Desktop\hehda.exe [File no longer exists]
[DeleteFile] cmd.exe:3444 > %UserProfile%\Desktop\hehda.exe

Registry Activity:
==================
[CreateKey] hehda.exe:2520 > HKLM\SOFTWARE\Microsoft\Cryptography\RNG
[CreateKey] hehda.exe:2520 > HKCU\Software\Classes\clsid
[CreateKey] hehda.exe:2520 > HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}
[CreateKey] hehda.exe:2520 > HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32
[SetValue] hehda.exe:2520 > HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = Both
[SetValue] hehda.exe:2520 > HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\(Default) = C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\n.
[SetValue] svchost.exe:1032 > HKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\Epoch = 404
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\Type = 32
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\Start = 4
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\ErrorControl = 0
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\DeleteFlag = 1
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\Start = 4
[CreateKey] services.exe:680 > HKLM\System\CurrentControlSet\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000
[CreateKey] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\Enum
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\Enum\Count = 0
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\Enum\NextInstance = 0
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\wscsvc\Type = 32
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\wscsvc\Start = 4
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\wscsvc\ErrorControl = 0
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\wscsvc\DeleteFlag = 1
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\wscsvc\Start = 4

Network Traffic:
==================
[UDP] hehda.exe:2520 > google-public-dns-a.google.com:53
[UDP] google-public-dns-a.google.com:53 > hehda.exe:2520
[HTTP] hehda.exe:2520 > 50.22.196.70-static.reverse.softlayer.com:80
[TCP] 50.22.196.70-static.reverse.softlayer.com:80 > hehda.exe:2520
[UDP] hehda.exe:2520 > 83.133.123.20:53
[UDP] svchost.exe:1032 > 239.255.255.250:1900
[UDP] services.exe:680 > 206.254.253.254:16471
[UDP] services.exe:680 > 190.254.253.254:16471
[UDP] services.exe:680 > 182.254.253.254:16471
[UDP] services.exe:680 > 180.254.253.254:16471
[UDP] services.exe:680 > 135.254.253.254:16471
[UDP] services.exe:680 > 134.254.253.254:16471
[UDP] services.exe:680 > 117.254.253.254:16471
[UDP] services.exe:680 > 115.254.253.254:16471
[UDP] services.exe:680 > 92.254.253.254:16471
[UDP] services.exe:680 > 88.254.253.254.dynamic.ttnet.com.tr:16471
[UDP] services.exe:680 > 254.253.254.87.dynamic.monaco.mc:16471

Unique Hosts:
==================
115.254.253.254
117.254.253.254
134.254.253.254
135.254.253.254
180.254.253.254
182.254.253.254
190.254.253.254
206.254.253.254
239.255.255.250
254.253.254.87.dynamic.monaco.mc
255.255.255.255
50.22.196.70-static.reverse.softlayer.com
83.133.123.20
88.254.253.254.dynamic.ttnet.com.tr
92.254.253.254
google-public-dns-a.google.com
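The report above is raw sandbox output; the behaviours worth flagging in it are the per-user CLSID InprocServer32 registration pointing into C:\RECYCLER (a COM hijack), the SharedAccess and wscsvc services being set to Start=4 / DeleteFlag=1, the dropper having cmd.exe delete its own image, files written under the LocalSystem SID's RECYCLER slot, and services.exe sending UDP to many hosts on port 16471. The following script is an added example, not part of the original paste or of any sandbox tool: it parses lines in the report's own "[Op] proc:pid > target" shape, applies those five checks, and extracts the hashes, hosts and CLSIDs as IOCs. The embedded REPORT is an excerpt of the lines above, included so the script runs offline; the thresholds and rule names are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed input: an excerpt of the sandbox report above, embedded so the
# script runs offline. Lines keep the report's "[Op] proc:pid > target" shape.
REPORT = r"""
[CreateProcess] Explorer.EXE:1432 > "%UserProfile%\Desktop\hehda.exe" [Child PID: 2520]
[CreateProcess] hehda.exe:2520 > "%WinDir%\system32\cmd.exe" [Child PID: 3444]
[New Folder] hehda.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357
[CreateFile] hehda.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\@ [MD5: d1993f38046a68cc78a20560e8de9ad8]
[CreateFile] hehda.exe:2520 > C:\RECYCLER\S-1-5-18\$fab110457830839344b58457ddd1f357\n [MD5: cfaddbb43ba973f8d15d7d2e50c63476]
[CreateFile] hehda.exe:2520 > %UserProfile%\Desktop\hehda.exe [File no longer exists]
[DeleteFile] cmd.exe:3444 > %UserProfile%\Desktop\hehda.exe
[SetValue] hehda.exe:2520 > HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\(Default) = C:\RECYCLER\S-1-5-21-861567501-412668190-725345543-500\$fab110457830839344b58457ddd1f357\n.
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\Start = 4
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\SharedAccess\DeleteFlag = 1
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\wscsvc\Start = 4
[SetValue] services.exe:680 > HKLM\System\CurrentControlSet\Services\wscsvc\DeleteFlag = 1
[UDP] hehda.exe:2520 > google-public-dns-a.google.com:53
[UDP] google-public-dns-a.google.com:53 > hehda.exe:2520
[UDP] svchost.exe:1032 > 239.255.255.250:1900
[UDP] services.exe:680 > 206.254.253.254:16471
[UDP] services.exe:680 > 190.254.253.254:16471
[UDP] services.exe:680 > 182.254.253.254:16471
[UDP] services.exe:680 > 88.254.253.254.dynamic.ttnet.com.tr:16471
"""

LINE_RE = re.compile(r"^\[(?P<op>[^\]]+)\] (?P<src>[^\s:]+):(?P<pid>\d+) > (?P<target>.*)$")
CHILD_RE = re.compile(r'^"?(?P<image>[^"]+?)"? \[Child PID: (?P<child>\d+)\]$')
MD5_RE = re.compile(r"\[MD5: ([0-9a-f]{32})\]")
SERVICE_RE = re.compile(r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\(Start|DeleteFlag)$", re.I)
USER_CLSID_RE = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32\\\(Default\)$", re.I)
SYSTEM_SID_DIR = "C:\\RECYCLER\\S-1-5-18\\"   # LocalSystem's recycle-bin slot


def parse(report):
    """Inbound network lines (host:port > proc:pid) match the same shape, so a
    src that does not end in .exe marks the line as inbound."""
    events = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["pid"] = int(e["pid"])
            e["inbound"] = not e["src"].lower().endswith(".exe")
            events.append(e)
    return events


def reg_key_value(target):
    key, sep, val = target.partition(" = ")
    return key, (val if sep else None)


def com_hijacks(events):
    """HKCU\Software\Classes is consulted before HKLM when a CLSID is resolved,
    so a per-user InprocServer32 loads that DLL into every process using the CLSID."""
    hits = []
    for e in events:
        if e["op"] == "SetValue":
            key, val = reg_key_value(e["target"])
            m = USER_CLSID_RE.match(key)
            if m and val:
                hits.append({"clsid": m.group(1), "dll": val,
                             "in_recycler": val.upper().startswith("C:\\RECYCLER\\"),
                             "trailing_dot": val.endswith(".")})   # compare exactly, do not normalise
    return hits


def disabled_services(events):
    """Start=4 disables a service, DeleteFlag=1 removes it on next boot.
    SharedAccess is Windows Firewall/ICS, wscsvc is Security Center."""
    state = defaultdict(dict)
    for e in events:
        if e["op"] == "SetValue":
            m = SERVICE_RE.match(reg_key_value(e["target"])[0])
            if m:
                state[m.group(1)][m.group(2).lower()] = reg_key_value(e["target"])[1]
    return sorted(n for n, v in state.items() if v.get("start") == "4" or v.get("deleteflag") == "1")


def self_deletions(events):
    """A child process deleting its parent's own image file."""
    image, parent = {}, {}
    for e in events:
        if e["op"] == "CreateProcess":
            m = CHILD_RE.match(e["target"])
            if m:
                image[int(m.group("child"))], parent[int(m.group("child"))] = m.group("image"), e["pid"]
    return [(image[parent[e["pid"]]], e["src"], e["pid"]) for e in events
            if e["op"] == "DeleteFile" and e["pid"] in parent
            and image.get(parent[e["pid"]], "").lower() == e["target"].lower()]


def udp_fanout(events, min_peers=3):
    """One process sending UDP to many hosts on one port: peer-list bootstrap
    behaviour rather than a client talking to a single server."""
    peers = defaultdict(set)
    for e in events:
        host, sep, port = e["target"].rpartition(":")
        if e["op"] == "UDP" and not e["inbound"] and sep and port.isdigit():
            peers[(e["src"], e["pid"], int(port))].add(host)
    return [{"src": s, "pid": p, "port": port, "peers": sorted(v)}
            for (s, p, port), v in sorted(peers.items()) if len(v) >= min_peers]


def system_sid_writes(events):
    return sorted({e["target"].split(" [")[0] for e in events if e["op"] in ("CreateFile", "New Folder")
                   and e["target"].upper().startswith(SYSTEM_SID_DIR.upper())})


def iocs(events):
    return {"md5": sorted({h for e in events for h in MD5_RE.findall(e["target"])}),
            "hosts": sorted({e["target"].rpartition(":")[0] for e in events
                             if e["op"] in ("UDP", "TCP", "HTTP") and not e["inbound"]}),
            "clsids": sorted({h["clsid"] for h in com_hijacks(events)})}


def analyse(report):
    ev = parse(report)
    return {"com_hijacks": com_hijacks(ev), "disabled_services": disabled_services(ev),
            "self_deletions": self_deletions(ev), "udp_fanout": udp_fanout(ev),
            "system_sid_writes": system_sid_writes(ev), "iocs": iocs(ev)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(REPORT), indent=2))
```

Running it on the full report would also pick up the Explorer-side files under the user's own SID and the remaining 16471 peers; the fan-out rule keys on (process, pid, port), so the DNS and SSDP traffic from other processes stays below the threshold. Note the trailing dot on the InprocServer32 value (`...\n.`): the check keeps that string exactly as logged rather than normalising the path, since the dot is itself the indicator.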