paladin316

Exes_35d7f82a7ffa92c254171d8691ca9c60_exe_2019-07-15_14_30.txt

Jul 15th, 2019
  1.  
  2. * MalFamily: "Malicious"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_35d7f82a7ffa92c254171d8691ca9c60.exe"
  7. * File Size: 256512
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "4781397885bff04479080503ad5ede6d8463e354c7a8cc04a72a5cee9ad3fb59"
  10. * MD5: "35d7f82a7ffa92c254171d8691ca9c60"
  11. * SHA1: "e62bdc2e3290f660c4b01891dca6bf0584cd6c29"
  12. * SHA512: "30f22ff5eb5d92eec17e7b48a57883ff4a4590122dda62846fc1eeed1228d67c520072eb98986ceaf23255afaf9420082ace546bbaf3aafb8913f395717c69b3"
  13. * CRC32: "4B0C1C8C"
  14. * SSDEEP: "6144:1/FsObxyl2q+qGFcSRlQLyQrByTkbjobQjt5r0A7RVx:1/hMl2FqGIRA4/jt5rTRX"
  15.  
  16. * Process Execution:
  17. "Exes_35d7f82a7ffa92c254171d8691ca9c60.exe",
  18. "Exes_35d7f82a7ffa92c254171d8691ca9c60.exe",
  19. "services.exe",
  20. "lsass.exe",
  21. "lsass.exe",
  22. "lsass.exe",
  23. "taskhost.exe",
  24. "lsass.exe",
  25. "svchost.exe",
  26. "lsass.exe",
  27. "lsass.exe",
  28. "lsass.exe",
  29. "lsass.exe",
  30. "lsass.exe"
  31.  
  32.  
  33. * Executed Commands:
  34. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_35d7f82a7ffa92c254171d8691ca9c60.exe --vwxyz",
  35. "C:\\Windows\\system32\\lsass.exe",
  36. "taskhost.exe $(Arg0)",
  37. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup"
  38.  
  39.  
  40. * Signatures Detected:
  41.  
  42. "Description": "Attempts to connect to a dead IP:Port (3 unique times)",
  43. "Details":
  44.  
  45. "IP": "205.185.216.10:80"
  46.  
  47.  
  48. "IP": "5.45.127.15:443"
  49.  
  50.  
  51. "IP": "192.35.177.64:80"
  52.  
  53.  
  54.  
  55.  
  56. "Description": "Creates RWX memory",
  57. "Details":
  58.  
  59.  
  60. "Description": "Starts servers listening on 127.0.0.1:281, 127.0.0.1:402",
  61. "Details":
  62.  
  63.  
  64. "Description": "Reads data out of its own binary image",
  65. "Details":
  66.  
  67. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00000000, length: 0x00000200"
  68.  
  69.  
  70. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00000000, length: 0x00004800"
  71.  
  72.  
  73. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00000000, length: 0x00006800"
  74.  
  75.  
  76. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00000000, length: 0x0003ea00"
  77.  
  78.  
  79. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00000200, length: 0x00007c00"
  80.  
  81.  
  82. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00004800, length: 0x0000e000"
  83.  
  84.  
  85. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00006800, length: 0x0000d200"
  86.  
  87.  
  88. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00007e00, length: 0x00014200"
  89.  
  90.  
  91. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00012800, length: 0x00003c00"
  92.  
  93.  
  94. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00013a00, length: 0x0000d000"
  95.  
  96.  
  97. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00016400, length: 0x0000f000"
  98.  
  99.  
  100. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x0001c000, length: 0x00007600"
  101.  
  102.  
  103. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00020a00, length: 0x0000e400"
  104.  
  105.  
  106. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00023600, length: 0x0000b200"
  107.  
  108.  
  109. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00025400, length: 0x00017a00"
  110.  
  111.  
  112. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x0002e800, length: 0x00000800"
  113.  
  114.  
  115. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x0002ee00, length: 0x00000c00"
  116.  
  117.  
  118. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x0002f800, length: 0x00000400"
  119.  
  120.  
  121. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x0002fa00, length: 0x00000800"
  122.  
  123.  
  124. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00030000, length: 0x00001000"
  125.  
  126.  
  127. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00030200, length: 0x00001200"
  128.  
  129.  
  130. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00031000, length: 0x00009600"
  131.  
  132.  
  133. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x00031400, length: 0x00008400"
  134.  
  135.  
  136. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x0003a600, length: 0x00000800"
  137.  
  138.  
  139. "self_read": "process: Exes_35d7f82a7ffa92c254171d8691ca9c60.exe, pid: 2308, offset: 0x0003ce00, length: 0x00000400"
  140.  
  141.  
  142.  
  143.  
  144. "Description": "Performs some HTTP requests",
  145. "Details":
  146.  
  147. "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
  148.  
  149.  
  150. "url": "http://apps.identrust.com/roots/dstrootcax3.p7c"
  151.  
  152.  
  153.  
  154.  
  155. "Description": "A process attempted to delay the analysis task for a long time.",
  156. "Details":
  157.  
  158. "Process": "Exes_35d7f82a7ffa92c254171d8691ca9c60.exe tried to sleep 13411 seconds, actually delayed analysis time by 0 seconds"
  159.  
  160.  
  161.  
  162.  
  163. "Description": "Calls a single API many times in order to delay analysis time",
  164. "Details":
  165.  
  166. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11943139 times"
  167.  
  168.  
  169.  
  170.  
  171. "Description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
  172. "Details":
  173.  
  174. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_8"
  175.  
  176.  
  177. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_7"
  178.  
  179.  
  180. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_6"
  181.  
  182.  
  183. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_5"
  184.  
  185.  
  186. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_4"
  187.  
  188.  
  189. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_3"
  190.  
  191.  
  192. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_2"
  193.  
  194.  
  195. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_1"
  196.  
  197.  
  198. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_0"
  199.  
  200.  
  201.  
  202.  
  203. "Description": "Steals private information from local Internet browsers",
  204. "Details":
  205.  
  206. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  207.  
  208.  
  209. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  210.  
  211.  
  212. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  213.  
  214.  
  215. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  216.  
  217.  
  218. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  219.  
  220.  
  221. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  222.  
  223.  
  224. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  225.  
  226.  
  227. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  228.  
  229.  
  230. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  231.  
  232.  
  233. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  234.  
  235.  
  236. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  237.  
  238.  
  239. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  240.  
  241.  
  242. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  243.  
  244.  
  245. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  246.  
  247.  
  248. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  249.  
  250.  
  251. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal"
  252.  
  253.  
  254. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  255.  
  256.  
  257. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  258.  
  259.  
  260. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies Backup"
  261.  
  262.  
  263. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  264.  
  265.  
  266. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  267.  
  268.  
  269. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data Backup"
  270.  
  271.  
  272. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal"
  273.  
  274.  
  275.  
  276.  
  277. "Description": "Behavior consistent with a dropper attempting to download the next stage.",
  278. "Details":
  279.  
  280. "File": "/rpersist4/1259084940 was requested from hosts: madregobilsg.com, kladrykroptur.com, chaabattent.com, kerymarynicegross.com, pillygreamstronh.com"
  281.  
  282.  
  283.  
  284.  
  285. "Description": "File has been identified by 16 antivirus engines on VirusTotal as malicious",
  286. "Details":
  287.  
  288. "FireEye": "Generic.mg.35d7f82a7ffa92c2"
  289.  
  290.  
  291. "Invincea": "heuristic"
  292.  
  293.  
  294. "APEX": "Malicious"
  295.  
  296.  
  297. "Rising": "Trojan.Generic@ML.100 (RDML:lyCRciK+G7e56SkUUqyUdA)"
  298.  
  299.  
  300. "Endgame": "malicious (high confidence)"
  301.  
  302.  
  303. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.dh"
  304.  
  305.  
  306. "SentinelOne": "DFI - Malicious PE"
  307.  
  308.  
  309. "Microsoft": "Trojan:Win32/Fuerboos.A!cl"
  310.  
  311.  
  312. "Acronis": "suspicious"
  313.  
  314.  
  315. "VBA32": "BScope.Trojan.Azden"
  316.  
  317.  
  318. "Cylance": "Unsafe"
  319.  
  320.  
  321. "ESET-NOD32": "a variant of Win32/Kryptik.GPLI"
  322.  
  323.  
  324. "AVG": "FileRepMalware"
  325.  
  326.  
  327. "Cybereason": "malicious.e3290f"
  328.  
  329.  
  330. "CrowdStrike": "win/malicious_confidence_100% (D)"
  331.  
  332.  
  333. "Qihoo-360": "HEUR/QVM09.0.8A63.Malware.Gen"
  334.  
  335.  
  336.  
  337.  
  338. "Description": "Checks the version of Bios, possibly for anti-virtualization",
  339. "Details":
  340.  
  341.  
  342. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  343. "Details":
  344.  
  345.  
  346. "Description": "Checks the presence of disk drives in the registry, possibly for anti-virtualization",
  347. "Details":
  348.  
  349.  
  350. "Description": "Attempts to modify browser security settings",
  351. "Details":
  352.  
  353.  
  354. "Description": "Harvests credentials from local FTP client software",
  355. "Details":
  356.  
  357. "file": "C:\\Program Files (x86)\\CuteFTP\\sm.dat"
  358.  
  359.  
  360. "file": "C:\\Users\\user\\AppData\\Local\\CuteFTP\\sm.dat"
  361.  
  362.  
  363. "file": "C:\\Users\\user\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat"
  364.  
  365.  
  366. "file": "C:\\Users\\user\\AppData\\Roaming\\CuteFTP\\sm.dat"
  367.  
  368.  
  369. "file": "C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat"
  370.  
  371.  
  372. "file": "C:\\ProgramData\\CuteFTP\\sm.dat"
  373.  
  374.  
  375. "file": "C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat"
  376.  
  377.  
  378. "file": "C:\\Users\\user\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat"
  379.  
  380.  
  381. "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\sitemanager.xml"
  382.  
  383.  
  384. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
  385.  
  386.  
  387. "file": "C:\\ProgramData\\FileZilla\\sitemanager.xml"
  388.  
  389.  
  390. "file": "C:\\ProgramData\\FileZilla\\recentservers.xml"
  391.  
  392.  
  393. "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\recentservers.xml"
  394.  
  395.  
  396. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  397.  
  398.  
  399. "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Windows Commander"
  400.  
  401.  
  402. "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Windows Commander"
  403.  
  404.  
  405. "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
  406.  
  407.  
  408. "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Total Commander"
  409.  
  410.  
  411. "key": "HKEY_CURRENT_USER\\Software\\FileZilla"
  412.  
  413.  
  414. "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla"
  415.  
  416.  
  417. "key": "HKEY_CURRENT_USER\\Software\\FileZilla Client"
  418.  
  419.  
  420. "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla Client"
  421.  
  422.  
  423.  
  424.  
  425. "Description": "Harvests information related to installed mail clients",
  426. "Details":
  427.  
  428. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
  429.  
  430.  
  431. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings"
  432.  
  433.  
  434. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
  435.  
  436.  
  437. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
  438.  
  439.  
  440. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
  441.  
  442.  
  443. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP User"
  444.  
  445.  
  446. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
  447.  
  448.  
  449. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  450.  
  451.  
  452. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Server"
  453.  
  454.  
  455. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  456.  
  457.  
  458. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Server"
  459.  
  460.  
  461. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP User"
  462.  
  463.  
  464. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
  465.  
  466.  
  467. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  468.  
  469.  
  470. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
  471.  
  472.  
  473. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
  474.  
  475.  
  476. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
  477.  
  478.  
  479. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
  480.  
  481.  
  482. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Server"
  483.  
  484.  
  485. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
  486.  
  487.  
  488. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  489.  
  490.  
  491. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
  492.  
  493.  
  494. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP User"
  495.  
  496.  
  497. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 User"
  498.  
  499.  
  500. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
  501.  
  502.  
  503. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
  504.  
  505.  
  506. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
  507.  
  508.  
  509. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
  510.  
  511.  
  512. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP User"
  513.  
  514.  
  515. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
  516.  
  517.  
  518. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 User"
  519.  
  520.  
  521. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Server"
  522.  
  523.  
  524. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Server"
  525.  
  526.  
  527. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  528.  
  529.  
  530. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
  531.  
  532.  
  533. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
  534.  
  535.  
  536. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
  537.  
  538.  
  539. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
  540.  
  541.  
  542. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
  543.  
  544.  
  545. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Server"
  546.  
  547.  
  548. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
  549.  
  550.  
  551. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
  552.  
  553.  
  554. "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
  555.  
  556.  
  557.  
  558.  
  559. "Description": "Collects information to fingerprint the system",
  560. "Details":
  561.  
  562.  
  563.  
  564. * Started Service:
  565. "KeyIso",
  566. "VaultSvc",
  567. "WerSvc"
  568.  
  569.  
  570. * Mutexes:
  571. "ServiceEntryPointThread",
  572. "DBWinMutex"
  573.  
  574.  
  575. * Modified Files:
  576. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_35d7f82a7ffa92c254171d8691ca9c60.inf",
  577. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
  578. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
  579. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
  580. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
  581. "\\??\\PIPE\\wkssvc",
  582. "\\??\\PIPE\\srvsvc",
  583. "C:\\Users\\user\\AppData\\Local\\Temp\\cookies.sqlite",
  584. "C:\\Users\\user\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\Cookies Backup",
  585. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies Backup",
  586. "C:\\Users\\user\\AppData\\Local\\Temp\\cookies.sqlite-journal",
  587. "C:\\Users\\user\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\Login Data Backup",
  588. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data Backup",
  589. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
  590. "C:\\Windows\\sysnative\\LogFiles\\Scm\\f0cfc274-6e3d-421a-9066-c7393a63dc0e"
  591.  
  592.  
  593. * Deleted Files:
  594. "C:\\Users\\user\\AppData\\Local\\Temp\\cookies.sqlite-journal",
  595. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies Backup",
  596. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data Backup"
  597.  
  598.  
  599. * Modified Registry Keys:
  600. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\2500",
  601. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\2500",
  602. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2\\2500",
  603. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\2500",
  604. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4\\2500",
  605. "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs",
  606. "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Count",
  607. "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Path1",
  608. "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Section1",
  609. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_0",
  610. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_1",
  611. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_2",
  612. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_3",
  613. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_4",
  614. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_5",
  615. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_6",
  616. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_7",
  617. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_8",
  618. "HKEY_CURRENT_USER\\Software\\Microsoft\\2dc03b67-bbe0-46f6-a506-c0799ccb1f6b",
  619. "HKEY_CURRENT_USER\\Software\\Microsoft\\ec58180b-dfce-4a67-b18b-e6d83b3e979b",
  620. "HKEY_CURRENT_USER\\Software\\Microsoft\\7ade5bfc-66f6-4220-aa24-6032bdb90317",
  621. "HKEY_CURRENT_USER\\Software\\Microsoft\\102f49a9-80c9-42ee-8924-3256738fc621",
  622. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\VaultSvc\\Type",
  623. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\KeyIso\\Type",
  624. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type"
  625.  
  626.  
  627. * Deleted Registry Keys:
  628. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_0",
  629. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_1",
  630. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_2",
  631. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_3",
  632. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_4",
  633. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_5",
  634. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_6",
  635. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_7",
  636. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_8",
  637. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_9",
  638. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_10",
  639. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_11",
  640. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_12",
  641. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_13",
  642. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_14",
  643. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_15",
  644. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_16",
  645. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_17",
  646. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_18",
  647. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_19",
  648. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_20",
  649. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_21",
  650. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_22",
  651. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_23",
  652. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_24",
  653. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_25",
  654. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_26",
  655. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_27",
  656. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_28",
  657. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_29",
  658. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_30",
  659. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_31",
  660. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_32",
  661. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_33",
  662. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_34",
  663. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_35",
  664. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_36",
  665. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_37",
  666. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_38",
  667. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_39",
  668. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_40",
  669. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_41",
  670. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_42",
  671. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_43",
  672. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_44",
  673. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_45",
  674. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_46",
  675. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_47",
  676. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_48",
  677. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_49"
  678.  
  679.  
  680. * DNS Communications:
  681.  
  682. "type": "A",
  683. "request": "chaabattent.com",
  684. "answers":
  685.  
  686. "data": "5.45.127.15",
  687. "type": "A"
  688.  
  689.  
  690.  
  691.  
  692. "type": "A",
  693. "request": "kladrykroptur.com",
  694. "answers":
  695.  
  696. "data": "51.15.37.44",
  697. "type": "A"
  698.  
  699.  
  700.  
  701.  
  702. "type": "A",
  703. "request": "apps.identrust.com",
  704. "answers":
  705.  
  706. "data": "192.35.177.64",
  707. "type": "A"
  708.  
  709.  
  710. "data": "apps.digsigtrust.com",
  711. "type": "CNAME"
  712.  
  713.  
  714.  
  715.  
  716. "type": "A",
  717. "request": "madregobilsg.com",
  718. "answers":
  719.  
  720. "data": "",
  721. "type": "NXDOMAIN"
  722.  
  723.  
  724.  
  725.  
  726. "type": "A",
  727. "request": "kerymarynicegross.com",
  728. "answers":
  729.  
  730. "data": "",
  731. "type": "NXDOMAIN"
  732.  
  733.  
  734.  
  735.  
  736. "type": "A",
  737. "request": "pillygreamstronh.com",
  738. "answers":
  739.  
  740. "data": "",
  741. "type": "NXDOMAIN"
  742.  
  743.  
  744.  
  745.  
  746.  
  747. * Domains:
  748.  
  749. "ip": "",
  750. "domain": "pillygreamstronh.com"
  751.  
  752.  
  753. "ip": "",
  754. "domain": "madregobilsg.com"
  755.  
  756.  
  757. "ip": "192.35.177.64",
  758. "domain": "apps.identrust.com"
  759.  
  760.  
  761. "ip": "51.15.37.44",
  762. "domain": "kladrykroptur.com"
  763.  
  764.  
  765. "ip": "5.45.127.15",
  766. "domain": "chaabattent.com"
  767.  
  768.  
  769. "ip": "",
  770. "domain": "kerymarynicegross.com"
  771.  
  772.  
  773.  
  774. * Network Communication - ICMP:
  775.  
  776. * Network Communication - HTTP:
  777.  
  778. "count": 1,
  779. "body": "",
  780. "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  781. "user-agent": "Microsoft-CryptoAPI/6.1",
  782. "method": "GET",
  783. "host": "www.download.windowsupdate.com",
  784. "version": "1.1",
  785. "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  786. "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Feb 2019 16:53:13 GMT\r\nIf-None-Match: \"80e22c19cfcad41:0\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
  787. "port": 80
  788.  
  789.  
  790. "count": 1,
  791. "body": "",
  792. "uri": "http://apps.identrust.com/roots/dstrootcax3.p7c",
  793. "user-agent": "Microsoft-CryptoAPI/6.1",
  794. "method": "GET",
  795. "host": "apps.identrust.com",
  796. "version": "1.1",
  797. "path": "/roots/dstrootcax3.p7c",
  798. "data": "GET /roots/dstrootcax3.p7c HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: apps.identrust.com\r\n\r\n",
  799. "port": 80
  800.  
  801.  
  802.  
  803. * Network Communication - SMTP:
  804.  
  805. * Network Communication - Hosts:
  806.  
  807. * Network Communication - IRC: