paladin316

Exes_771014073ec8cd39daac28b1ce95b474_exe_2019-07-22_20_30.txt

Jul 22nd, 2019
  1.  
  2. * MalFamily: "Malicious"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_771014073ec8cd39daac28b1ce95b474.exe"
  7. * File Size: 317440
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
  9. * SHA256: "3bd9107fac52bc69d0bb5dce1fa4ff060c4a0a4c324e78d182f141ccb7998bd3"
  10. * MD5: "771014073ec8cd39daac28b1ce95b474"
  11. * SHA1: "4423e3ff7390caa04991404e2c03e893aba618a1"
  12. * SHA512: "e494477ac089e72654cbc3fa30a6aac05055d91f980ba77a7c8e65a73dac4f4c940c1cec91ff22da57271d2de9f0c8c183173952e05381bc5e68f32c0e1ec26a"
  13. * CRC32: "A3E8AA70"
  14. * SSDEEP: "3072:L92gkM1dTnzUJuwSQQrtIQPaE3i5cKvtxQa0HDNqknIgx2UpsIkTpg:LsgkM1dLzCjcvby6Kvte9Rqoc7T"
  15.  
  16. * Process Execution:
  17. "Exes_771014073ec8cd39daac28b1ce95b474.exe",
  18. "Exes_771014073ec8cd39daac28b1ce95b474.exe",
  19. "services.exe",
  20. "lsass.exe",
  21. "taskhost.exe",
  22. "sc.exe",
  23. "svchost.exe",
  24. "svchost.exe",
  25. "WerFault.exe",
  26. "wermgr.exe"
  27.  
  28.  
  29. * Executed Commands:
  30. "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_771014073ec8cd39daac28b1ce95b474.exe\"",
  31. "C:\\Windows\\system32\\lsass.exe",
  32. "taskhost.exe $(Arg0)",
  33. "C:\\Windows\\system32\\sc.exe start w32time task_started",
  34. "C:\\Windows\\system32\\svchost.exe -k LocalService",
  35. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  36. "C:\\Windows\\system32\\WerFault.exe -u -p 2396 -s 288",
  37. "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_065b9e59\""
  38.  
  39.  
  40. * Signatures Detected:
  41.  
  42. "Description": "At least one process apparently crashed during execution",
  43. "Details":
  44.  
  45.  
  46. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  47. "Details":
  48.  
  49. "IP": "151.139.128.14:80"
  50.  
  51.  
  52.  
  53.  
  54. "Description": "Creates RWX memory",
  55. "Details":
  56.  
  57.  
  58. "Description": "A process created a hidden window",
  59. "Details":
  60.  
  61. "Process": "Exes_771014073ec8cd39daac28b1ce95b474.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\Exes_771014073ec8cd39daac28b1ce95b474.exe"
  62.  
  63.  
  64.  
  65.  
  66. "Description": "Performs some HTTP requests",
  67. "Details":
  68.  
  69. "url": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D"
  70.  
  71.  
  72. "url": "http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY"
  73.  
  74.  
  75. "url": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEC4BJRXilBJzt%2BjULTDTeVo%3D"
  76.  
  77.  
  78.  
  79.  
  80. "Description": "The binary likely contains encrypted or compressed data.",
  81. "Details":
  82.  
  83. "section": "name: UPX1, entropy: 7.94, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00024200, virtual_size: 0x00025000"
  84.  
  85.  
  86.  
  87.  
  88. "Description": "The executable is compressed using UPX",
  89. "Details":
  90.  
  91. "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00057000"
  92.  
  93.  
  94.  
  95.  
  96. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  97. "Details":
  98.  
  99. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11150935 times"
  100.  
  101.  
  102.  
  103.  
  104. "Description": "Steals private information from local Internet browsers",
  105. "Details":
  106.  
  107. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  108.  
  109.  
  110. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  111.  
  112.  
  113. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  114.  
  115.  
  116. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  117.  
  118.  
  119. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  120.  
  121.  
  122. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  123.  
  124.  
  125. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  126.  
  127.  
  128. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  129.  
  130.  
  131. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  132.  
  133.  
  134. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  135.  
  136.  
  137. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  138.  
  139.  
  140. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  141.  
  142.  
  143. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  144.  
  145.  
  146. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  147.  
  148.  
  149. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  150.  
  151.  
  152. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
  153.  
  154.  
  155. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  156.  
  157.  
  158. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  159.  
  160.  
  161. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  162.  
  163.  
  164. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  165.  
  166.  
  167.  
  168.  
  169. "Description": "Collects information about installed applications",
  170. "Details":
  171.  
  172. "Program": "Google Update Helper"
  173.  
  174.  
  175.  
  176.  
  177. "Program": "Microsoft Excel MUI 2013"
  178.  
  179.  
  180. "Program": "Microsoft Outlook MUI 2013"
  181.  
  182.  
  183.  
  184.  
  185. "Program": "Google Chrome"
  186.  
  187.  
  188. "Program": "Adobe Flash Player 29 NPAPI"
  189.  
  190.  
  191. "Program": "Adobe Flash Player 29 ActiveX"
  192.  
  193.  
  194. "Program": "Microsoft DCF MUI 2013"
  195.  
  196.  
  197. "Program": "Microsoft Access MUI 2013"
  198.  
  199.  
  200. "Program": "Microsoft Office Proofing Tools 2013 - English"
  201.  
  202.  
  203. "Program": "Adobe Acrobat Reader DC"
  204.  
  205.  
  206. "Program": "Microsoft Publisher MUI 2013"
  207.  
  208.  
  209. "Program": "Microsoft Office Shared MUI 2013"
  210.  
  211.  
  212. "Program": "Microsoft Office OSM MUI 2013"
  213.  
  214.  
  215. "Program": "Microsoft InfoPath MUI 2013"
  216.  
  217.  
  218. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  219.  
  220.  
  221. "Program": "Outils de v\\xc3\\xa9rification linguistique 2013 de Microsoft Office\\xc2\\xa0- Fran\\xc3\\xa7ais"
  222.  
  223.  
  224. "Program": "Microsoft Word MUI 2013"
  225.  
  226.  
  227. "Program": "Microsoft OneDrive"
  228.  
  229.  
  230. "Program": "Microsoft Groove MUI 2013"
  231.  
  232.  
  233. "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xc3\\xb1ol"
  234.  
  235.  
  236.  
  237.  
  238. "Program": "Microsoft Access Setup Metadata MUI 2013"
  239.  
  240.  
  241. "Program": "Microsoft Office OSM UX MUI 2013"
  242.  
  243.  
  244. "Program": "Java Auto Updater"
  245.  
  246.  
  247. "Program": "Microsoft PowerPoint MUI 2013"
  248.  
  249.  
  250. "Program": "Microsoft Office Professional Plus 2013"
  251.  
  252.  
  253. "Program": "Adobe Refresh Manager"
  254.  
  255.  
  256. "Program": "Microsoft Office Proofing 2013"
  257.  
  258.  
  259. "Program": "Microsoft Lync MUI 2013"
  260.  
  261.  
  262.  
  263.  
  264. "Program": "Microsoft OneNote MUI 2013"
  265.  
  266.  
  267.  
  268.  
  269. "Description": "File has been identified by 23 Antiviruses on VirusTotal as malicious",
  270. "Details":
  271.  
  272. "FireEye": "Generic.mg.771014073ec8cd39"
  273.  
  274.  
  275. "McAfee": "GenericRXHY-XS!C6619D8DF1A4"
  276.  
  277.  
  278. "Cylance": "Unsafe"
  279.  
  280.  
  281. "K7GW": "Trojan ( 005530f21 )"
  282.  
  283.  
  284. "K7AntiVirus": "Trojan ( 005530f21 )"
  285.  
  286.  
  287. "Symantec": "ML.Attribute.HighConfidence"
  288.  
  289.  
  290. "APEX": "Malicious"
  291.  
  292.  
  293. "Endgame": "malicious (moderate confidence)"
  294.  
  295.  
  296. "F-Secure": "Trojan.TR/Crypt.ULPM.Gen"
  297.  
  298.  
  299. "DrWeb": "Trojan.PWS.Siggen2.23585"
  300.  
  301.  
  302. "Invincea": "heuristic"
  303.  
  304.  
  305. "Trapmine": "malicious.moderate.ml.score"
  306.  
  307.  
  308. "CMC": "Trojan.Win32.Swizzor.1!O"
  309.  
  310.  
  311. "Avira": "TR/Crypt.ULPM.Gen"
  312.  
  313.  
  314. "Microsoft": "Trojan:Win32/Fuerboos.C!cl"
  315.  
  316.  
  317. "Acronis": "suspicious"
  318.  
  319.  
  320. "ESET-NOD32": "a variant of Win32/GenKryptik.DNZI"
  321.  
  322.  
  323. "SentinelOne": "DFI - Malicious PE"
  324.  
  325.  
  326. "eGambit": "Unsafe.AI_Score_92%"
  327.  
  328.  
  329. "Fortinet": "W32/Kryptik.GUPZ!tr"
  330.  
  331.  
  332. "Cybereason": "malicious.f7390c"
  333.  
  334.  
  335. "CrowdStrike": "win/malicious_confidence_70% (D)"
  336.  
  337.  
  338. "Qihoo-360": "HEUR/QVM11.1.B195.Malware.Gen"
  339.  
  340.  
  341.  
  342.  
  343. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  344. "Details":
  345.  
  346.  
  347. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  348. "Details":
  349.  
  350.  
  351. "Description": "Attempts to access Bitcoin/ALTCoin wallets",
  352. "Details":
  353.  
  354. "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallet.dat"
  355.  
  356.  
  357. "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallet.dat"
  358.  
  359.  
  360. "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallet.dat"
  361.  
  362.  
  363. "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallet.dat"
  364.  
  365.  
  366. "file": "C:\\Users\\user\\AppData\\wallet.dat"
  367.  
  368.  
  369. "file": "C:\\Users\\user\\AppData\\Roaming\\wallet.dat"
  370.  
  371.  
  372. "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallet.dat"
  373.  
  374.  
  375. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallet.dat"
  376.  
  377.  
  378. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\*"
  379.  
  380.  
  381.  
  382.  
  383. "Description": "Harvests credentials from local FTP client software",
  384. "Details":
  385.  
  386. "file": "C:\\Users\\user\\AppData\\Roaming\\filezilla\\recentservers.xml"
  387.  
  388.  
  389.  
  390.  
  391. "Description": "Harvests information related to installed instant messenger clients",
  392. "Details":
  393.  
  394. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  395.  
  396.  
  397.  
  398.  
  399. "Description": "Harvests information related to installed mail clients",
  400. "Details":
  401.  
  402. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
  403.  
  404.  
  405. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
  406.  
  407.  
  408. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
  409.  
  410.  
  411. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
  412.  
  413.  
  414. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
  415.  
  416.  
  417. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
  418.  
  419.  
  420. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  421.  
  422.  
  423. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  424.  
  425.  
  426. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  427.  
  428.  
  429. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
  430.  
  431.  
  432. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  433.  
  434.  
  435. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
  436.  
  437.  
  438. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
  439.  
  440.  
  441. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
  442.  
  443.  
  444. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
  445.  
  446.  
  447. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
  448.  
  449.  
  450. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
  451.  
  452.  
  453. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
  454.  
  455.  
  456. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
  457.  
  458.  
  459. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
  460.  
  461.  
  462. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  463.  
  464.  
  465.  
  466.  
  467. "Description": "Collects information to fingerprint the system",
  468. "Details":
  469.  
  470.  
  471.  
  472. * Started Service:
  473. "VaultSvc",
  474. "WerSvc",
  475. "W32Time"
  476.  
  477.  
  478. * Mutexes:
  479. "A81FB8C6-0BBE6E18-6FC9B5DB-536DA455-933946726",
  480. "Local\\WERReportingForProcess2396",
  481. "Global\\\\xe5\\x88\\x90\\xc2\\xa0",
  482. "Global\\\\xed\\x95\\xb0\\xc7\\x9b",
  483. "WERUI_BEX64-928a3992b7bed7284823981773aca329ad5b54d"
  484.  
  485.  
  486. * Modified Files:
  487. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4",
  488. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4",
  489. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA",
  490. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA",
  491. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0255CEC2C51D081EFF40366512890989_CFBE135C1EB4E34EEEA2C1CB8DC92D8B",
  492. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0255CEC2C51D081EFF40366512890989_CFBE135C1EB4E34EEEA2C1CB8DC92D8B",
  493. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-console-l1-1-0.dll",
  494. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-datetime-l1-1-0.dll",
  495. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-debug-l1-1-0.dll",
  496. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-errorhandling-l1-1-0.dll",
  497. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-1-0.dll",
  498. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-2-0.dll",
  499. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l2-1-0.dll",
  500. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-handle-l1-1-0.dll",
  501. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-heap-l1-1-0.dll",
  502. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-interlocked-l1-1-0.dll",
  503. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-libraryloader-l1-1-0.dll",
  504. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-localization-l1-2-0.dll",
  505. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-memory-l1-1-0.dll",
  506. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-namedpipe-l1-1-0.dll",
  507. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processenvironment-l1-1-0.dll",
  508. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-0.dll",
  509. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-1.dll",
  510. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-profile-l1-1-0.dll",
  511. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-rtlsupport-l1-1-0.dll",
  512. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-string-l1-1-0.dll",
  513. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-1-0.dll",
  514. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-2-0.dll",
  515. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-sysinfo-l1-1-0.dll",
  516. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-timezone-l1-1-0.dll",
  517. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-util-l1-1-0.dll",
  518. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-conio-l1-1-0.dll",
  519. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-convert-l1-1-0.dll",
  520. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-environment-l1-1-0.dll",
  521. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-filesystem-l1-1-0.dll",
  522. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-heap-l1-1-0.dll",
  523. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-locale-l1-1-0.dll",
  524. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-math-l1-1-0.dll",
  525. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-multibyte-l1-1-0.dll",
  526. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-private-l1-1-0.dll",
  527. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-process-l1-1-0.dll",
  528. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-runtime-l1-1-0.dll",
  529. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-stdio-l1-1-0.dll",
  530. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-string-l1-1-0.dll",
  531. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-time-l1-1-0.dll",
  532. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-utility-l1-1-0.dll",
  533. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\freebl3.dll",
  534. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\mozglue.dll",
  535. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\msvcp140.dll",
  536. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nss3.dll",
  537. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nssdbm3.dll",
  538. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\softokn3.dll",
  539. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\ucrtbase.dll",
  540. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\vcruntime140.dll",
  541. "C:\\Users\\user\\AppData\\Local\\Temp\\135662341384565854071147.tmp",
  542. "C:\\Users\\user\\AppData\\Local\\Temp\\136175626668354943421455.tmp",
  543. "C:\\Users\\user\\AppData\\Local\\Temp\\13617625760319523058928.tmp",
  544. "C:\\Users\\user\\AppData\\Local\\Temp\\136176566904652965936176.tmp",
  545. "C:\\Users\\user\\AppData\\Local\\Temp\\136177036187809389259254.tmp",
  546. "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
  547. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
  548. "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
  549. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4ea3e899-a35a-4b2c-8309-21adf5344aca",
  550. "\\??\\PIPE\\lsarpc",
  551. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA00B.tmp.appcompat.txt",
  552. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA423.tmp.WERInternalMetadata.xml",
  553. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA453.tmp.hdmp",
  554. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAF02.tmp.mdmp",
  555. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_065b9e59\\WERA00B.tmp.appcompat.txt",
  556. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_065b9e59\\WERA423.tmp.WERInternalMetadata.xml",
  557. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_065b9e59\\WERA453.tmp.hdmp",
  558. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_065b9e59\\WERAF02.tmp.mdmp",
  559. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_065b9e59\\Report.wer",
  560. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_065b9e59\\Report.wer.tmp"
  561.  
  562.  
  563. * Deleted Files:
  564. "C:\\Users\\user\\AppData\\Local\\Temp\\135662341384565854071147.tmp",
  565. "C:\\Users\\user\\AppData\\Local\\Temp\\136175626668354943421455.tmp",
  566. "C:\\Users\\user\\AppData\\Local\\Temp\\13617625760319523058928.tmp",
  567. "C:\\Users\\user\\AppData\\Local\\Temp\\136176566904652965936176.tmp",
  568. "C:\\Users\\user\\AppData\\Local\\Temp\\136177036187809389259254.tmp",
  569. "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
  570. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-console-l1-1-0.dll",
  571. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-datetime-l1-1-0.dll",
  572. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-debug-l1-1-0.dll",
  573. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-errorhandling-l1-1-0.dll",
  574. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-1-0.dll",
  575. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-2-0.dll",
  576. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l2-1-0.dll",
  577. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-handle-l1-1-0.dll",
  578. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-heap-l1-1-0.dll",
  579. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-interlocked-l1-1-0.dll",
  580. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-libraryloader-l1-1-0.dll",
  581. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-localization-l1-2-0.dll",
  582. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-memory-l1-1-0.dll",
  583. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-namedpipe-l1-1-0.dll",
  584. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processenvironment-l1-1-0.dll",
  585. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-0.dll",
  586. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-1.dll",
  587. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-profile-l1-1-0.dll",
  588. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-rtlsupport-l1-1-0.dll",
  589. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-string-l1-1-0.dll",
  590. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-1-0.dll",
  591. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-2-0.dll",
  592. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-sysinfo-l1-1-0.dll",
  593. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-timezone-l1-1-0.dll",
  594. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-util-l1-1-0.dll",
  595. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-conio-l1-1-0.dll",
  596. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-convert-l1-1-0.dll",
  597. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-environment-l1-1-0.dll",
  598. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-filesystem-l1-1-0.dll",
  599. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-heap-l1-1-0.dll",
  600. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-locale-l1-1-0.dll",
  601. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-math-l1-1-0.dll",
  602. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-multibyte-l1-1-0.dll",
  603. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-private-l1-1-0.dll",
  604. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-process-l1-1-0.dll",
  605. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-runtime-l1-1-0.dll",
  606. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-stdio-l1-1-0.dll",
  607. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-string-l1-1-0.dll",
  608. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-time-l1-1-0.dll",
  609. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-utility-l1-1-0.dll",
  610. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\freebl3.dll",
  611. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\mozglue.dll",
  612. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\msvcp140.dll",
  613. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nss3.dll",
  614. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nssdbm3.dll",
  615. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\softokn3.dll",
  616. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\ucrtbase.dll",
  617. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\vcruntime140.dll",
  618. "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\",
  619. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA00B.tmp",
  620. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA00B.tmp.appcompat.txt",
  621. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA423.tmp",
  622. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA423.tmp.WERInternalMetadata.xml",
  623. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA453.tmp",
  624. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA453.tmp.hdmp",
  625. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAF02.tmp",
  626. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAF02.tmp.mdmp",
  627. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_065b9e59\\Report.wer.tmp"
  628.  
  629.  
  630. * Modified Registry Keys:
  631. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
  632. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  633. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
  634. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
  635. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
  636.  
  637.  
  638. * Deleted Registry Keys:
  639.  
  640. * DNS Communications:
  641.  
  642. "type": "A",
  643. "request": "sukaponic.com",
  644. "answers":
  645.  
  646. "data": "103.229.72.62",
  647. "type": "A"
  648.  
  649.  
  650.  
  651.  
  652.  
  653. * Domains:
  654.  
  655. "ip": "103.229.72.62",
  656. "domain": "sukaponic.com"
  657.  
  658.  
  659.  
  660. * Network Communication - ICMP:
  661.  
  662. * Network Communication - HTTP:
  663.  
  664. "count": 1,
  665. "body": "",
  666. "uri": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
  667. "user-agent": "Microsoft-CryptoAPI/6.1",
  668. "method": "GET",
  669. "host": "ocsp.usertrust.com",
  670. "version": "1.1",
  671. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
  672. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1\r\nCache-Control: max-age = 94765\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Mon, 11 Mar 2019 04:19:13 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.usertrust.com\r\n\r\n",
  673. "port": 80
  674.  
  675.  
  676. "count": 1,
  677. "body": "",
  678. "uri": "http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY",
  679. "user-agent": "Microsoft-CryptoAPI/6.1",
  680. "method": "GET",
  681. "host": "ocsp.comodoca.com",
  682. "version": "1.1",
  683. "path": "/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY",
  684. "data": "GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.comodoca.com\r\n\r\n",
  685. "port": 80
  686.  
  687.  
  688. "count": 1,
  689. "body": "",
  690. "uri": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEC4BJRXilBJzt%2BjULTDTeVo%3D",
  691. "user-agent": "Microsoft-CryptoAPI/6.1",
  692. "method": "GET",
  693. "host": "ocsp.comodoca.com",
  694. "version": "1.1",
  695. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEC4BJRXilBJzt%2BjULTDTeVo%3D",
  696. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEC4BJRXilBJzt%2BjULTDTeVo%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.comodoca.com\r\n\r\n",
  697. "port": 80
  698.  
  699.  
  700.  
  701. * Network Communication - SMTP:
  702.  
  703. * Network Communication - Hosts:
  704.  
  705. * Network Communication - IRC: