paladin316

Exes_fa218cab688dd5f74244773a38ea6310_bat_2019-07-18_11_30.txt

Jul 18th, 2019
  1.  
  2. * MalFamily: ""
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_fa218cab688dd5f74244773a38ea6310.bat"
  7. * File Size: 5231022
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, RAR self-extracting archive"
  9. * SHA256: "d8a1cfc8d4667abafd7af53ea54e53310c7067e9f6ed9bd7234a17cc524a1e7a"
  10. * MD5: "fa218cab688dd5f74244773a38ea6310"
  11. * SHA1: "d5243f15bb6cd9a7d3444da5aeaf5c307a77c785"
  12. * SHA512: "bd504e1337805bd80321d4e8ad7429dcbf2f759795c25418f51034dca0489dbf4aef5ec9dc32b722f13f2bd535c678fb688a36906c786c0836c428da4760ce2a"
  13. * CRC32: "B9EABB9F"
  14. * SSDEEP: "98304:vTqgox/pe8fs+CMm8KGm8cIQHb2uM3OtIdjEnRgoAvuGYtJK:bqggxCMmRXIQHDIdjEnRgTv/GJK"
  15.  
  16. * Process Execution:
  17. "Exes_fa218cab688dd5f74244773a38ea6310.bat",
  18. "wscript.exe",
  19. "cmd.exe",
  20. "systemscr.exe",
  21. "Build.exe",
  22. "CHxReadingStringIME.exe",
  23. "CHxReadingStringIME.module.exe",
  24. "attrib.exe",
  25. "WatchBull.exe",
  26. "RegeditFrameHost.exe",
  27. "e6ee5674bb9446c78bbc5729af6e2c28.exe",
  28. "Build.exe",
  29. "cmd.exe",
  30. "taskkill.exe",
  31. "attrib.exe",
  32. "Windows defender.exe",
  33. "svchost.exe",
  34. "WmiPrvSE.exe",
  35. "WmiPrvSE.exe",
  36. "svchost.exe",
  37. "WMIADAP.exe"
  38.  
  39.  
  40. * Executed Commands:
  41. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Roaming\\System\\System.vbe\"",
  42. "C:\\Users\\user\\AppData\\Roaming\\System\\System.vbe ",
  43. "C:\\Users\\user\\AppData\\Roaming\\System\\Build.exe ",
  44. "C:\\Users\\user\\AppData\\Roaming\\System\\Windows defender.exe ",
  45. "\"C:\\Users\\user\\AppData\\Roaming\\System\\KrXzzhIXVKdi17YT7Z2CN0JlLQNM6x.bat\"",
  46. "C:\\Users\\user\\AppData\\Roaming\\System\\KrXzzhIXVKdi17YT7Z2CN0JlLQNM6x.bat ",
  47. "\"C:\\Users\\user\\AppData\\Roaming\\System\\Build.exe\"",
  48. "\"C:\\Users\\user\\AppData\\Roaming\\System\\WatchBull.exe\"",
  49. "C:\\Users\\user\\AppData\\Roaming\\System\\WatchBull.exe ",
  50. "\"C:\\Users\\user\\AppData\\Roaming\\System\\RegeditFrameHost.exe\"",
  51. "C:\\Users\\user\\AppData\\Roaming\\System\\RegeditFrameHost.exe ",
  52. "\"C:\\Users\\user\\AppData\\Roaming\\System\\e6ee5674bb9446c78bbc5729af6e2c28.exe\"",
  53. "C:\\Users\\user\\AppData\\Roaming\\System\\e6ee5674bb9446c78bbc5729af6e2c28.exe ",
  54. "C:\\Windows\\system32\\cmd.exe /c taskkill /f /pid 2428 & attrib -s -h -r -a /S /D \"C:\\Users\\user\\AppData\\Roaming\\System\" & del /q /f \"C:\\Users\\user\\AppData\\Roaming\\System\\Build.exe\"",
  55. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  56. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
  57. "C:\\Users\\user\\AppData\\Roaming/System/systemscr.exe",
  58. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.exe",
  59. "taskkill /f /pid 2428",
  60. "attrib -s -h -r -a /S /D \"C:\\Users\\user\\AppData\\Roaming\\System\"",
  61. "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\syswow64\\WININET.dll\",DispatchAPICall 1",
  62. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.module.exe a -y -mx9 -ssw \"C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\ENU_94687FE9746877523523.7z\" \"C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\1\\*\"",
  63. "attrib +s +h \"C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\""
  64.  
  65.  
  66. * Signatures Detected:
  67.  
  68. "Description": "Attempts to connect to a dead IP:Port (4 unique times)",
  69. "Details":
  70.  
  71. "IP": "205.185.216.10:80"
  72.  
  73.  
  74. "IP": "72.167.239.239:80"
  75.  
  76.  
  77. "IP": "151.139.128.14:80"
  78.  
  79.  
  80. "IP": "149.154.167.220:443"
  81.  
  82.  
  83.  
  84.  
  85. "Description": "Creates RWX memory",
  86. "Details":
  87.  
  88.  
  89. "Description": "Possible date expiration check, exits too soon after checking local time",
  90. "Details":
  91.  
  92. "process": "attrib.exe, PID 796"
  93.  
  94.  
  95.  
  96.  
  97. "Description": "Detected script timer window indicative of sleep style evasion",
  98. "Details":
  99.  
  100. "Window": "WSH-Timer"
  101.  
  102.  
  103.  
  104.  
  105. "Description": "A process attempted to delay the analysis task.",
  106. "Details":
  107.  
  108. "Process": "svchost.exe tried to sleep 253 seconds, actually delayed analysis time by 0 seconds"
  109.  
  110.  
  111.  
  112.  
  113. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  114. "Details":
  115.  
  116. "ioc": "nc.110/"
  117.  
  118.  
  119.  
  120.  
  121. "Description": "Reads data out of its own binary image",
  122. "Details":
  123.  
  124. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00000000, length: 0x00000007"
  125.  
  126.  
  127. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00000000, length: 0x00002000"
  128.  
  129.  
  130. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00000007, length: 0x001ffff0"
  131.  
  132.  
  133. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00001ff0, length: 0x00002000"
  134.  
  135.  
  136. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00003fe0, length: 0x00002000"
  137.  
  138.  
  139. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00005fd0, length: 0x00002000"
  140.  
  141.  
  142. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00007fc0, length: 0x00002000"
  143.  
  144.  
  145. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00009fb0, length: 0x00002000"
  146.  
  147.  
  148. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x0000bfa0, length: 0x00002000"
  149.  
  150.  
  151. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x0000df90, length: 0x00002000"
  152.  
  153.  
  154. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x0000ff80, length: 0x00002000"
  155.  
  156.  
  157. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00011f70, length: 0x00002000"
  158.  
  159.  
  160. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00013f60, length: 0x00002000"
  161.  
  162.  
  163. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00015f50, length: 0x00002000"
  164.  
  165.  
  166. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00017f40, length: 0x00002000"
  167.  
  168.  
  169. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00019f30, length: 0x00002000"
  170.  
  171.  
  172. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x0001bf20, length: 0x00002000"
  173.  
  174.  
  175. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x0001df10, length: 0x00002000"
  176.  
  177.  
  178. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x0001ff00, length: 0x00002000"
  179.  
  180.  
  181. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00021ef0, length: 0x00002000"
  182.  
  183.  
  184. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00023ee0, length: 0x00002000"
  185.  
  186.  
  187. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00025ed0, length: 0x00002000"
  188.  
  189.  
  190. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00027ec0, length: 0x00002000"
  191.  
  192.  
  193. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x00029eb0, length: 0x00002000"
  194.  
  195.  
  196. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x0002b400, length: 0x00000032"
  197.  
  198.  
  199. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x0002b41a, length: 0x004d1b0b"
  200.  
  201.  
  202. "self_read": "process: Exes_fa218cab688dd5f74244773a38ea6310.bat, pid: 1400, offset: 0x004fd1a6, length: 0x00000008"
  203.  
  204.  
  205. "self_read": "process: wscript.exe, pid: 2236, offset: 0x00000000, length: 0x00000040"
  206.  
  207.  
  208. "self_read": "process: wscript.exe, pid: 2236, offset: 0x000000f0, length: 0x00000018"
  209.  
  210.  
  211. "self_read": "process: wscript.exe, pid: 2236, offset: 0x000001e8, length: 0x00000078"
  212.  
  213.  
  214. "self_read": "process: wscript.exe, pid: 2236, offset: 0x00018000, length: 0x00000020"
  215.  
  216.  
  217. "self_read": "process: wscript.exe, pid: 2236, offset: 0x00018058, length: 0x00000018"
  218.  
  219.  
  220. "self_read": "process: wscript.exe, pid: 2236, offset: 0x000181a8, length: 0x00000018"
  221.  
  222.  
  223. "self_read": "process: wscript.exe, pid: 2236, offset: 0x00018470, length: 0x00000010"
  224.  
  225.  
  226. "self_read": "process: wscript.exe, pid: 2236, offset: 0x00018640, length: 0x00000012"
  227.  
  228.  
  229.  
  230.  
  231. "Description": "A process created a hidden window",
  232. "Details":
  233.  
  234. "Process": "wscript.exe -> C:\\Users\\user\\AppData\\Roaming\\System\\KrXzzhIXVKdi17YT7Z2CN0JlLQNM6x.bat"
  235.  
  236.  
  237. "Process": "wscript.exe -> C:\\Users\\user\\AppData\\Roaming\\System\\Build.exe"
  238.  
  239.  
  240. "Process": "wscript.exe -> C:\\Users\\user\\AppData\\Roaming\\System\\WatchBull.exe"
  241.  
  242.  
  243. "Process": "wscript.exe -> C:\\Users\\user\\AppData\\Roaming\\System\\RegeditFrameHost.exe"
  244.  
  245.  
  246. "Process": "wscript.exe -> C:\\Users\\user\\AppData\\Roaming\\System\\e6ee5674bb9446c78bbc5729af6e2c28.exe"
  247.  
  248.  
  249.  
  250.  
  251. "Description": "Drops a binary and executes it",
  252. "Details":
  253.  
  254. "binary": "C:\\Users\\user\\AppData\\Roaming\\System\\e6ee5674bb9446c78bbc5729af6e2c28.exe"
  255.  
  256.  
  257. "binary": "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.module.exe"
  258.  
  259.  
  260. "binary": "C:\\Users\\user\\AppData\\Roaming\\System\\systemscr.exe"
  261.  
  262.  
  263. "binary": "C:\\Users\\user\\AppData\\Roaming\\System\\RegeditFrameHost.exe"
  264.  
  265.  
  266. "binary": "C:\\Users\\user\\AppData\\Roaming\\System\\Windows defender.exe"
  267.  
  268.  
  269. "binary": "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.exe"
  270.  
  271.  
  272. "binary": "C:\\Users\\user\\AppData\\Roaming\\System\\WatchBull.exe"
  273.  
  274.  
  275.  
  276.  
  277. "Description": "Performs some HTTP requests",
  278. "Details":
  279.  
  280. "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
  281.  
  282.  
  283. "url": "http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D"
  284.  
  285.  
  286. "url": "http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D"
  287.  
  288.  
  289. "url": "http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQChwNmuhlFIyg%3D%3D"
  290.  
  291.  
  292. "url": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D"
  293.  
  294.  
  295. "url": "http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D"
  296.  
  297.  
  298. "url": "http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEGbZBgaEG1afQkxO0Kqs%2FzU%3D"
  299.  
  300.  
  301.  
  302.  
  303. "Description": "The binary likely contains encrypted or compressed data.",
  304. "Details":
  305.  
  306. "section": "name: UPX1, entropy: 7.93, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00020c00, virtual_size: 0x00021000"
  307.  
  308.  
  309.  
  310.  
  311. "Description": "The executable is compressed using UPX",
  312. "Details":
  313.  
  314. "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x0004d000"
  315.  
  316.  
  317.  
  318.  
  319. "Description": "Steals private information from local Internet browsers",
  320. "Details":
  321.  
  322. "file": "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\1\\Cookies\\Google Chrome (2).txt"
  323.  
  324.  
  325. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  326.  
  327.  
  328. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  329.  
  330.  
  331. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  332.  
  333.  
  334.  
  335.  
  336. "Description": "Installs itself for autorun at Windows startup",
  337. "Details":
  338.  
  339. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\System.lnk"
  340.  
  341.  
  342. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\System.lnk"
  343.  
  344.  
  345.  
  346.  
  347. "Description": "Collects information about installed applications",
  348. "Details":
  349.  
  350. "Program": "Google Update Helper"
  351.  
  352.  
  353. "Program": "Microsoft Excel MUI 2013"
  354.  
  355.  
  356. "Program": "Microsoft Outlook MUI 2013"
  357.  
  358.  
  359.  
  360.  
  361. "Program": "Google Chrome"
  362.  
  363.  
  364. "Program": "Adobe Flash Player 29 NPAPI"
  365.  
  366.  
  367. "Program": "Adobe Flash Player 29 ActiveX"
  368.  
  369.  
  370. "Program": "Microsoft DCF MUI 2013"
  371.  
  372.  
  373. "Program": "Microsoft Access MUI 2013"
  374.  
  375.  
  376. "Program": "Microsoft Office Proofing Tools 2013 - English"
  377.  
  378.  
  379. "Program": "Adobe Acrobat Reader DC"
  380.  
  381.  
  382. "Program": "Microsoft Publisher MUI 2013"
  383.  
  384.  
  385. "Program": "Microsoft Office Shared MUI 2013"
  386.  
  387.  
  388. "Program": "Microsoft Office OSM MUI 2013"
  389.  
  390.  
  391. "Program": "Microsoft InfoPath MUI 2013"
  392.  
  393.  
  394. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  395.  
  396.  
  397. "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
  398.  
  399.  
  400. "Program": "Microsoft Word MUI 2013"
  401.  
  402.  
  403. "Program": "Microsoft Groove MUI 2013"
  404.  
  405.  
  406. "Program": "Microsoft Office Proofing Tools 2013 - Español"
  407.  
  408.  
  409.  
  410.  
  411. "Program": "Microsoft Access Setup Metadata MUI 2013"
  412.  
  413.  
  414. "Program": "Microsoft Office OSM UX MUI 2013"
  415.  
  416.  
  417. "Program": "Java Auto Updater"
  418.  
  419.  
  420. "Program": "Microsoft PowerPoint MUI 2013"
  421.  
  422.  
  423. "Program": "Microsoft Office Professional Plus 2013"
  424.  
  425.  
  426. "Program": "Adobe Refresh Manager"
  427.  
  428.  
  429. "Program": "Microsoft Office Proofing 2013"
  430.  
  431.  
  432. "Program": "Microsoft Lync MUI 2013"
  433.  
  434.  
  435.  
  436.  
  437. "Program": "Microsoft OneNote MUI 2013"
  438.  
  439.  
  440.  
  441.  
  442. "Description": "Creates a hidden or system file",
  443. "Details":
  444.  
  445. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low"
  446.  
  447.  
  448. "file": "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events"
  449.  
  450.  
  451.  
  452.  
  453. "Description": "Attempts to identify installed AV products by installation directory",
  454. "Details":
  455.  
  456. "file": "C:\\Users\\user\\AppData\\Local\\AVAST Software\\Browser\\User Data"
  457.  
  458.  
  459.  
  460.  
  461. "Description": "File has been identified by 55 Antiviruses on VirusTotal as malicious",
  462. "Details":
  463.  
  464. "MicroWorld-eScan": "Gen:Variant.Strictor.191993"
  465.  
  466.  
  467. "CAT-QuickHeal": "Trojan.Generic"
  468.  
  469.  
  470. "McAfee": "Artemis!FA218CAB688D"
  471.  
  472.  
  473. "Cylance": "Unsafe"
  474.  
  475.  
  476. "VIPRE": "Trojan.Win32.Generic!BT"
  477.  
  478.  
  479. "Alibaba": "PWSteal:Win32/Stealer.57861a3c"
  480.  
  481.  
  482. "K7GW": "Trojan ( 0053c4881 )"
  483.  
  484.  
  485. "K7AntiVirus": "Trojan ( 0053c4881 )"
  486.  
  487.  
  488. "Arcabit": "Trojan.Strictor.D2EDF9"
  489.  
  490.  
  491. "Invincea": "heuristic"
  492.  
  493.  
  494. "F-Prot": "W32/Rasftuby.D"
  495.  
  496.  
  497. "Symantec": "Trojan.Gen.MBT"
  498.  
  499.  
  500. "APEX": "Malicious"
  501.  
  502.  
  503. "Paloalto": "generic.ml"
  504.  
  505.  
  506. "Kaspersky": "HEUR:Trojan.Win32.Generic"
  507.  
  508.  
  509. "BitDefender": "Gen:Variant.Strictor.191993"
  510.  
  511.  
  512. "NANO-Antivirus": "Trojan.Win32.Mlw.fqaogz"
  513.  
  514.  
  515. "AegisLab": "Trojan.Win32.Generic.4!c"
  516.  
  517.  
  518. "Avast": "Win32:Trojan-gen"
  519.  
  520.  
  521. "Tencent": "Msil.Trojan-psw.Coinstealer.Ectl"
  522.  
  523.  
  524. "Ad-Aware": "Gen:Variant.Strictor.191993"
  525.  
  526.  
  527. "Emsisoft": "Gen:Variant.Strictor.191993 (B)"
  528.  
  529.  
  530. "Comodo": "Malware@#1zrbyyo0817ub"
  531.  
  532.  
  533. "F-Secure": "Heuristic.HEUR/AGEN.1040377"
  534.  
  535.  
  536. "DrWeb": "Trojan.PWS.Siggen2.14209"
  537.  
  538.  
  539. "Zillya": "Trojan.Generic.Win32.108792"
  540.  
  541.  
  542. "TrendMicro": "Trojan.Win32.CRYPTINJECT.SMB"
  543.  
  544.  
  545. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.rc"
  546.  
  547.  
  548. "Trapmine": "malicious.high.ml.score"
  549.  
  550.  
  551. "FireEye": "Generic.mg.fa218cab688dd5f7"
  552.  
  553.  
  554. "Sophos": "Mal/Generic-S"
  555.  
  556.  
  557. "Cyren": "W32/Trojan.BIIU-4289"
  558.  
  559.  
  560. "Jiangmin": "Backdoor.Androm.akpo"
  561.  
  562.  
  563. "Webroot": "W32.Trojan.Gen"
  564.  
  565.  
  566. "Avira": "TR/PSW.CoinStealer.ciszu"
  567.  
  568.  
  569. "MAX": "malware (ai score=100)"
  570.  
  571.  
  572. "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
  573.  
  574.  
  575. "Microsoft": "PWS:Win32/Stealer.H!bit"
  576.  
  577.  
  578. "Endgame": "malicious (moderate confidence)"
  579.  
  580.  
  581. "ViRobot": "Trojan.Win32.Z.Strictor.5231022"
  582.  
  583.  
  584. "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
  585.  
  586.  
  587. "GData": "Gen:Variant.Strictor.191993"
  588.  
  589.  
  590. "AhnLab-V3": "Dropper/Win32.Agent.R258341"
  591.  
  592.  
  593. "VBA32": "TrojanPSW.Stealer"
  594.  
  595.  
  596. "ALYac": "Gen:Variant.Strictor.191993"
  597.  
  598.  
  599. "ESET-NOD32": "MSIL/PSW.CoinStealer.BX"
  600.  
  601.  
  602. "Rising": "Spyware.Agent!8.C6 (CLOUD)"
  603.  
  604.  
  605. "Yandex": "Trojan.PowerShell!"
  606.  
  607.  
  608. "Ikarus": "Trojan.Rasftuby"
  609.  
  610.  
  611. "Fortinet": "AutoIt/Packed.NQ!tr"
  612.  
  613.  
  614. "AVG": "Win32:Trojan-gen"
  615.  
  616.  
  617. "Cybereason": "malicious.b688dd"
  618.  
  619.  
  620. "Panda": "Trj/Genetic.gen"
  621.  
  622.  
  623. "CrowdStrike": "win/malicious_confidence_60% (W)"
  624.  
  625.  
  626. "Qihoo-360": "Win32/Trojan.PSW.a23"
  627.  
  628.  
  629.  
  630.  
  631. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  632. "Details":
  633.  
  634.  
  635. "Description": "Attempts to modify proxy settings",
  636. "Details":
  637.  
  638.  
  639. "Description": "Harvests credentials from local FTP client softwares",
  640. "Details":
  641.  
  642. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  643.  
  644.  
  645.  
  646.  
  647.  
  648. * Started Service:
  649.  
  650. * Mutexes:
  651. "DefaultTabtip-MainUI",
  652. "CicLoadWinStaWinSta0",
  653. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  654. "Local\\ZoneAttributeCacheCounterMutex",
  655. "Local\\ZonesCacheCounterMutex",
  656. "Local\\ZonesLockedCacheCounterMutex",
  657. "1019785913ENU_94687FE9746877523523",
  658. "Global\\CLR_CASOFF_MUTEX",
  659. "Global\\ADAP_WMI_ENTRY",
  660. "Global\\RefreshRA_Mutex",
  661. "Global\\RefreshRA_Mutex_Lib",
  662. "Global\\RefreshRA_Mutex_Flag"
  663.  
  664.  
  665. * Modified Files:
  666. "C:\\Users\\user\\AppData\\Roaming\\System\\__tmp_rar_sfx_access_check_10411359",
  667. "C:\\Users\\user\\AppData\\Roaming\\System\\Build.exe",
  668. "C:\\Users\\user\\AppData\\Roaming\\System\\1.cparam",
  669. "C:\\Users\\user\\AppData\\Roaming\\System\\WatchBull.exe",
  670. "C:\\Users\\user\\AppData\\Roaming\\System\\dogs\\dasHost.exe",
  671. "C:\\Users\\user\\AppData\\Roaming\\System\\dogs\\regedit.exe",
  672. "C:\\Users\\user\\AppData\\Roaming\\System\\dogs\\RuntimeBroker.exe",
  673. "C:\\Users\\user\\AppData\\Roaming\\System\\dogs\\WebHelper.exe",
  674. "C:\\Users\\user\\AppData\\Roaming\\System\\WatchDog.data",
  675. "C:\\Users\\user\\AppData\\Roaming\\System\\RegeditFrameHost.exe",
  676. "C:\\Users\\user\\AppData\\Roaming\\System\\rubydata\\RubyDog.exe",
  677. "C:\\Users\\user\\AppData\\Roaming\\System\\rubycon",
  678. "C:\\Users\\user\\AppData\\Roaming\\System\\e6ee5674bb9446c78bbc5729af6e2c28.exe",
  679. "C:\\Users\\user\\AppData\\Roaming\\System\\bsprot.dll",
  680. "C:\\Users\\user\\AppData\\Roaming\\System\\autopass.dll",
  681. "C:\\Users\\user\\AppData\\Roaming\\System\\Windows defender.exe",
  682. "C:\\Users\\user\\AppData\\Roaming\\System\\KrXzzhIXVKdi17YT7Z2CN0JlLQNM6x.bat",
  683. "C:\\Users\\user\\AppData\\Roaming\\System\\SQLite.Interop.dll",
  684. "C:\\Users\\user\\AppData\\Roaming\\System\\vmcheck32.dll",
  685. "C:\\Users\\user\\AppData\\Roaming\\System\\systemscr.exe",
  686. "C:\\Users\\user\\AppData\\Roaming\\System\\System.vbe",
  687. "C:\\Users\\user\\AppData\\Roaming\\System\\System.lnk",
  688. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\System.lnk",
  689. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.exe",
  690. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\ENU_94687FE9746877523523",
  691. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  692. "C:\\Windows\\sysnative\\Tasks\\L-2-2-80-1356530792-1217701441-1366651400-3884\\YB1F21I-YBN1-QK3R-1KPA-DGB35R48H8TR",
  693. "\\Device\\LanmanDatagramReceiver",
  694. "\\??\\PIPE\\srvsvc",
  695. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  696. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  697. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  698. "\\??\\WMIDataDevice",
  699. "C:\\Users\\user\\AppData\\Local\\Temp\\aut988C.tmp",
  700. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.sqlite3.module.dll.3",
  701. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.sqlite3.module.dll",
  702. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
  703. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
  704. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data",
  705. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\1\\Screen.jpg",
  706. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\1\\Cookies\\Google Chrome (2).txt",
  707. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
  708. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
  709. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D",
  710. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D",
  711. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771",
  712. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771",
  713. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B1FD6CC4C5C1AAE0D31739D4116C316B_8559BA441DBA460B8A6124F4B2DCE9B1",
  714. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B1FD6CC4C5C1AAE0D31739D4116C316B_8559BA441DBA460B8A6124F4B2DCE9B1",
  715. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4",
  716. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4",
  717. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_C7B398B93BFA7397A840C520A0E096A2",
  718. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_C7B398B93BFA7397A840C520A0E096A2",
  719. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\AD93EFAA98C44CFDF0C0461C0035283C_AA9ABE96428F172F2BD7F5545F8A77F2",
  720. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\AD93EFAA98C44CFDF0C0461C0035283C_AA9ABE96428F172F2BD7F5545F8A77F2",
  721. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\1\\Information.txt",
  722. "C:\\Users\\user\\AppData\\Local\\Temp\\autB274.tmp",
  723. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.module.exe.3",
  724. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.module.exe",
  725. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\ENU_94687FE9746877523523.7z",
  726. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h",
  727. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl.h",
  728. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.ini"
  729.  
  730.  
  731. * Deleted Files:
  732. "C:\\Users\\user\\AppData\\Roaming\\System\\__tmp_rar_sfx_access_check_10411359",
  733. "C:\\Users\\user\\AppData\\Roaming\\System\\Build.exe",
  734. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.2224.10420859",
  735. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2224.10420859",
  736. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.2224.10420859",
  737. "C:\\Windows\\Tasks\\L-2-2-80-1356530792-1217701441-1366651400-3884.job",
  738. "C:\\Windows\\sysnative\\Tasks\\L-2-2-80-1356530792-1217701441-1366651400-3884",
  739. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
  740. "C:\\Users\\user\\AppData\\Local\\Temp\\aut988C.tmp",
  741. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.sqlite3.module.dll.3",
  742. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.sqlite3.module.dll",
  743. "C:\\Users\\user\\AppData\\Local\\Temp\\autB274.tmp",
  744. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.module.exe.3",
  745. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\CHxReadingStringIME.module.exe",
  746. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\1",
  747. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\1\\Information.txt",
  748. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\1\\Screen.jpg",
  749. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\1\\Cookies",
  750. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\1\\Cookies\\Google Chrome (2).txt",
  751. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\ENU_94687FE9746877523523.7z",
  752. "C:\\Users\\user\\AppData\\Roaming\\amd64_microsoft-windows-setup-events\\ENU_94687FE9746877523523",
  753. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl.h",
  754. "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h"
  755.  
  756.  
  757. * Modified Registry Keys:
  758. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  759. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  760. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\FD45961A-5F1B-458B-B481-533498CAD7C6\\Path",
  761. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\FD45961A-5F1B-458B-B481-533498CAD7C6\\Hash",
  762. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\L-2-2-80-1356530792-1217701441-1366651400-3884\\YB1F21I-YBN1-QK3R-1KPA-DGB35R48H8TR\\Id",
  763. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\L-2-2-80-1356530792-1217701441-1366651400-3884\\YB1F21I-YBN1-QK3R-1KPA-DGB35R48H8TR\\Index",
  764. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\FD45961A-5F1B-458B-B481-533498CAD7C6\\Triggers",
  765. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\FD45961A-5F1B-458B-B481-533498CAD7C6\\DynamicInfo",
  766. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
  767. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
  768. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings",
  769. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-00000000-0000-0000-0000-000000000000",
  770. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dllMofResourceName",
  771. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.muiMofResourceName",
  772. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sysACPIMOFResource",
  773. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.muiACPIMOFResource",
  774. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sysMofResourceName",
  775. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.muiMofResourceName",
  776. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sysMofResource",
  777. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.muiMofResource",
  778. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sysHDAudioMofName",
  779. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.muiHDAudioMofName",
  780. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sysPROCESSORWMI",
  781. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.muiPROCESSORWMI",
  782. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYSPortclsMof",
  783. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.muiPortclsMof",
  784. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
  785.  
  786.  
  787. * Deleted Registry Keys:
  788. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  789. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  790. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  791. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  792. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\L-2-2-80-1356530792-1217701441-1366651400-3884.job",
  793. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\L-2-2-80-1356530792-1217701441-1366651400-3884.job.fp",
  794. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyOverride",
  795. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL",
  796. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
  797.  
  798.  
  799. * DNS Communications:
  800.  
  801. "type": "A",
  802. "request": "api.telegram.org",
  803. "answers":
  804.  
  805. "data": "149.154.167.220",
  806. "type": "A"
  807.  
  808.  
  809.  
  810.  
  811. "type": "A",
  812. "request": "ocsp.godaddy.com",
  813. "answers":
  814.  
  815. "data": "ocsp.godaddy.com.akadns.net",
  816. "type": "CNAME"
  817.  
  818.  
  819. "data": "72.167.239.239",
  820. "type": "A"
  821.  
  822.  
  823.  
  824.  
  825. "type": "A",
  826. "request": "ipapi.co",
  827. "answers":
  828.  
  829. "data": "104.25.210.99",
  830. "type": "A"
  831.  
  832.  
  833. "data": "104.25.209.99",
  834. "type": "A"
  835.  
  836.  
  837.  
  838.  
  839. "type": "A",
  840. "request": "ocsp.comodoca4.com",
  841. "answers":
  842.  
  843. "data": "t3j2g9x7.stackpathcdn.com",
  844. "type": "CNAME"
  845.  
  846.  
  847. "data": "151.139.128.14",
  848. "type": "A"
  849.  
  850.  
  851.  
  852.  
  853.  
  854. * Domains:
  855.  
  856. "ip": "149.154.167.220",
  857. "domain": "api.telegram.org"
  858.  
  859.  
  860. "ip": "104.25.209.99",
  861. "domain": "ipapi.co"
  862.  
  863.  
  864. "ip": "151.139.128.14",
  865. "domain": "ocsp.comodoca4.com"
  866.  
  867.  
  868. "ip": "72.167.239.239",
  869. "domain": "ocsp.godaddy.com"
  870.  
  871.  
  872.  
  873. * Network Communication - ICMP:
  874.  
  875. * Network Communication - HTTP:
  876.  
  877. "count": 1,
  878. "body": "",
  879. "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  880. "user-agent": "Microsoft-CryptoAPI/6.1",
  881. "method": "GET",
  882. "host": "www.download.windowsupdate.com",
  883. "version": "1.1",
  884. "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  885. "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 17 May 2019 17:04:26 GMT\r\nIf-None-Match: \"089395d2cd51:0\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
  886. "port": 80
  887.  
  888.  
  889. "count": 1,
  890. "body": "",
  891. "uri": "http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D",
  892. "user-agent": "Microsoft-CryptoAPI/6.1",
  893. "method": "GET",
  894. "host": "ocsp.godaddy.com",
  895. "version": "1.1",
  896. "path": "//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D",
  897. "data": "GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.godaddy.com\r\n\r\n",
  898. "port": 80
  899.  
  900.  
  901. "count": 1,
  902. "body": "",
  903. "uri": "http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D",
  904. "user-agent": "Microsoft-CryptoAPI/6.1",
  905. "method": "GET",
  906. "host": "ocsp.godaddy.com",
  907. "version": "1.1",
  908. "path": "//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D",
  909. "data": "GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.godaddy.com\r\n\r\n",
  910. "port": 80
  911.  
  912.  
  913. "count": 1,
  914. "body": "",
  915. "uri": "http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQChwNmuhlFIyg%3D%3D",
  916. "user-agent": "Microsoft-CryptoAPI/6.1",
  917. "method": "GET",
  918. "host": "ocsp.godaddy.com",
  919. "version": "1.1",
  920. "path": "//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQChwNmuhlFIyg%3D%3D",
  921. "data": "GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQChwNmuhlFIyg%3D%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.godaddy.com\r\n\r\n",
  922. "port": 80
  923.  
  924.  
  925. "count": 1,
  926. "body": "",
  927. "uri": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
  928. "user-agent": "Microsoft-CryptoAPI/6.1",
  929. "method": "GET",
  930. "host": "ocsp.usertrust.com",
  931. "version": "1.1",
  932. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
  933. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1\r\nCache-Control: max-age = 94765\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Mon, 11 Mar 2019 04:19:13 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.usertrust.com\r\n\r\n",
  934. "port": 80
  935.  
  936.  
  937. "count": 1,
  938. "body": "",
  939. "uri": "http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D",
  940. "user-agent": "Microsoft-CryptoAPI/6.1",
  941. "method": "GET",
  942. "host": "ocsp.comodoca4.com",
  943. "version": "1.1",
  944. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D",
  945. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.comodoca4.com\r\n\r\n",
  946. "port": 80
  947.  
  948.  
  949. "count": 1,
  950. "body": "",
  951. "uri": "http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEGbZBgaEG1afQkxO0Kqs%2FzU%3D",
  952. "user-agent": "Microsoft-CryptoAPI/6.1",
  953. "method": "GET",
  954. "host": "ocsp.comodoca4.com",
  955. "version": "1.1",
  956. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEGbZBgaEG1afQkxO0Kqs%2FzU%3D",
  957. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEGbZBgaEG1afQkxO0Kqs%2FzU%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.comodoca4.com\r\n\r\n",
  958. "port": 80
  959.  
  960.  
  961.  
  962. * Network Communication - SMTP:
  963.  
  964. * Network Communication - Hosts:
  965.  
  966. * Network Communication - IRC: