paladin316

Exes_2bafe52150d3c2f18382848d832e3211_exe_2019-07-15_20_30.txt

Jul 15th, 2019
  1.  
  2. * MalFamily: "PWStealer"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_2bafe52150d3c2f18382848d832e3211.exe"
  7. * File Size: 260096
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "0a4cc9853314d239f89249e5b6acae8ab2d3e5afbd9e124b6571517a12a00a80"
  10. * MD5: "2bafe52150d3c2f18382848d832e3211"
  11. * SHA1: "31182a580758a69c3dcdbe8fb3e6e4126bbc7dc0"
  12. * SHA512: "981c60770f7cefd705a010ac438f74cdefce2f7f5d6d0c4c3a5d519e8b662aa18b070514ce8c4cb6e70a81a1a9be7acd1e66b7a8035817abdac60ca86029dc5d"
  13. * CRC32: "95986EF4"
  14. * SSDEEP: "6144:8/FsObxyl2q+qGFcSRlQLyQrByo+kdwVBkKeX:8/hMl2FqGIRA9IwVBkX"
  15.  
  16. * Process Execution:
  17. "Exes_2bafe52150d3c2f18382848d832e3211.exe",
  18. "Exes_2bafe52150d3c2f18382848d832e3211.exe",
  19. "services.exe",
  20. "lsass.exe",
  21. "lsass.exe",
  22. "lsass.exe",
  23. "lsass.exe",
  24. "lsass.exe",
  25. "lsass.exe",
  26. "lsass.exe",
  27. "lsass.exe",
  28. "lsass.exe"
  29.  
  30.  
  31. * Executed Commands:
  32. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_2bafe52150d3c2f18382848d832e3211.exe --vwxyz",
  33. "C:\\Windows\\system32\\lsass.exe"
  34.  
  35.  
  36. * Signatures Detected:
  37.  
  38. "Description": "Attempts to connect to a dead IP:Port (3 unique IP:Port pairs)",
  39. "Details":
  40.  
  41. "IP": "5.45.127.15:443"
  42.  
  43.  
  44. "IP": "192.35.177.64:80"
  45.  
  46.  
  47. "IP": "23.15.4.24:80"
  48.  
  49.  
  50.  
  51.  
  52. "Description": "Creates RWX memory",
  53. "Details":
  54.  
  55.  
  56. "Description": "Starts servers listening on 127.0.0.1:281, 127.0.0.1:402",
  57. "Details":
  58.  
  59.  
  60. "Description": "Reads data out of its own binary image",
  61. "Details":
  62.  
  63. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00000000, length: 0x00000600"
  64.  
  65.  
  66. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00000000, length: 0x00001000"
  67.  
  68.  
  69. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00000000, length: 0x00005e00"
  70.  
  71.  
  72. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00000000, length: 0x0003f800"
  73.  
  74.  
  75. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00000600, length: 0x00001200"
  76.  
  77.  
  78. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00001000, length: 0x0000fe00"
  79.  
  80.  
  81. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00001800, length: 0x00006800"
  82.  
  83.  
  84. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00005e00, length: 0x0000c800"
  85.  
  86.  
  87. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00008000, length: 0x00016c00"
  88.  
  89.  
  90. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00010e00, length: 0x00018a00"
  91.  
  92.  
  93. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00012600, length: 0x0000ca00"
  94.  
  95.  
  96. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x0001ec00, length: 0x0000b600"
  97.  
  98.  
  99. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x0001f000, length: 0x0000c800"
  100.  
  101.  
  102. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x0002a200, length: 0x00002600"
  103.  
  104.  
  105. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x0002b800, length: 0x00001200"
  106.  
  107.  
  108. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x0002c800, length: 0x00008200"
  109.  
  110.  
  111. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x0002ca00, length: 0x0000aa00"
  112.  
  113.  
  114. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00034a00, length: 0x0000b800"
  115.  
  116.  
  117. "self_read": "process: Exes_2bafe52150d3c2f18382848d832e3211.exe, pid: 2084, offset: 0x00037400, length: 0x00000a00"
  118.  
  119.  
  120.  
  121.  
  122. "Description": "Performs some HTTP requests",
  123. "Details":
  124.  
  125. "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
  126.  
  127.  
  128. "url": "http://apps.identrust.com/roots/dstrootcax3.p7c"
  129.  
  130.  
  131.  
  132.  
  133. "Description": "A process attempted to delay the analysis task for a long period of time.",
  134. "Details":
  135.  
  136. "Process": "Exes_2bafe52150d3c2f18382848d832e3211.exe tried to sleep 13597 seconds, actually delayed analysis time by 0 seconds"
  137.  
  138.  
  139.  
  140.  
  141. "Description": "Calls a single API repeatedly many times in order to delay analysis",
  142. "Details":
  143.  
  144. "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 14053278 times"
  145.  
  146.  
  147.  
  148.  
  149. "Description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
  150. "Details":
  151.  
  152. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_8"
  153.  
  154.  
  155. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_7"
  156.  
  157.  
  158. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_6"
  159.  
  160.  
  161. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_5"
  162.  
  163.  
  164. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_4"
  165.  
  166.  
  167. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_3"
  168.  
  169.  
  170. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_2"
  171.  
  172.  
  173. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_1"
  174.  
  175.  
  176. "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_0"
  177.  
  178.  
  179.  
  180.  
  181. "Description": "Steals private information from local Internet browsers",
  182. "Details":
  183.  
  184. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  185.  
  186.  
  187. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  188.  
  189.  
  190. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  191.  
  192.  
  193. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  194.  
  195.  
  196. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  197.  
  198.  
  199. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  200.  
  201.  
  202. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  203.  
  204.  
  205. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  206.  
  207.  
  208. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  209.  
  210.  
  211. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  212.  
  213.  
  214. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  215.  
  216.  
  217. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  218.  
  219.  
  220. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  221.  
  222.  
  223. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  224.  
  225.  
  226. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  227.  
  228.  
  229. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal"
  230.  
  231.  
  232. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  233.  
  234.  
  235. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  236.  
  237.  
  238. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies Backup"
  239.  
  240.  
  241. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  242.  
  243.  
  244. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  245.  
  246.  
  247. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data Backup"
  248.  
  249.  
  250. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal"
  251.  
  252.  
  253.  
  254.  
  255. "Description": "Behavior consistent with a dropper attempting to download the next stage.",
  256. "Details":
  257.  
  258. "File": "/rpersist4/-1785172236 was requested from hosts: madregobilsg.com, kladrykroptur.com, chaabattent.com, kerymarynicegross.com, pillygreamstronh.com"
  259.  
  260.  
  261.  
  262.  
  263. "Description": "File has been identified as malicious by 16 antivirus engines on VirusTotal",
  264. "Details":
  265.  
  266. "Cylance": "Unsafe"
  267.  
  268.  
  269. "Invincea": "heuristic"
  270.  
  271.  
  272. "APEX": "Malicious"
  273.  
  274.  
  275. "Rising": "Trojan.Generic@ML.100 (RDML:idADg3cfkKGf3ZIrT6BHeg)"
  276.  
  277.  
  278. "Endgame": "malicious (high confidence)"
  279.  
  280.  
  281. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.dh"
  282.  
  283.  
  284. "Trapmine": "malicious.high.ml.score"
  285.  
  286.  
  287. "FireEye": "Generic.mg.2bafe52150d3c2f1"
  288.  
  289.  
  290. "Microsoft": "Trojan:Win32/Fuerboos.E!cl"
  291.  
  292.  
  293. "Acronis": "suspicious"
  294.  
  295.  
  296. "VBA32": "BScope.Trojan.Azden"
  297.  
  298.  
  299. "ESET-NOD32": "a variant of Win32/Kryptik.GPLI"
  300.  
  301.  
  302. "SentinelOne": "DFI - Malicious PE"
  303.  
  304.  
  305. "Cybereason": "malicious.80758a"
  306.  
  307.  
  308. "CrowdStrike": "win/malicious_confidence_100% (W)"
  309.  
  310.  
  311. "Qihoo-360": "HEUR/QVM09.0.8B7D.Malware.Gen"
  312.  
  313.  
  314.  
  315.  
  316. "Description": "Checks the BIOS version, possibly for anti-virtualization",
  317. "Details":
  318.  
  319.  
  320. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  321. "Details":
  322.  
  323.  
  324. "Description": "Checks the presence of disk drives in the registry, possibly for anti-virtualization",
  325. "Details":
  326.  
  327.  
  328. "Description": "Attempts to modify browser security settings",
  329. "Details":
  330.  
  331.  
  332. "Description": "Harvests credentials from local FTP client software",
  333. "Details":
  334.  
  335. "file": "C:\\Program Files (x86)\\CuteFTP\\sm.dat"
  336.  
  337.  
  338. "file": "C:\\Users\\user\\AppData\\Local\\CuteFTP\\sm.dat"
  339.  
  340.  
  341. "file": "C:\\Users\\user\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat"
  342.  
  343.  
  344. "file": "C:\\Users\\user\\AppData\\Roaming\\CuteFTP\\sm.dat"
  345.  
  346.  
  347. "file": "C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat"
  348.  
  349.  
  350. "file": "C:\\ProgramData\\CuteFTP\\sm.dat"
  351.  
  352.  
  353. "file": "C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat"
  354.  
  355.  
  356. "file": "C:\\Users\\user\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat"
  357.  
  358.  
  359. "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\sitemanager.xml"
  360.  
  361.  
  362. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
  363.  
  364.  
  365. "file": "C:\\ProgramData\\FileZilla\\sitemanager.xml"
  366.  
  367.  
  368. "file": "C:\\ProgramData\\FileZilla\\recentservers.xml"
  369.  
  370.  
  371. "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\recentservers.xml"
  372.  
  373.  
  374. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  375.  
  376.  
  377. "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Windows Commander"
  378.  
  379.  
  380. "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Windows Commander"
  381.  
  382.  
  383. "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
  384.  
  385.  
  386. "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Total Commander"
  387.  
  388.  
  389. "key": "HKEY_CURRENT_USER\\Software\\FileZilla"
  390.  
  391.  
  392. "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla"
  393.  
  394.  
  395. "key": "HKEY_CURRENT_USER\\Software\\FileZilla Client"
  396.  
  397.  
  398. "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla Client"
  399.  
  400.  
  401.  
  402.  
  403. "Description": "Harvests information related to installed mail clients",
  404. "Details":
  405.  
  406. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
  407.  
  408.  
  409. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings"
  410.  
  411.  
  412. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
  413.  
  414.  
  415. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
  416.  
  417.  
  418. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
  419.  
  420.  
  421. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP User"
  422.  
  423.  
  424. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
  425.  
  426.  
  427. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  428.  
  429.  
  430. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Server"
  431.  
  432.  
  433. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  434.  
  435.  
  436. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Server"
  437.  
  438.  
  439. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP User"
  440.  
  441.  
  442. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
  443.  
  444.  
  445. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  446.  
  447.  
  448. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
  449.  
  450.  
  451. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
  452.  
  453.  
  454. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
  455.  
  456.  
  457. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
  458.  
  459.  
  460. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Server"
  461.  
  462.  
  463. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
  464.  
  465.  
  466. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  467.  
  468.  
  469. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
  470.  
  471.  
  472. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP User"
  473.  
  474.  
  475. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 User"
  476.  
  477.  
  478. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
  479.  
  480.  
  481. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
  482.  
  483.  
  484. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
  485.  
  486.  
  487. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
  488.  
  489.  
  490. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP User"
  491.  
  492.  
  493. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
  494.  
  495.  
  496. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 User"
  497.  
  498.  
  499. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Server"
  500.  
  501.  
  502. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Server"
  503.  
  504.  
  505. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  506.  
  507.  
  508. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
  509.  
  510.  
  511. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
  512.  
  513.  
  514. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
  515.  
  516.  
  517. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
  518.  
  519.  
  520. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
  521.  
  522.  
  523. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Server"
  524.  
  525.  
  526. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
  527.  
  528.  
  529. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
  530.  
  531.  
  532. "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
  533.  
  534.  
  535.  
  536.  
  537. "Description": "Collects information to fingerprint the system",
  538. "Details":
  539.  
  540.  
  541.  
  542. * Started Service:
  543. "KeyIso",
  544. "VaultSvc"
  545.  
  546.  
  547. * Mutexes:
  548. "ServiceEntryPointThread",
  549. "DBWinMutex"
  550.  
  551.  
  552. * Modified Files:
  553. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_2bafe52150d3c2f18382848d832e3211.inf",
  554. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
  555. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
  556. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
  557. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
  558. "\\??\\PIPE\\wkssvc",
  559. "\\??\\PIPE\\srvsvc",
  560. "C:\\Users\\user\\AppData\\Local\\Temp\\cookies.sqlite",
  561. "C:\\Users\\user\\AppData\\Local\\Temp\\cookies.sqlite-journal",
  562. "C:\\Users\\user\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\Cookies Backup",
  563. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies Backup",
  564. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data Backup",
  565. "C:\\Users\\user\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\Login Data Backup"
  566.  
  567.  
  568. * Deleted Files:
  569. "C:\\Users\\user\\AppData\\Local\\Temp\\cookies.sqlite-journal",
  570. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies Backup",
  571. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data Backup"
  572.  
  573.  
  574. * Modified Registry Keys:
  575. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\2500",
  576. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\2500",
  577. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2\\2500",
  578. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\2500",
  579. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4\\2500",
  580. "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs",
  581. "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Count",
  582. "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Path1",
  583. "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Section1",
  584. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_0",
  585. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_1",
  586. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_2",
  587. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_3",
  588. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_4",
  589. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_5",
  590. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_6",
  591. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_7",
  592. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_8",
  593. "HKEY_CURRENT_USER\\Software\\Microsoft\\2dc03b67-bbe0-46f6-a506-c0799ccb1f6b",
  594. "HKEY_CURRENT_USER\\Software\\Microsoft\\ec58180b-dfce-4a67-b18b-e6d83b3e979b",
  595. "HKEY_CURRENT_USER\\Software\\Microsoft\\7ade5bfc-66f6-4220-aa24-6032bdb90317",
  596. "HKEY_CURRENT_USER\\Software\\Microsoft\\102f49a9-80c9-42ee-8924-3256738fc621",
  597. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\VaultSvc\\Type",
  598. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\KeyIso\\Type"
  599.  
  600.  
  601. * Deleted Registry Keys:
  602. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_0",
  603. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_1",
  604. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_2",
  605. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_3",
  606. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_4",
  607. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_5",
  608. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_6",
  609. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_7",
  610. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_8",
  611. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_9",
  612. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_10",
  613. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_11",
  614. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_12",
  615. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_13",
  616. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_14",
  617. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_15",
  618. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_16",
  619. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_17",
  620. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_18",
  621. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_19",
  622. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_20",
  623. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_21",
  624. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_22",
  625. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_23",
  626. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_24",
  627. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_25",
  628. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_26",
  629. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_27",
  630. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_28",
  631. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_29",
  632. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_30",
  633. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_31",
  634. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_32",
  635. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_33",
  636. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_34",
  637. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_35",
  638. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_36",
  639. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_37",
  640. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_38",
  641. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_39",
  642. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_40",
  643. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_41",
  644. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_42",
  645. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_43",
  646. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_44",
  647. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_45",
  648. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_46",
  649. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_47",
  650. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_48",
  651. "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_49"
  652.  
  653.  
  654. * DNS Communications:
  655.  
  656. "type": "A",
  657. "request": "chaabattent.com",
  658. "answers":
  659.  
  660. "data": "5.45.127.15",
  661. "type": "A"
  662.  
  663.  
  664.  
  665.  
  666. "type": "A",
  667. "request": "kladrykroptur.com",
  668. "answers":
  669.  
  670. "data": "51.15.37.44",
  671. "type": "A"
  672.  
  673.  
  674.  
  675.  
  676. "type": "A",
  677. "request": "apps.identrust.com",
  678. "answers":
  679.  
  680. "data": "192.35.177.64",
  681. "type": "A"
  682.  
  683.  
  684. "data": "apps.digsigtrust.com",
  685. "type": "CNAME"
  686.  
  687.  
  688.  
  689.  
  690. "type": "A",
  691. "request": "madregobilsg.com",
  692. "answers":
  693.  
  694. "data": "",
  695. "type": "NXDOMAIN"
  696.  
  697.  
  698.  
  699.  
  700. "type": "A",
  701. "request": "kerymarynicegross.com",
  702. "answers":
  703.  
  704. "data": "",
  705. "type": "NXDOMAIN"
  706.  
  707.  
  708.  
  709.  
  710. "type": "A",
  711. "request": "pillygreamstronh.com",
  712. "answers":
  713.  
  714. "data": "",
  715. "type": "NXDOMAIN"
  716.  
  717.  
  718.  
  719.  
  720.  
  721. * Domains:
  722.  
  723. "ip": "",
  724. "domain": "pillygreamstronh.com"
  725.  
  726.  
  727. "ip": "",
  728. "domain": "madregobilsg.com"
  729.  
  730.  
  731. "ip": "51.15.37.44",
  732. "domain": "kladrykroptur.com"
  733.  
  734.  
  735. "ip": "192.35.177.64",
  736. "domain": "apps.identrust.com"
  737.  
  738.  
  739. "ip": "",
  740. "domain": "kerymarynicegross.com"
  741.  
  742.  
  743. "ip": "5.45.127.15",
  744. "domain": "chaabattent.com"
  745.  
  746.  
  747.  
  748. * Network Communication - ICMP:
  749.  
  750. * Network Communication - HTTP:
  751.  
  752. "count": 1,
  753. "body": "",
  754. "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  755. "user-agent": "Microsoft-CryptoAPI/6.1",
  756. "method": "GET",
  757. "host": "www.download.windowsupdate.com",
  758. "version": "1.1",
  759. "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  760. "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Feb 2019 16:53:13 GMT\r\nIf-None-Match: \"80e22c19cfcad41:0\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
  761. "port": 80
  762.  
  763.  
  764. "count": 1,
  765. "body": "",
  766. "uri": "http://apps.identrust.com/roots/dstrootcax3.p7c",
  767. "user-agent": "Microsoft-CryptoAPI/6.1",
  768. "method": "GET",
  769. "host": "apps.identrust.com",
  770. "version": "1.1",
  771. "path": "/roots/dstrootcax3.p7c",
  772. "data": "GET /roots/dstrootcax3.p7c HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: apps.identrust.com\r\n\r\n",
  773. "port": 80
  774.  
  775.  
  776.  
  777. * Network Communication - SMTP:
  778.  
  779. * Network Communication - Hosts:
  780.  
  781. * Network Communication - IRC: