ZeroShiftier

Untitled

Dec 11th, 2017
  1.  
  2. Report generated with Buster Sandbox Analyzer 1.88 at 21:23:40 on 10/12/2017
  3.  
  4. [ General information ]
  5. * File name: C:\Documents and Settings\Administrator\My Documents\Downloads\GatherBattle_Final\SonicSAGE.exe
  6. * Process crashed
  7.  
  8. [ Changes to filesystem ]
  9. * Creates file (empty) C:\WINDOWS\system32\Alaelib.dll
  10. * Modifies file C:\Documents and Settings\Administrator\Cookies\index.dat
  11. * Modifies file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  12. * Modifies file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  13. * Modifies file C:\Documents and Settings\Administrator\My Documents\Downloads\GatherBattle_Final\savedata
  14.  
  15. [ Changes to registry ]
  16. * Modifies value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
  17. old value empty
  18. * Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
  19. * Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
  20. * Creates value "ITBarLayout=110000004C00000000000000240000001B000000560000000100000020070000A00F00000500000062050000260000000200000021070000A00F00000400000021010000A00F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Toolbar\Explorer
  21. * Modifies value "iWindowPosX=00000051" in key HKEY_CURRENT_USER\software\Microsoft\Notepad
  22. old value "iWindowPosX=00000003"
  23. * Modifies value "iWindowPosY=00000070" in key HKEY_CURRENT_USER\software\Microsoft\Notepad
  24. old value "iWindowPosY=00000078"
  25. * Modifies value "HRZR_EHACNGU=05000000990000000066DE6E2D72D301" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
  26. old value "HRZR_EHACNGU=05000000A5000000F0D93F9B8B72D301"
  27. * Creates value "FbavpFNTR.rkr=05000000080000000066DE6E2D72D301" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Fnaqobk\Nqzvavfgengbe\QrsnhygObk\hfre\pheerag\Zl Qbphzragf\Qbjaybnqf\TngureOnggyr_Svany
  28. * Creates Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017121020171211
  29. * Modifies value "WinPos1024x768(1).left=00000159" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell
  30. old value "WinPos1024x768(1).left=00000176"
  31. * Modifies value "WinPos1024x768(1).top=0000001D" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell
  32. old value "WinPos1024x768(1).top=0000003A"
  33. * Modifies value "WinPos1024x768(1).right=000003B1" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell
  34. old value "WinPos1024x768(1).right=000003CE"
  35. * Modifies value "WinPos1024x768(1).bottom=000001B1" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell
  36. old value "WinPos1024x768(1).bottom=000001CE"
  37. * Modifies value "WinPos1024x768(1).left=0000007B" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell
  38. old value "WinPos1024x768(1).left=00000084"
  39. * Modifies value "WinPos1024x768(1).top=0000005B" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell
  40. old value "WinPos1024x768(1).top=0000008A"
  41. * Modifies value "WinPos1024x768(1).right=0000039B" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell
  42. old value "WinPos1024x768(1).right=000003A4"
  43. * Modifies value "WinPos1024x768(1).bottom=000002B3" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell
  44. old value "WinPos1024x768(1).bottom=000002E2"
  45. * Modifies value "ColInfo=00000000000000000000000000000000FDDFDFFD0F0006002800100034004800000000000100000002000000030000000400000005000000B400600078007800B400B40000000000010000000200000003000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell
  46. old value "ColInfo=00000000000000000000000000000000FDDFDFFD0F0000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000"
  47. * Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
  48.  
  49. [ Network services ]
  50. * Looks for an Internet connection.
  51. * Queries DNS "whatsmyip.net".
  52. * Queries DNS "od.lk".
  53. * Queries DNS "www.sonicbattle.ga".
  54. * Queries DNS "play.google.com".
  55. * Queries DNS "play.l.google.com".
  56. * Queries DNS "tiles.services.mozilla.com".
  57. * Queries DNS "tiles.r53-2.services.mozilla.com".
  58. * Queries DNS "www.pastebin.com".
  59. * Queries DNS "pastebin.com".
  60. * Queries DNS "pub.freestar.io".
  61. * Queries DNS "cdn.carbonads.com".
  62. * Queries DNS "tags.expo9.exponential.com".
  63. * Queries DNS "cdn.fancybar.net".
  64. * Queries DNS "carbonads.bsa.netdna-cdn.com".
  65. * Queries DNS "www.google-analytics.com".
  66. * Queries DNS "fancybar.bsa.netdna-cdn.com".
  67. * Queries DNS "stats.g.doubleclick.net".
  68. * Queries DNS "tags.expo9.exponential.com.akadns.net".
  69. * Queries DNS "secure.quantserve.com".
  70. * Queries DNS "www-google-analytics.l.google.com".
  71. * Queries DNS "sb.scorecardresearch.com".
  72. * Queries DNS "stats.l.doubleclick.net".
  73. * Queries DNS "ocsp.comodoca.com".
  74. * Queries DNS "px-chg004.quantserve.com.akadns.net".
  75. * Queries DNS "e1879.e7.akamaiedge.net".
  76. * Queries DNS "ocsp.godaddy.com".
  77. * Queries DNS "rules.quantcount.com".
  78. * Queries DNS "ocsp.godaddy.com.akadns.net".
  79. * Queries DNS "d2fashanjl7d9f.cloudfront.net".
  80. * Queries DNS "s.tribalfusion.com".
  81. * Queries DNS "a-scl1.tribalfusion.com.akadns.net".
  82. * Queries DNS "pixel.quantserve.com".
  83. * Queries DNS "srv.carbonads.net".
  84. * Queries DNS "srv.buysellads.com".
  85. * Queries DNS "assets.servedby-buysellads.com".
  86. * Queries DNS "servedby.flashtalking.com".
  87. * Queries DNS "vip0x013.map2.ssl.hwcdn.net".
  88. * Queries DNS "proassets.bsa.netdna-cdn.com".
  89. * Queries DNS "cdnx.tribalfusion.com".
  90. * Queries DNS "www.googletagservices.com".
  91. * Queries DNS "e10524.g.akamaiedge.net".
  92. * Queries DNS "pixel.adsafeprotected.com".
  93. * Queries DNS "pagead46.l.doubleclick.net".
  94. * Queries DNS "anycast.pixel.adsafeprotected.com".
  95. * Queries DNS "ss.symcd.com".
  96. * Queries DNS "e8218.dscb1.akamaiedge.net".
  97. * Queries DNS "ad.doubleclick.net".
  98. * Queries DNS "dart.l.doubleclick.net".
  99. * Queries DNS "pagead2.googlesyndication.com".
  100. * Queries DNS "tpc.googlesyndication.com".
  101. * Queries DNS "pagead-googlehosted.l.google.com".
  102. * Queries DNS "sc.iasds01.com".
  103. * Queries DNS "dt.adsafeprotected.com".
  104. * Queries DNS "anycast.sc.iasds01.com".
  105. * Queries DNS "s0.2mdn.net".
  106. * Queries DNS "s0-2mdn-net.l.google.com".
  107. * Queries DNS "anycast.dt.adsafeprotected.com".
  108. * Queries DNS "cdn.krxd.net".
  109. * Queries DNS "googleads4.g.doubleclick.net".
  110. * Queries DNS "cdn-fastly.krxd.net.c.global-ssl.fastly.net".
  111. * Queries DNS "pagead.l.doubleclick.net".
  112. * Queries DNS "static.adsafeprotected.com".
  113. * Queries DNS "anycast.static.adsafeprotected.com".
  114. * Queries DNS "cdnjs.cloudflare.com".
  115. * Queries DNS "a.tribalfusion.com".
  116. * Queries DNS "ajax.googleapis.com".
  117. * Queries DNS "us-u.openx.net".
  118. * Queries DNS "googleapis.l.google.com".
  119. * Queries DNS "geo-um.btrll.com".
  120. * Queries DNS "simage2.pubmatic.com".
  121. * Queries DNS "pug33000n.pubmatic.com".
  122. * Queries DNS "pixel.rubiconproject.com".
  123. * Queries DNS "dpm.demdex.net".
  124. * Queries DNS "ums.adtechus.com".
  125. * Queries DNS "pixel.rubiconproject.net.akadns.net".
  126. * Queries DNS "dcs-edge-usw2-620097651.us-west-2.elb.amazonaws.com".
  127. * Queries DNS "dsum-sec.casalemedia.com".
  128. * Queries DNS "ib.adnxs.com".
  129. * Queries DNS "sync.adaptv.advertising.com".
  130. * Queries DNS "ads.stickyadstv.com".
  131. * Queries DNS "cm.g.doubleclick.net".
  132. * Queries DNS "pixel.advertising.com".
  133. * Queries DNS "e8037.g.akamaiedge.net".
  134. * Queries DNS "sync.search.spotxchange.com".
  135. * Queries DNS "cs939.wac.thetacdn.net".
  136. * Queries DNS "log-b-1270450396.us-west-1.elb.amazonaws.com".
  137. * Queries DNS "ib.anycast.adnxs.com".
  138. * Queries DNS "dmp-pixel.aolp-prd.public.aol.com".
  139. * Queries DNS "fonts.googleapis.com".
  140. * Queries DNS "cache.btrll.com".
  141. * Queries DNS "fp4.ads.stickyadstv.com.akadns.net".
  142. * Queries DNS "beacon.krxd.net".
  143. * Queries DNS "den01.sync.search.spotxchange.com".
  144. * Queries DNS "googleadapis.l.google.com".
  145. * Queries DNS "d1ibts9hn2apvm.cloudfront.net".
  146. * Queries DNS "beacon-17-537698933.us-east-1.elb.amazonaws.com".
  147. * Queries DNS "torque.admission.net".
  148. * Queries DNS "d14eam6yhxudjw.cloudfront.net".
  149. * Queries DNS "da.admission.net".
  150. * Queries DNS "combined-x-prod-1727023841.us-west-1.elb.amazonaws.com".
  151. * Queries DNS "ocsp.sca1b.amazontrust.com".
  152. * Queries DNS "cdn.admission.net".
  153. * Queries DNS "d2vbol2ne6iyzw.cloudfront.net".
  154. * Queries DNS "dt.admission.net".
  155. * Queries DNS "traffic.prod.cobaltgroup.com".
  156. * Queries DNS "nginxi-ext-las-prd.cdk.com".
  157. * Queries DNS "ocsp.digicert.com".
  158. * Queries DNS "cs9.wac.phicdn.net".
  159. * Queries DNS "z.moatads.com".
  160. * Queries DNS "e13136.g.akamaiedge.net".
  161. * Queries DNS "shavar.services.mozilla.com".
  162. * Queries DNS "shavar.prod.mozaws.net".
  163. * Queries DNS "px.moatads.com".
  164. * Queries DNS "safebrowsing.google.com".
  165. * Queries DNS "sb.l.google.com".
  166. * Queries DNS "safebrowsing-cache.google.com".
  167. * Queries DNS "safebrowsing.cache.l.google.com".
  168. * Queries DNS "web.opendrive.com".
  169. * Queries DNS "cs924.wac.thetacdn.net".
  170. * Queries DNS "log-c-2144142094.us-west-1.elb.amazonaws.com".
  171. * Queries DNS "www.microsoft.com".
  172. * Queries DNS "home.microsoft.com".
  173. * Queries DNS "www.msn.com".
  174. * Queries DNS "c.msn.com".
  175. * Queries DNS "otf.msn.com".
  176. * Queries DNS "at.atwola.com".
  177. * Queries DNS "static-global-s-msn-com.akamaized.net".
  178. * Queries DNS "c.bing.com".
  179. * Queries DNS "m.adnxs.com".
  180. * Queries DNS "ads-us.pictela.net".
  181. * Queries DNS "sp.analytics.yahoo.com".
  182. * Queries DNS "nym1-ib.adnxs.com".
  183. * Queries DNS "cdn.adnxs.com".
  184. * Queries DNS "static.onlinesyn.com".
  185. * Queries DNS "g.bing.com".
  186. * Queries DNS "static.chartbeat.com".
  187. * Queries DNS "www.bizographics.com".
  188. * Queries DNS "us-east-1.dc.ads.linkedin.com".
  189. * Queries DNS "ping.chartbeat.net".
  190. * Queries DNS "secure.adnxs.com".
  191. * Queries DNS "www.linkedin.com".
  192. * Queries DNS "dc.ads.linkedin.com".
  193. * Queries DNS "www.opendrive.com".
  194. * C:\Documents and Settings\Administrator\My Documents\Downloads\GatherBattle_Final\SonicSAGE.exe Connects to "141.138.200.249" on port 80 (TCP - HTTP).
  195. * C:\Documents and Settings\Administrator\My Documents\Downloads\GatherBattle_Final\SonicSAGE.exe Connects to "38.108.185.79" on port 443 (TCP - HTTPS).
  196. * C:\Documents and Settings\Administrator\My Documents\Downloads\GatherBattle_Final\SonicSAGE.exe Connects to "172.217.4.83" on port 80 (TCP - HTTP).
  197. * C:\Documents and Settings\Administrator\My Documents\Downloads\GatherBattle_Final\SonicSAGE.exe Connects to "192.168.239.133" on port 4295 (TCP - HTTPS).
  198. * Downloads file from "whatsmyip.net/".
  199. * Downloads file from "www.sonicbattle.ga/".
  200. * Opens next URLs:
  201. http://whatsmyip.net/
  202. https://od.lk/s/117124254_OnAttackSonic
  203. http://www.sonicbattle.ga
  204.  
  205. [ Process/window/string information ]
  206. * Gets user name information.
  207. * Gets computer name.
  208. * Checks for debuggers.
  209. * Creates a mutex "DirectSound DllMain mutex (0x000007A8)".
  210. * Creates a mutex "CTF.LBES.MutexDefaultS-1-5-21-484763869-630328440-725345543-500".
  211. * Creates a mutex "CTF.Compart.MutexDefaultS-1-5-21-484763869-630328440-725345543-500".
  212. * Creates a mutex "CTF.Asm.MutexDefaultS-1-5-21-484763869-630328440-725345543-500".
  213. * Creates a mutex "CTF.Layouts.MutexDefaultS-1-5-21-484763869-630328440-725345543-500".
  214. * Creates a mutex "CTF.TMD.MutexDefaultS-1-5-21-484763869-630328440-725345543-500".
  215. * Creates a mutex "CTF.TimListCache.FMPDefaultS-1-5-21-484763869-630328440-725345543-500MUTEX.DefaultS-1-5-21-484763869-630328440-725345543-500".
  216. * Creates a mutex "Local\_!MSFTHISTORY!_".
  217. * Creates a mutex "Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!".
  218. * Creates a mutex "Local\c:!documents and settings!administrator!cookies!".
  219. * Creates a mutex "Local\c:!documents and settings!administrator!local settings!history!history.ie5!".
  220. * Creates a mutex "RasPbFile".
  221. * Lists all entry names in a remote access phone book.
  222. * Opens a service named "RASMAN".
  223. * Opens a service named "Sens".
  224. * Creates a mutex "Local\ZonesCounterMutex".
  225. * Creates a mutex "Local\!IETld!Mutex".
  226. * Creates a mutex "Local\ZoneAttributeCacheCounterMutex".
  227. * Creates a mutex "Local\ZonesCacheCounterMutex".
  228. * Creates a mutex "Local\ZonesLockedCacheCounterMutex".
  229. * Creates a mutex "Local\c:!documents and settings!administrator!ietldcache!".
  230. * Creates a mutex "DDrawWindowListMutex".
  231. * Creates a mutex "__DDrawExclMode__".
  232. * Creates a mutex "__DDrawCheckExclMode__".
  233. * Enumerates running processes.
  234. * Creates process "null, C:\WINDOWS\system32\dwwin.exe -x -s 1252, C:\WINDOWS\system32".
  235. * Contains string Checked for AVG security software presence ("AVGW")