
Ursnif_b4a626c867d7e38bfd9ccef983771c91_eMalware JSON Report

Jun 17th, 2019
  1.  
  2. [*] MalFamily: ""
  3.  
  4. [*] MalScore: 9.4
  5.  
  6. [*] File Name: "Ursnif_b4a626c867d7e38bfd9ccef983771c91.exe"
  7. [*] File Size: 562688
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "47df462c8233923d1fbb1a1af1c007bc39aff88db4558d0cee56e21cf18d4b3c"
  10. [*] MD5: "b4a626c867d7e38bfd9ccef983771c91"
  11. [*] SHA1: "cfb9f3c622b1195530c676cfb662d5fbdb616eeb"
  12. [*] SHA512: "b23b0aeae09fece92658c91a0990ada29e680bd53550481aed80fa6851794135f5c141e5ae2dfe41b9b899e69b1a6c32100195f2779c901c5dbc97d780f98d1b"
  13. [*] CRC32: "7D3B15E2"
  14. [*] SSDEEP: "6144:QkjP3Q+c/r94ON/cigBtt2S/ii50w8PNLIZUE:QkzFc6UgBttF/ii5BSNUZUE"
  15.  
  16. [*] Process Execution: [
  17. "Ursnif_b4a626c867d7e38bfd9ccef983771c91.exe",
  18. "services.exe",
  19. "svchost.exe",
  20. "WmiPrvSE.exe",
  21. "iexplore.exe",
  22. "iexplore.exe",
  23. "iexplore.exe",
  24. "iexplore.exe",
  25. "iexplore.exe",
  26. "iexplore.exe",
  27. "iexplore.exe",
  28. "iexplore.exe",
  29. "iexplore.exe",
  30. "iexplore.exe",
  31. "iexplore.exe",
  32. "iexplore.exe",
  33. "iexplore.exe",
  34. "iexplore.exe",
  35. "iexplore.exe",
  36. "iexplore.exe",
  37. "iexplore.exe",
  38. "iexplore.exe",
  39. "iexplore.exe",
  40. "iexplore.exe",
  41. "iexplore.exe",
  42. "iexplore.exe",
  43. "iexplore.exe",
  44. "iexplore.exe",
  45. "iexplore.exe",
  46. "iexplore.exe",
  47. "iexplore.exe",
  48. "iexplore.exe",
  49. "iexplore.exe",
  50. "iexplore.exe",
  51. "WmiPrvSE.exe",
  52. "iexplore.exe",
  53. "iexplore.exe",
  54. "msiexec.exe",
  55. "GoogleUpdate.exe",
  56. "taskhost.exe",
  57. "WMIADAP.exe"
  58. ]
  59.  
  60. [*] Signatures Detected: [
  61. {
  62. "Description": "Attempts to connect to a dead IP:Port (3 unique times)",
  63. "Details": [
  64. {
  65. "IP": "204.79.197.200:80"
  66. },
  67. {
  68. "IP": "47.254.82.18:80"
  69. },
  70. {
  71. "IP": "172.217.0.35:443"
  72. }
  73. ]
  74. },
  75. {
  76. "Description": "Creates RWX memory",
  77. "Details": []
  78. },
  79. {
  80. "Description": "A process attempted to delay the analysis task.",
  81. "Details": [
  82. {
  83. "Process": "WmiPrvSE.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
  84. },
  85. {
  86. "Process": "Ursnif_b4a626c867d7e38bfd9ccef983771c91.exe tried to sleep 1336 seconds, actually delayed analysis time by 0 seconds"
  87. }
  88. ]
  89. },
  90. {
  91. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  92. "Details": [
  93. {
  94. "ioc": "http://crl.globalsign.net/root-r2.crl0"
  95. }
  96. ]
  97. },
  98. {
  99. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  100. "Details": [
  101. {
  102. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  103. },
  104. {
  105. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  106. },
  107. {
  108. "suspicious_request": "http://api.frame303.at/index.htm"
  109. },
  110. {
  111. "suspicious_request": "http://47.254.82.18/favicon.ico"
  112. },
  113. {
  114. "suspicious_request": "http://cde.frame303.at/index.htm"
  115. },
  116. {
  117. "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D"
  118. },
  119. {
  120. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D"
  121. },
  122. {
  123. "suspicious_request": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D"
  124. },
  125. {
  126. "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D"
  127. },
  128. {
  129. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D"
  130. },
  131. {
  132. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D"
  133. },
  134. {
  135. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D"
  136. },
  137. {
  138. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D"
  139. },
  140. {
  141. "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D"
  142. },
  143. {
  144. "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D"
  145. },
  146. {
  147. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D"
  148. },
  149. {
  150. "suspicious_request": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D"
  151. },
  152. {
  153. "suspicious_request": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D"
  154. },
  155. {
  156. "suspicious_request": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D"
  157. },
  158. {
  159. "suspicious_request": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D"
  160. },
  161. {
  162. "suspicious_request": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D"
  163. },
  164. {
  165. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D"
  166. },
  167. {
  168. "suspicious_request": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D"
  169. },
  170. {
  171. "suspicious_request": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D"
  172. },
  173. {
  174. "suspicious_request": "http://redirector.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe"
  175. },
  176. {
  177. "suspicious_request": "http://r5---sn-a5meknl7.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=172.83.40.106&mm=28&mn=sn-a5meknl7&ms=nvh&mt=1560761503&mv=m&pl=24&shardbypass=yes"
  178. }
  179. ]
  180. },
  181. {
  182. "Description": "Performs some HTTP requests",
  183. "Details": [
  184. {
  185. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  186. },
  187. {
  188. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  189. },
  190. {
  191. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  192. },
  193. {
  194. "url": "http://www.bing.com/favicon.ico"
  195. },
  196. {
  197. "url": "http://api.frame303.at/index.htm"
  198. },
  199. {
  200. "url": "http://47.254.82.18/favicon.ico"
  201. },
  202. {
  203. "url": "http://cde.frame303.at/index.htm"
  204. },
  205. {
  206. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D"
  207. },
  208. {
  209. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D"
  210. },
  211. {
  212. "url": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D"
  213. },
  214. {
  215. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D"
  216. },
  217. {
  218. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D"
  219. },
  220. {
  221. "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
  222. },
  223. {
  224. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D"
  225. },
  226. {
  227. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D"
  228. },
  229. {
  230. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D"
  231. },
  232. {
  233. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D"
  234. },
  235. {
  236. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D"
  237. },
  238. {
  239. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D"
  240. },
  241. {
  242. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D"
  243. },
  244. {
  245. "url": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D"
  246. },
  247. {
  248. "url": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D"
  249. },
  250. {
  251. "url": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D"
  252. },
  253. {
  254. "url": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D"
  255. },
  256. {
  257. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D"
  258. },
  259. {
  260. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D"
  261. },
  262. {
  263. "url": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D"
  264. },
  265. {
  266. "url": "http://redirector.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe"
  267. },
  268. {
  269. "url": "http://r5---sn-a5meknl7.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=172.83.40.106&mm=28&mn=sn-a5meknl7&ms=nvh&mt=1560761503&mv=m&pl=24&shardbypass=yes"
  270. }
  271. ]
  272. },
  273. {
  274. "Description": "Crashed cuckoomon during analysis. Report this error to the Github repo.",
  275. "Details": [
  276. {
  277. "pid": 1692
  278. },
  279. {
  280. "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0xd0d5f8 from hook RtlDispatchException"
  281. },
  282. {
  283. "pid": 1692
  284. },
  285. {
  286. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  287. },
  288. {
  289. "pid": 1692
  290. },
  291. {
  292. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0xd0d5fc from hook RtlDispatchException"
  293. },
  294. {
  295. "pid": 1692
  296. },
  297. {
  298. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  299. },
  300. {
  301. "pid": 1692
  302. },
  303. {
  304. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0xd0d5f4 from hook RtlDispatchException"
  305. },
  306. {
  307. "pid": 1692
  308. },
  309. {
  310. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  311. },
  312. {
  313. "pid": 1692
  314. },
  315. {
  316. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0xd0d5f0 from hook RtlDispatchException"
  317. },
  318. {
  319. "pid": 1692
  320. },
  321. {
  322. "message": "Exception reported at offset 0x19689 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  323. },
  324. {
  325. "pid": 1692
  326. },
  327. {
  328. "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0xd0d600 from hook RtlDispatchException"
  329. },
  330. {
  331. "pid": 1692
  332. },
  333. {
  334. "message": "Exception reported at offset 0x1969b in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  335. },
  336. {
  337. "pid": 1692
  338. },
  339. {
  340. "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0xd0d604 from hook RtlDispatchException"
  341. },
  342. {
  343. "pid": 1692
  344. },
  345. {
  346. "message": "Exception reported at offset 0x196a2 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  347. },
  348. {
  349. "pid": 1692
  350. },
  351. {
  352. "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0xd0d608 from hook RtlDispatchException"
  353. },
  354. {
  355. "pid": 1692
  356. },
  357. {
  358. "message": "Exception reported at offset 0x196ad in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  359. },
  360. {
  361. "pid": 1692
  362. },
  363. {
  364. "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0xd0d60c from hook RtlDispatchException"
  365. },
  366. {
  367. "pid": 1692
  368. },
  369. {
  370. "message": "Exception reported at offset 0x196c0 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  371. },
  372. {
  373. "pid": 1692
  374. },
  375. {
  376. "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0xd0d5f0 from hook RtlDispatchException"
  377. },
  378. {
  379. "pid": 1692
  380. },
  381. {
  382. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  383. },
  384. {
  385. "pid": 1692
  386. },
  387. {
  388. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0xd0d5f4 from hook RtlDispatchException"
  389. },
  390. {
  391. "pid": 1692
  392. },
  393. {
  394. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  395. },
  396. {
  397. "pid": 1692
  398. },
  399. {
  400. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0xd0d5f8 from hook RtlDispatchException"
  401. },
  402. {
  403. "pid": 1692
  404. },
  405. {
  406. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  407. },
  408. {
  409. "pid": 1692
  410. },
  411. {
  412. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0xd0d5fc from hook RtlDispatchException"
  413. },
  414. {
  415. "pid": 1692
  416. },
  417. {
  418. "message": "Exception reported at offset 0x19c07 in cuckoomon itself while accessing 0x0 from hook RtlDispatchException"
  419. },
  420. {
  421. "pid": 1692
  422. },
  423. {
  424. "message": "Exception reported at offset 0x1967e in cuckoomon itself while accessing 0xd0d678 from hook RtlDispatchException"
  425. },
  426. {
  427. "pid": 1692
  428. },
  429. {
  430. "message": "Exception reported at offset 0x19681 in cuckoomon itself while accessing 0xd0d67c from hook RtlDispatchException"
  431. },
  432. {
  433. "pid": 1692
  434. },
  435. {
  436. "message": "Exception reported at offset 0x19684 in cuckoomon itself while accessing 0xd0d674 from hook RtlDispatchException"
  437. },
  438. {
  439. "pid": 1692
  440. },
  441. {
  442. "message": "Exception reported at offset 0x19687 in cuckoomon itself while accessing 0xd0d670 from hook RtlDispatchException"
  443. },
  444. {
  445. "pid": 1692
  446. },
  447. {
  448. "message": "Exception reported at offset 0x19699 in cuckoomon itself while accessing 0xd0d630 from hook RtlDispatchException"
  449. },
  450. {
  451. "pid": 1692
  452. },
  453. {
  454. "message": "Exception reported at offset 0x1969f in cuckoomon itself while accessing 0xd0d634 from hook RtlDispatchException"
  455. },
  456. {
  457. "pid": 1692
  458. },
  459. {
  460. "message": "Exception reported at offset 0x196aa in cuckoomon itself while accessing 0xd0d638 from hook RtlDispatchException"
  461. },
  462. {
  463. "pid": 1692
  464. },
  465. {
  466. "message": "Exception reported at offset 0x196bd in cuckoomon itself while accessing 0xd0d63c from hook RtlDispatchException"
  467. },
  468. {
  469. "pid": 1692
  470. },
  471. {
  472. "message": "Exception reported at offset 0x19bfc in cuckoomon itself while accessing 0xd0d670 from hook RtlDispatchException"
  473. },
  474. {
  475. "pid": 1692
  476. },
  477. {
  478. "message": "Exception reported at offset 0x19bfe in cuckoomon itself while accessing 0xd0d674 from hook RtlDispatchException"
  479. },
  480. {
  481. "pid": 1692
  482. },
  483. {
  484. "message": "Exception reported at offset 0x19c01 in cuckoomon itself while accessing 0xd0d678 from hook RtlDispatchException"
  485. },
  486. {
  487. "pid": 1692
  488. },
  489. {
  490. "message": "Exception reported at offset 0x19c04 in cuckoomon itself while accessing 0xd0d67c from hook RtlDispatchException"
  491. }
  492. ]
  493. },
  494. {
  495. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  496. "Details": [
  497. {
  498. "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 10546537 times"
  499. }
  500. ]
  501. },
  502. {
  503. "Description": "Creates a hidden or system file",
  504. "Details": [
  505. {
  506. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low"
  507. },
  508. {
  509. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF22455c7.TMP"
  510. },
  511. {
  512. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF222dfa2.TMP"
  513. },
  514. {
  515. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF222ed6d.TMP"
  516. },
  517. {
  518. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF222fc23.TMP"
  519. },
  520. {
  521. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF2230c5f.TMP"
  522. },
  523. {
  524. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF2235c15.TMP"
  525. },
  526. {
  527. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF2236e36.TMP"
  528. },
  529. {
  530. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF22396dc.TMP"
  531. },
  532. {
  533. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF223a7f3.TMP"
  534. },
  535. {
  536. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF223bac0.TMP"
  537. },
  538. {
  539. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF223ccb1.TMP"
  540. },
  541. {
  542. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF223ff89.TMP"
  543. },
  544. {
  545. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF2251dda.TMP"
  546. },
  547. {
  548. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF226e50d.TMP"
  549. },
  550. {
  551. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\28c8b86deab549a1.customDestinations-ms~RF227077a.TMP"
  552. }
  553. ]
  554. },
  555. {
  556. "Description": "Attempts to modify proxy settings",
  557. "Details": []
  558. }
  559. ]
  560.  
  561. [*] Started Service: [
  562. "msiserver",
  563. "gupdate"
  564. ]