API tools faq
paste
Advertisement
spamreports

cdn.discordapp[.]com/attachments/643981855841845252/64398192

spamreports
Nov 25th, 2019
319
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 18.50 KB | None | 0 0
raw download clone embed print report
  1. BITS
  2. Reported IOC
  3. BITS
  4. C:\Windows\Debug\ESE.TXT File opened for modification
  5. C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp File opened for modification
  6. C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp File created
  7. C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp File opened for modification
  8. C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp File created
  9. Suspicious use of WriteProcessMemory
  10. iexplore.exe
  11. SppExtComObj.exe
  12. AcroRd32.exe
  13. RdrCEF.exe
  14. Reported IOC
  15. iexplore.exe
  16. PID 4952 wrote to memory of 5020
  17. PID 4952 wrote to memory of 4556
  18. Reported IOC
  19. SppExtComObj.exe
  20. PID 1792 wrote to memory of 1020
  21. Reported IOC
  22. AcroRd32.exe
  23. PID 4556 wrote to memory of 4672
  24. PID 4556 wrote to memory of 4692
  25. Reported IOC
  26. RdrCEF.exe
  27. PID 4672 wrote to memory of 4396
  28. PID 4672 wrote to memory of 4372
  29. PID 4672 wrote to memory of 4196
  30. PID 4672 wrote to memory of 4784
  31. PID 4672 wrote to memory of 4840
  32. Enumerates system info in registry
  33. AcroRd32.exe
  34. Matched TTPs
  35. Query Registry
  36. System Information Discovery
  37. Reported IOC
  38. AcroRd32.exe
  39. \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Key opened
  40. \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key value queried
  41. Suspicious behavior: EnumeratesProcesses
  42. AcroRd32.exe
  43. Windows security modification
  44. wscsvc
  45. Matched TTPs
  46. Disabling Security Tools
  47. Modify Registry
  48. Reported IOC
  49. wscsvc
  50. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" Set value (int)
  51. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" Set value (int)
  52. Modifies Internet Explorer settings
  53. iexplore.exe
  54. IEXPLORE.EXE
  55. Matched TTPs
  56. Modify Registry
  57. Reported IOC
  58. iexplore.exe
  59. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" Set value (int)
  60. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E731488A-0FB2-11EA-BD7F-DA387AC80F0B} = "0" Set value (int)
  61. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Set value (str)
  62. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" Set value (str)
  63. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 Set value (data)
  64. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" Set value (int)
  65. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" Set value (int)
  66. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 4c6bfe76f785d501 Set value (data)
  67. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{632A8819-8B4F-40B7-88A0-3A09974625F2}" Set value (str)
  68. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3153415177" Set value (int)
  69. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30778303" Set value (int)
  70. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" Set value (int)
  71. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" Set value (int)
  72. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3153415177" Set value (int)
  73. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30778303" Set value (int)
  74. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 Set value (data)
  75. Reported IOC
  76. IEXPLORE.EXE
  77. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3187821977" Set value (int)
  78. \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30778303" Set value (int)
  79. Suspicious use of SetWindowsHookEx
  80. iexplore.exe
  81. IEXPLORE.EXE
  82. AcroRd32.exe
  83. Uses Volume Shadow Copy WMI provider
  84. iexplore.exe
  85. Reported IOC
  86. iexplore.exe
  87. \Registry\Machine\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} Key opened
  88. \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C} Key queried
  89. \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened
  90. Suspicious use of FindShellTrayWindow
  91. iexplore.exe
  92. Modifies system certificate store
  93. IEXPLORE.EXE
  94. Matched TTPs
  95. Install Root Certificate
  96. Modify Registry
  97. Reported IOC
  98. IEXPLORE.EXE
  99. \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030753000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 Set value (data)
  100. Uses Task Scheduler COM API
  101. iexplore.exe
  102. Matched TTPs
  103. Query Registry
  104. Reported IOC
  105. iexplore.exe
  106. \Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Key opened
  107. \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} Key queried
  108. \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened
  109. Checks system information in the registry (likely anti-VM)
  110. DoSvc
  111. Matched TTPs
  112. Query Registry
  113. System Information Discovery
  114. Reported IOC
  115. DoSvc
  116. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried
  117. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName Key value queried
  118. Uses Volume Shadow Copy Service COM API
  119. iexplore.exe
  120. Reported IOC
  121. iexplore.exe
  122. \Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623} Key opened
  123. \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623} Key queried
  124. \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened
  125. Checks processor information in registry (likely anti-VM)
  126. AcroRd32.exe
  127. Matched TTPs
  128. Query Registry
  129. System Information Discovery
  130. Reported IOC
  131. AcroRd32.exe
  132. \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Key opened
  133. \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key value queried
  134.  
  135. C:\Program Files\Internet Explorer\iexplore.exe
  136. "C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/643981855841845252/643981920396640256/Revised_Proforma_Invoice_73544021.pdf.gz
  137. Suspicious use of WriteProcessMemoryModifies Internet Explorer settingsSuspicious use of SetWindowsHookExUses Volume Shadow Copy WMI providerSuspicious use of FindShellTrayWindowUses Task Scheduler COM APIUses Volume Shadow Copy Service COM API
  138. PID: 4952
  139. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  140. "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\Revised_Proforma_Invoice_73544021.pdf.pdf"
  141. Suspicious use of WriteProcessMemoryEnumerates system info in registrySuspicious behavior: EnumeratesProcessesSuspicious use of SetWindowsHookExChecks processor information in registry (likely anti-VM)
  142. PID: 4556
  143. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  144. "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  145. Suspicious use of WriteProcessMemory
  146. PID: 4672
  147. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  148. "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9D41BB7A56F602561B5A9164A74A63BC --mojo-platform-channel-handle=2196 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  149. PID: 4196
  150. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  151. "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E1BF8FCBBF3B27A5573055AC68474235 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E1BF8FCBBF3B27A5573055AC68474235 --renderer-client-id=2 --mojo-platform-channel-handle=1608 --allow-no-sandbox-job /prefetch:1
  152. PID: 4372
  153. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  154. "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AD6D1F7DC1EC290E22988ECD54C44733 --mojo-platform-channel-handle=1616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  155. PID: 4396
  156. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  157. "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=24916BF7E51E278632D26636B7DC8415 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  158. PID: 4784
  159. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  160. "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=32248511A7623B3BC329708E1D4685CF --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  161. PID: 4840
  162. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  163. "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  164. PID: 4692
  165. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  166. "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4952 CREDAT:82945 /prefetch:2
  167. Modifies Internet Explorer settingsSuspicious use of SetWindowsHookExModifies system certificate store
  168. PID: 5020
  169. SppExtComObj.exe
  170. C:\Windows\system32\SppExtComObj.exe -Embedding
  171. Suspicious use of WriteProcessMemory
  172. PID: 1792
  173. SLUI.exe
  174. "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
  175. PID: 1020
  176. svchost.exe
  177. C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
  178. PID: 2964
  179. svchost.exe
  180. c:\windows\system32\svchost.exe -k netsvcs -s lfsvc
  181. PID: 3420
  182. svchost.exe
  183. c:\windows\system32\svchost.exe -k netsvcs -s BITS
  184. Drops file in system dir
  185. PID: 4820
  186. svchost.exe
  187. c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
  188. PID: 4588
  189. svchost.exe
  190. c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
  191. Checks system information in the registry (likely anti-VM)
  192. PID: 2328
  193. svchost.exe
  194. c:\windows\system32\svchost.exe -k unistacksvcgroup
  195. PID: 4148
  196. svchost.exe
  197. c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
  198. PID: 3584
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!