- * ID: 1514
- * MalFamily: "Nanocore"
- * MalScore: 10.0
- * File Name: "NanoCore_6efc03ae042064ae311eee1cd9ba5a65.exe"
- * File Size: 1370908
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "862bef9f39e5ad960be979bce8ce94f411af38cae2853d093ef957c96a5d50b8"
- * MD5: "6efc03ae042064ae311eee1cd9ba5a65"
- * SHA1: "206668484d3d96ac9c47b3f925b058a002a93774"
- * SHA512: "10b11a39bafffc8ddfbaf905fde10c044f4e14a1fac5c87d0329a0e4e57dea1ea75c4c487e8bbe53d15d719308395a838d0fed115e59013b45571867b614fe32"
- * CRC32: "C6035098"
- * SSDEEP: "24576:8NA3R5drXgJOr2/1CeWn1GXHEwpgz6l6u1h6LId7nf1RMMaReV5BHFA8C:95EOK1CeWn1ApJ1h6LIdzfXMf25Bl8"
- * Process Execution:
- "waCoVInV.exe",
- "wscript.exe",
- "fhl.exe",
- "RegSvcs.exe"
- * Executed Commands:
- "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fsa.vbs\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fsa.vbs ",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe\" klp=jib",
- "fhl.exe klp=jib"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP_ioc": "185.11.146.171:3999 (Netherlands)"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Detected script timer window indicative of sleep style evasion",
- "Details":
- "Window": "WSH-Timer"
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details":
- "ioc": "v2.0.50727"
- "Description": "Expresses interest in specific running processes",
- "Details":
- "process": "RegSvcs.exe"
- "process": "taskhost.exe"
- "Description": "Reads data out of its own binary image",
- "Details":
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe"
- "Description": "A scripting utility was executed",
- "Details":
- "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fsa.vbs\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "fhl.exe(1896) -> RegSvcs.exe(1632)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "fhl.exe(1896) -> RegSvcs.exe(1632)"
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
- "Details":
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\desktop"
- "data": "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\KLP_JI~1"
- "Description": "Exhibits behavior characteristic of Nanocore RAT",
- "Details":
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\92572591"
- "file": "C:\\Users\\user\\temp"
- "Description": "File has been identified by 26 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.6efc03ae042064ae"
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- "K7GW": "Riskware ( 0040eff71 )"
- "CrowdStrike": "win/malicious_confidence_80% (D)"
- "APEX": "Malicious"
- "Kaspersky": "Trojan.Win32.Autoit.foa"
- "AegisLab": "Trojan.BAT.Crypter.tqa8"
- "F-Secure": "Dropper.DR/AutoIt.Gen"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.tc"
- "Trapmine": "suspicious.low.ml.score"
- "Paloalto": "generic.ml"
- "Cyren": "W32/AutoIt.EN.gen!Eldorado"
- "Avira": "VBS/Runner.hzdd"
- "Antiy-AVL": "TrojanArcBomb/Win32.Agent"
- "Microsoft": "Trojan:Win32/AutoitInject.BI!MTB"
- "ZoneAlarm": "Trojan.Win32.Autoit.foa"
- "AhnLab-V3": "Malware/Win32.RL_Generic.R286428"
- "Malwarebytes": "Trojan.MalPack.AISFX"
- "Zoner": "Probably RARAutorun"
- "ESET-NOD32": "VBS/Runner.NHZ"
- "Rising": "Trojan.Pack-RAR!1.BB61 (CLASSIC)"
- "Yandex": "Trojan.Agent!nS7qVYN4VgU"
- "Fortinet": "W32/Generic.AC.45A0E1!tr"
- "Cybereason": "malicious.84d3d9"
- "Qihoo-360": "HEUR/QVM10.1.C881.Malware.Gen"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "dropped": "clamav:Win.Trojan.Autoit-6922942-0, sha256:fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b , guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Collects information to fingerprint the system",
- "Details":
- * Started Service:
- * Mutexes:
- "DefaultTabtip-MainUI",
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\ac45ed91-6e1d-4915-abef-33900ef60335",
- "Global\\.net clr networking"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\__tmp_rar_sfx_access_check_11298218",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\gjd.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\klp=jib",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fsa.vbs",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\duh.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\dxv.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\mbn.xls",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\qux.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\gic.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\hdp.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\urh.xls",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\hjx.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\nkt.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\ieg.ini",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\apo.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\aqu.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\ppm.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fjb.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\mau.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\uat.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\emk.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\lpv.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\gkx.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\upf.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\iix.cpl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\ura.cpl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\dtd.xls",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\lkw.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\vlo.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\bom.cpl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\xjl.msc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\osk.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\bik.xls",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\hqs.msc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\vdo.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\wvr.xls",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\qpl.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\pia.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\acn.xls",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\mba.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\qig.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\aka.bin",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\hcw.ini",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\wkw.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\loe.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\mss.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\rje.cpl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\kvu.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\tnj.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\rja.ini",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\xgg.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\mhx.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fvu.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\hfw.bin",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\gbp.msc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fqj.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\ldc.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\pea.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\rbx.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\rwa.xls",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\cuc.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\qtm.xls",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\saj.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\jgu.docx",
- "C:\\Users\\user\\temp\\gjd.log",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat"
- * Deleted Files:
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\desktop"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Netherlands",
- "ip": "185.11.146.171",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC: