- * MalFamily: "NetWire"
- * MalScore: 10.0
- * File Name: "NetWire_43d31275989308a86e53a1f91f180078.exe"
- * File Size: 1366713
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "6d2417c4ffb93cb5ce7bb53f6e9b9e4026646d10411d907c1b16d58eeac0b2fd"
- * MD5: "43d31275989308a86e53a1f91f180078"
- * SHA1: "6bc580ea5a10a2eef4569bf0d58f953a3df8bf51"
- * SHA512: "0dad66922c79de1722186d5017c46c440872ad0f13b2e61e358d70236a7c9f9d8e92af5c14617b512240fb70392935d875e1fa4f270b72137a275d430988f646"
- * CRC32: "F3C86DDF"
- * SSDEEP: "24576:bNA3R5drXTLPddvaCZzdtWcwfh3va4F9lj5MeDbeibsRfGZojnTIa4JX:G5Pldimlwp3vbF/jmUbsR0a4B"
- * Process Execution:
- "NetWire_43d31275989308a86e53a1f91f180078.exe",
- "wscript.exe",
- "pxa.exe",
- "pxa.exe",
- "RegSvcs.exe",
- "services.exe",
- "lsass.exe",
- "sdclt.exe",
- "taskhost.exe",
- "sc.exe",
- "svchost.exe",
- "svchost.exe",
- "WerFault.exe",
- "wermgr.exe"
- * Executed Commands:
- "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ouo.vbs\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ouo.vbs ",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe\" nnx=igd",
- "pxa.exe nnx=igd",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\BSOED",
- "C:\\Windows\\system32\\lsass.exe",
- "C:\\Windows\\System32\\sdclt.exe /CONFIGNOTIFICATION",
- "taskhost.exe $(Arg0)",
- "C:\\Windows\\system32\\sc.exe start w32time task_started",
- "C:\\Windows\\system32\\svchost.exe -k LocalService",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "C:\\Windows\\system32\\WerFault.exe -u -p 380 -s 288",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\""
- * Signatures Detected:
- "Description": "At least one process apparently crashed during execution",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "pxa.exe, PID 2424"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Detected script timer window indicative of sleep style evasion",
- "Details":
- "Window": "WSH-Timer"
- "Description": "Reads data out of its own binary image",
- "Details":
- "Description": "A process created a hidden window",
- "Details":
- "Process": "RegSvcs.exe -> "
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "pxa.exe(2428) -> RegSvcs.exe(2020)"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 12492414 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate"
- "data": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\NNX_IG~1"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\avf.ppt"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bcd.ico"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bot.bmp"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bpr.xl"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\buh.bmp"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bvw.bmp"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\des.docx"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\drr.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ebe.mp3"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\gfa.docx"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ggr.icm"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ghp.mp4"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\gsb.mp3"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hfi.xl"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hig.ico"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hpa.ico"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hvt.mp3"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ijg.ico"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ixo.jpg"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jqu.mp3"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jrm.xl"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jxf.mp4"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\lwa.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\mnp.mp4"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\mtg.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ngk.ico"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\nnx=igd"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\nuu.jpg"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\oro.ico"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ouo.vbs"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pwx.xl"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rkg.ico"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rmr.bmp"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rrp.jpg"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\siu.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\sjj.pdf"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\smt.pdf"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\sof.xl"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\tjk.xl"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\tuo.ico"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\txp.ico"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ucc.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\uke.icm"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\uvi.mp3"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vld.icm"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vlw.mp3"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vow.docx"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\wme.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\xen.docx"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\21831356"
- "Description": "File has been identified by 22 Antiviruses on VirusTotal as malicious",
- "Details":
- "McAfee": "Artemis!43D312759893"
- "AegisLab": "Trojan.Multi.Generic.4!c"
- "K7GW": "Riskware ( 0040eff71 )"
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- "Invincea": "heuristic"
- "Symantec": "Trojan Horse"
- "APEX": "Malicious"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "Alibaba": "Trojan:Win32/Starter.ali2000005"
- "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.tc"
- "FireEye": "Generic.mg.43d31275989308a8"
- "MAX": "malware (ai score=96)"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "Microsoft": "Trojan:AutoIt/Wiausf.AC!MTB"
- "AhnLab-V3": "Trojan/Win32.RL_Agent.R273974"
- "Zoner": "Probably RARAutorun"
- "ESET-NOD32": "Win32/Injector.Autoit.EDS"
- "AVG": "FileRepMetagen Malware"
- "Cybereason": "malicious.a5a10a"
- "Paloalto": "generic.ml"
- "CrowdStrike": "win/malicious_confidence_70% (W)"
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details":
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- * Started Service:
- "VaultSvc",
- "WerSvc",
- "W32Time"
- * Mutexes:
- "DefaultTabtip-MainUI",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "-",
- "Local\\WERReportingForProcess380",
- "Global\\\\xe5\\x88\\x90\\xc2\\x8f",
- "Global\\\\xed\\x95\\xb0\\xc7\\x8a",
- "WERUI_BEX64-42c345fcd81471f41bc2fed99624a23f3ee315c"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\__tmp_rar_sfx_access_check_13422046",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jrm.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\nnx=igd",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ouo.vbs",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pxa.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\siu.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\gfa.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ebe.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ngk.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rmr.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bcd.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\tjk.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vlw.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\avf.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bvw.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bot.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\uvi.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\mnp.mp4",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ijg.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\oro.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\smt.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vow.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hig.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\sjj.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rrp.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\tuo.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jqu.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\drr.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hpa.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\gsb.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\wme.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hvt.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ggr.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\mtg.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\pwx.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\vld.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\des.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\rkg.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\bpr.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ixo.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\uke.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\jxf.mp4",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ghp.mp4",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\txp.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\sof.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\xen.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\nuu.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\lwa.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\ucc.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\hfi.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\buh.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\BSOED",
- "\\??\\PIPE\\wkssvc",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\History.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\WmM4O6.bat",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\2ce1541b-c7b1-4ba0-8974-722d18a3c54d",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\4e6828f4-11de-47bf-b7df-2249f4bdea4e",
- "\\??\\PIPE\\lsarpc",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB5AB.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB9F2.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBA22.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC270.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\WERB5AB.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\WERB9F2.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\WERBA22.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\WERC270.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\Report.wer",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\Report.wer.tmp"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\__tmp_rar_sfx_access_check_13422046",
- "C:\\Users\\user\\AppData\\Local\\Temp\\21831356\\BSOED",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB5AB.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB5AB.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB9F2.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB9F2.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBA22.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBA22.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC270.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC270.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_42c345fcd81471f41bc2fed99624a23f3ee315c_cab_07169bf8\\Report.wer.tmp"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
- "HKEY_CURRENT_USER\\SOFTWARE\\NetWire",
- "HKEY_CURRENT_USER\\Software\\NetWire\\HostId",
- "HKEY_CURRENT_USER\\Software\\NetWire\\Install Date",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: