- * MalFamily: "PWStealer"
- * MalScore: 10.0
- * File Name: "Exes_2bafe52150d3c2f18382848d832e3211.exe"
- * File Size: 260096
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "0a4cc9853314d239f89249e5b6acae8ab2d3e5afbd9e124b6571517a12a00a80"
- * MD5: "2bafe52150d3c2f18382848d832e3211"
- * SHA1: "31182a580758a69c3dcdbe8fb3e6e4126bbc7dc0"
- * SHA512: "981c60770f7cefd705a010ac438f74cdefce2f7f5d6d0c4c3a5d519e8b662aa18b070514ce8c4cb6e70a81a1a9be7acd1e66b7a8035817abdac60ca86029dc5d"
- * CRC32: "95986EF4"
- * SSDEEP: "6144:8/FsObxyl2q+qGFcSRlQLyQrByo+kdwVBkKeX:8/hMl2FqGIRA9IwVBkX"
- * Process Execution:
- "Exes_2bafe52150d3c2f18382848d832e3211.exe",
- "Exes_2bafe52150d3c2f18382848d832e3211.exe",
- "services.exe",
- "lsass.exe",
- "lsass.exe",
- "lsass.exe",
- "lsass.exe",
- "lsass.exe",
- "lsass.exe",
- "lsass.exe",
- "lsass.exe",
- "lsass.exe"
- * Executed Commands:
- "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_2bafe52150d3c2f18382848d832e3211.exe --vwxyz",
- "C:\\Windows\\system32\\lsass.exe"
- * Signatures Detected:
- "Description": "Attempts to connect to a dead IP:Port (3 unique times)",
- "Details":
- "IP": "5.45.127.15:443"
- "IP": "192.35.177.64:80"
- "IP": "23.15.4.24:80"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Starts servers listening on 127.0.0.1:281, 127.0.0.1:402",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
- "url": "http://apps.identrust.com/roots/dstrootcax3.p7c"
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "Exes_2bafe52150d3c2f18382848d832e3211.exe tried to sleep 13597 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 14053278 times"
- "Description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
- "Details":
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_8"
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_7"
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_6"
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_5"
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_4"
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_3"
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_2"
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_1"
- "regkeyval": "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_0"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies Backup"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data Backup"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal"
- "Description": "Behavior consistent with a dropper attempting to download the next stage.",
- "Details":
- "File": "/rpersist4/-1785172236 was requested from hosts: madregobilsg.com, kladrykroptur.com, chaabattent.com, kerymarynicegross.com, pillygreamstronh.com"
- "Description": "File has been identified by 16 Antiviruses on VirusTotal as malicious",
- "Details":
- "Cylance": "Unsafe"
- "Invincea": "heuristic"
- "APEX": "Malicious"
- "Rising": "Trojan.Generic@ML.100 (RDML:idADg3cfkKGf3ZIrT6BHeg)"
- "Endgame": "malicious (high confidence)"
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.dh"
- "Trapmine": "malicious.high.ml.score"
- "FireEye": "Generic.mg.2bafe52150d3c2f1"
- "Microsoft": "Trojan:Win32/Fuerboos.E!cl"
- "Acronis": "suspicious"
- "VBA32": "BScope.Trojan.Azden"
- "ESET-NOD32": "a variant of Win32/Kryptik.GPLI"
- "SentinelOne": "DFI - Malicious PE"
- "Cybereason": "malicious.80758a"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "HEUR/QVM09.0.8B7D.Malware.Gen"
- "Description": "Checks the version of Bios, possibly for anti-virtualization",
- "Details":
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Checks the presence of disk drives in the registry, possibly for anti-virtualization",
- "Details":
- "Description": "Attempts to modify browser security settings",
- "Details":
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Program Files (x86)\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\CuteFTP\\sm.dat"
- "file": "C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\ProgramData\\CuteFTP\\sm.dat"
- "file": "C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\sitemanager.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- "file": "C:\\ProgramData\\FileZilla\\sitemanager.xml"
- "file": "C:\\ProgramData\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Windows Commander"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Windows Commander"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_CURRENT_USER\\Software\\FileZilla"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla"
- "key": "HKEY_CURRENT_USER\\Software\\FileZilla Client"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla Client"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- "Description": "Collects information to fingerprint the system",
- "Details":
- * Started Service:
- "KeyIso",
- "VaultSvc"
- * Mutexes:
- "ServiceEntryPointThread",
- "DBWinMutex"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_2bafe52150d3c2f18382848d832e3211.inf",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
- "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
- "\\??\\PIPE\\wkssvc",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\cookies.sqlite",
- "C:\\Users\\user\\AppData\\Local\\Temp\\cookies.sqlite-journal",
- "C:\\Users\\user\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\Cookies Backup",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies Backup",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data Backup",
- "C:\\Users\\user\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\Login Data Backup"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\cookies.sqlite-journal",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies Backup",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data Backup"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\2500",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\2500",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2\\2500",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\2500",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4\\2500",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Count",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Path1",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\IEAK\\GroupPolicy\\PendingGPOs\\Section1",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_0",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_1",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_2",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_3",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_4",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_5",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_6",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_7",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_8",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\2dc03b67-bbe0-46f6-a506-c0799ccb1f6b",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\ec58180b-dfce-4a67-b18b-e6d83b3e979b",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\7ade5bfc-66f6-4220-aa24-6032bdb90317",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\102f49a9-80c9-42ee-8924-3256738fc621",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\VaultSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\KeyIso\\Type"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_0",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_1",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_2",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_3",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_4",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_5",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_6",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_7",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_8",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_9",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_10",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_11",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_12",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_13",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_14",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_15",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_16",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_17",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_18",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_19",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_20",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_21",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_22",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_23",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_24",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_25",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_26",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_27",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_28",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_29",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_30",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_31",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_32",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_33",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_34",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_35",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_36",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_37",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_38",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_39",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_40",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_41",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_42",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_43",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_44",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_45",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_46",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_47",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_48",
- "HKEY_CURRENT_USER\\Software\\AppDataLow\\DWMag_49"
- * DNS Communications:
- "type": "A",
- "request": "chaabattent.com",
- "answers":
- "data": "5.45.127.15",
- "type": "A"
- "type": "A",
- "request": "kladrykroptur.com",
- "answers":
- "data": "51.15.37.44",
- "type": "A"
- "type": "A",
- "request": "apps.identrust.com",
- "answers":
- "data": "192.35.177.64",
- "type": "A"
- "data": "apps.digsigtrust.com",
- "type": "CNAME"
- "type": "A",
- "request": "madregobilsg.com",
- "answers":
- "data": "",
- "type": "NXDOMAIN"
- "type": "A",
- "request": "kerymarynicegross.com",
- "answers":
- "data": "",
- "type": "NXDOMAIN"
- "type": "A",
- "request": "pillygreamstronh.com",
- "answers":
- "data": "",
- "type": "NXDOMAIN"
- * Domains:
- "ip": "",
- "domain": "pillygreamstronh.com"
- "ip": "",
- "domain": "madregobilsg.com"
- "ip": "51.15.37.44",
- "domain": "kladrykroptur.com"
- "ip": "192.35.177.64",
- "domain": "apps.identrust.com"
- "ip": "",
- "domain": "kerymarynicegross.com"
- "ip": "5.45.127.15",
- "domain": "chaabattent.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "www.download.windowsupdate.com",
- "version": "1.1",
- "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
- "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Feb 2019 16:53:13 GMT\r\nIf-None-Match: \"80e22c19cfcad41:0\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://apps.identrust.com/roots/dstrootcax3.p7c",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "apps.identrust.com",
- "version": "1.1",
- "path": "/roots/dstrootcax3.p7c",
- "data": "GET /roots/dstrootcax3.p7c HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: apps.identrust.com\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: