paladin316

Fareit_649235066887f12b1074b4ddcd305c91_exe_2019-08-18_14_40.txt
  1.  
  2. * MalFamily: "Pony" (the same family is tracked as Fareit and Tepfer by several vendors; see the VirusTotal names below)
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Pony_649235066887f12b1074b4ddcd305c91.exe"
  7. * File Size: 92672
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "e656a87f9ee91482ad7ff860d2c5898b1b4a2405af7d5b6026952a387c29813e"
  10. * MD5: "649235066887f12b1074b4ddcd305c91"
  11. * SHA1: "7d5fba0411d54f954756494013ce54a74563f33b"
  12. * SHA512: "30f756748ec73e99cee19ac5cbd57689c2474f48c5011ca890f3ca70494b04d7d30b2f82fe6f58deba1a079c0ecfee4c506f9be5931e042a00d9c36c31cb7607"
  13. * CRC32: "45E57B4D"
  14. * SSDEEP: "1536:RYC88FhqqTDQ8pquJXBaxcem4tJjglVQChLYO7fixpTvMEIokzmaI:GC8snqURocem4HKAO7vEIUaI"
  15.  
  16. * Process Execution:
  17. "tQpQ9ImfhEt6i3.exe",
  18. "cmd.exe"
  19.  
  20.  
  21. * Executed Commands:
  22. "\"C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat\" \"C:\\Users\\user\\AppData\\Local\\Temp\\tQpQ9ImfhEt6i3.exe\"",
  23. "C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\tQpQ9ImfhEt6i3.exe\""
  24.  
  25.  
  26. * Signatures Detected:
  27.  
  28. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  29. "Details":
  30.  
  31.  
  32. "Description": "Possible date expiration check, exits too soon after checking local time",
  33. "Details":
  34.  
  35. "process": "tQpQ9ImfhEt6i3.exe, PID 2284"
  36.  
  37.  
  38.  
  39.  
  40. "Description": "A process created a hidden window",
  41. "Details":
  42.  
  43. "Process": "tQpQ9ImfhEt6i3.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat"
  44.  
  45.  
  46.  
  47.  
  48. "Description": "Uses Windows utilities for basic functionality",
  49. "Details":
  50.  
  51. "command": "C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\tQpQ9ImfhEt6i3.exe\""
  52.  
  53.  
  54.  
  55.  
  56. "Description": "Deletes its original binary from disk (via the dropped 8967062.bat, which is invoked with the executable's path as its argument; both the .exe and the .bat appear under Deleted Files below)",
  57. "Details":
  58.  
  59.  
  60. "Description": "Steals private information from local Internet browsers",
  61. "Details":
  62.  
  63. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal"
  64.  
  65.  
  66. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  67.  
  68.  
  69. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal"
  70.  
  71.  
  72. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  73.  
  74.  
  75.  
  76.  
  77. "Description": "Exhibits behavior characteristic of Pony malware",
  78. "Details":
  79.  
  80. "C2": "https://nztnyavroi.ru.net/server/Pony.exe"
  81.  
  82.  
  83.  
  84.  
  85. "Description": "Collects information about installed applications",
  86. "Details":
  87.  
  88. "Program": "Google Update Helper"
  89.  
  90.  
  91. "Program": "Microsoft Excel MUI 2013"
  92.  
  93.  
  94. "Program": "Microsoft Outlook MUI 2013"
  95.  
  96.  
  97.  
  98.  
  99. "Program": "Google Chrome"
  100.  
  101.  
  102. "Program": "Adobe Flash Player 29 NPAPI"
  103.  
  104.  
  105. "Program": "Adobe Flash Player 29 ActiveX"
  106.  
  107.  
  108. "Program": "Microsoft DCF MUI 2013"
  109.  
  110.  
  111. "Program": "Microsoft Access MUI 2013"
  112.  
  113.  
  114. "Program": "Microsoft Office Proofing Tools 2013 - English"
  115.  
  116.  
  117. "Program": "Adobe Acrobat Reader DC"
  118.  
  119.  
  120. "Program": "Microsoft Office Proofing Tools 2013 - Español"
  121.  
  122.  
  123. "Program": "Microsoft Publisher MUI 2013"
  124.  
  125.  
  126. "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
  127.  
  128.  
  129. "Program": "Microsoft Office Shared MUI 2013"
  130.  
  131.  
  132. "Program": "Microsoft Office OSM MUI 2013"
  133.  
  134.  
  135. "Program": "Microsoft InfoPath MUI 2013"
  136.  
  137.  
  138. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  139.  
  140.  
  141. "Program": "Microsoft Word MUI 2013"
  142.  
  143.  
  144. "Program": "Microsoft Groove MUI 2013"
  145.  
  146.  
  147.  
  148.  
  149. "Program": "Microsoft Access Setup Metadata MUI 2013"
  150.  
  151.  
  152. "Program": "Microsoft Office OSM UX MUI 2013"
  153.  
  154.  
  155. "Program": "Microsoft Office Professional Plus 2013"
  156.  
  157.  
  158. "Program": "Adobe Refresh Manager"
  159.  
  160.  
  161. "Program": "Microsoft Office Proofing 2013"
  162.  
  163.  
  164. "Program": "Microsoft Lync MUI 2013"
  165.  
  166.  
  167.  
  168.  
  169. "Program": "Microsoft OneNote MUI 2013"
  170.  
  171.  
  172.  
  173.  
  174. "Description": "CAPE detected the Fareit malware family",
  175. "Details":
  176.  
  177.  
  178. "Description": "File has been identified as malicious by 58 antivirus engines on VirusTotal",
  179. "Details":
  180.  
  181. "MicroWorld-eScan": "Generic.StealerA.6113F943"
  182.  
  183.  
  184. "FireEye": "Generic.mg.649235066887f12b"
  185.  
  186.  
  187. "CAT-QuickHeal": "Trojanpws.Tepfer.20303"
  188.  
  189.  
  190. "ALYac": "Generic.StealerA.6113F943"
  191.  
  192.  
  193. "Cylance": "Unsafe"
  194.  
  195.  
  196. "K7AntiVirus": "Password-Stealer ( 0040f4f51 )"
  197.  
  198.  
  199. "Alibaba": "TrojanPSW:Win32/Tepfer.2ef57dfe"
  200.  
  201.  
  202. "K7GW": "Password-Stealer ( 0040f4f51 )"
  203.  
  204.  
  205. "Cybereason": "malicious.66887f"
  206.  
  207.  
  208. "Arcabit": "Generic.StealerA.6113F943"
  209.  
  210.  
  211. "Invincea": "heuristic"
  212.  
  213.  
  214. "Baidu": "Win32.Trojan-PSW.Fareit.a"
  215.  
  216.  
  217. "F-Prot": "W32/Bloop.A.gen!Eldorado"
  218.  
  219.  
  220. "Symantec": "Infostealer!im"
  221.  
  222.  
  223. "APEX": "Malicious"
  224.  
  225.  
  226. "Avast": "Sf:Crypt-AS Trj"
  227.  
  228.  
  229. "ClamAV": "Win.Trojan.Fareit-403"
  230.  
  231.  
  232. "Kaspersky": "Trojan-PSW.Win32.Tepfer.gen"
  233.  
  234.  
  235. "BitDefender": "Generic.StealerA.6113F943"
  236.  
  237.  
  238. "NANO-Antivirus": "Trojan.Win32.Siggen.evgeyh"
  239.  
  240.  
  241. "Paloalto": "generic.ml"
  242.  
  243.  
  244. "Ad-Aware": "Generic.StealerA.6113F943"
  245.  
  246.  
  247. "Emsisoft": "Generic.StealerA.6113F943 (B)"
  248.  
  249.  
  250. "Comodo": "TrojWare.Win32.PWS.Fareit.GS@5t8zib"
  251.  
  252.  
  253. "F-Secure": "Trojan.TR/PSW.Fareit.iloen"
  254.  
  255.  
  256. "DrWeb": "Trojan.PWS.Stealer.1932"
  257.  
  258.  
  259. "TrendMicro": "BKDR_PONY.SM"
  260.  
  261.  
  262. "McAfee-GW-Edition": "BehavesLike.Win32.PWSZbot.nh"
  263.  
  264.  
  265. "Trapmine": "malicious.high.ml.score"
  266.  
  267.  
  268. "Sophos": "Mal/Pony-A"
  269.  
  270.  
  271. "SentinelOne": "DFI - Malicious PE"
  272.  
  273.  
  274. "Cyren": "W32/Bloop.A.gen!Eldorado"
  275.  
  276.  
  277. "Jiangmin": "Trojan/PSW.Tepfer.btny"
  278.  
  279.  
  280. "Avira": "TR/PSW.Fareit.iloen"
  281.  
  282.  
  283. "MAX": "malware (ai score=100)"
  284.  
  285.  
  286. "Antiy-AVL": "TrojanPSW/Win32.Tepfer"
  287.  
  288.  
  289. "Microsoft": "PWS:Win32/Fareit"
  290.  
  291.  
  292. "Endgame": "malicious (high confidence)"
  293.  
  294.  
  295. "AegisLab": "Trojan.Win32.Generic.mtwx"
  296.  
  297.  
  298. "ZoneAlarm": "Trojan-PSW.Win32.Tepfer.gen"
  299.  
  300.  
  301. "GData": "Win32.Trojan-Stealer.Zbot.AB"
  302.  
  303.  
  304. "AhnLab-V3": "Trojan/Win32.Tepfer.R93111"
  305.  
  306.  
  307. "Acronis": "suspicious"
  308.  
  309.  
  310. "McAfee": "PWS-Zbot.gen.ate"
  311.  
  312.  
  313. "TACHYON": "Trojan-PWS/W32.Tepfer.92672.R"
  314.  
  315.  
  316. "VBA32": "SScope.Malware-Cryptor.Ponik"
  317.  
  318.  
  319. "Malwarebytes": "Spyware.Pony"
  320.  
  321.  
  322. "ESET-NOD32": "a variant of Win32/PSW.Fareit.A"
  323.  
  324.  
  325. "TrendMicro-HouseCall": "BKDR_PONY.SM"
  326.  
  327.  
  328. "Rising": "Stealer.Fareit!1.B777 (CLASSIC)"
  329.  
  330.  
  331. "Yandex": "Trojan.PonyPass.Gen.LH"
  332.  
  333.  
  334. "Ikarus": "Trojan-Spy.Fareit"
  335.  
  336.  
  337. "eGambit": "Unsafe.AI_Score_99%"
  338.  
  339.  
  340. "Fortinet": "W32/Agent.NTM!tr"
  341.  
  342.  
  343. "AVG": "Sf:Crypt-AS Trj"
  344.  
  345.  
  346. "Panda": "Trj/Tepfer.D"
  347.  
  348.  
  349. "CrowdStrike": "win/malicious_confidence_100% (W)"
  350.  
  351.  
  352. "Qihoo-360": "Win32/Trojan.PSW.c13"
  353.  
  354.  
  355.  
  356.  
  357. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  358. "Details":
  359.  
  360. "target": "clamav:Win.Trojan.Fareit-403, sha256:e656a87f9ee91482ad7ff860d2c5898b1b4a2405af7d5b6026952a387c29813e, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  361.  
  362.  
  363.  
  364.  
  365. "Description": "Harvests credentials from locally installed FTP client software (the paths and registry keys below are the locations probed, not necessarily files that existed on the sandbox)",
  366. "Details":
  367.  
  368. "file": "C:\\Program Files (x86)\\CuteFTP\\sm.dat"
  369.  
  370.  
  371. "file": "C:\\Users\\user\\AppData\\Local\\CuteFTP\\sm.dat"
  372.  
  373.  
  374. "file": "C:\\Users\\user\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat"
  375.  
  376.  
  377. "file": "C:\\Users\\user\\AppData\\Roaming\\CuteFTP\\sm.dat"
  378.  
  379.  
  380. "file": "C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat"
  381.  
  382.  
  383. "file": "C:\\ProgramData\\CuteFTP\\sm.dat"
  384.  
  385.  
  386. "file": "C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat"
  387.  
  388.  
  389. "file": "C:\\Users\\user\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat"
  390.  
  391.  
  392. "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\4\\Sites.dat"
  393.  
  394.  
  395. "file": "C:\\ProgramData\\FlashFXP\\3\\Sites.dat"
  396.  
  397.  
  398. "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\3\\Sites.dat"
  399.  
  400.  
  401. "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\4\\Sites.dat"
  402.  
  403.  
  404. "file": "C:\\ProgramData\\FlashFXP\\4\\Sites.dat"
  405.  
  406.  
  407. "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\3\\Sites.dat"
  408.  
  409.  
  410. "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\3\\Quick.dat"
  411.  
  412.  
  413. "file": "C:\\ProgramData\\FlashFXP\\4\\Quick.dat"
  414.  
  415.  
  416. "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\4\\Quick.dat"
  417.  
  418.  
  419. "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\4\\Quick.dat"
  420.  
  421.  
  422. "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\3\\Quick.dat"
  423.  
  424.  
  425. "file": "C:\\ProgramData\\FlashFXP\\3\\Quick.dat"
  426.  
  427.  
  428. "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\sitemanager.xml"
  429.  
  430.  
  431. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
  432.  
  433.  
  434. "file": "C:\\ProgramData\\FileZilla\\sitemanager.xml"
  435.  
  436.  
  437. "file": "C:\\ProgramData\\FileZilla\\recentservers.xml"
  438.  
  439.  
  440. "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\recentservers.xml"
  441.  
  442.  
  443. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  444.  
  445.  
  446. "file": "C:\\Users\\user\\AppData\\Local\\VanDyke\\Config\\Sessions\\*.*"
  447.  
  448.  
  449. "file": "C:\\Users\\user\\AppData\\Roaming\\VanDyke\\Config\\Sessions\\*.*"
  450.  
  451.  
  452. "file": "C:\\ProgramData\\VanDyke\\Config\\Sessions\\*.*"
  453.  
  454.  
  455. "file": "C:\\Users\\user\\AppData\\Roaming\\FTP Explorer\\*.*"
  456.  
  457.  
  458. "file": "C:\\Users\\user\\AppData\\Local\\FTP Explorer\\*.*"
  459.  
  460.  
  461. "file": "C:\\ProgramData\\FTP Explorer\\*.*"
  462.  
  463.  
  464. "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\*.*"
  465.  
  466.  
  467. "file": "C:\\Users\\user\\AppData\\Local\\SmartFTP\\*.*"
  468.  
  469.  
  470. "file": "C:\\ProgramData\\SmartFTP\\*.*"
  471.  
  472.  
  473. "file": "C:\\Users\\user\\AppData\\Roaming\\TurboFTP\\*.*"
  474.  
  475.  
  476. "file": "C:\\Users\\user\\AppData\\Local\\TurboFTP\\*.*"
  477.  
  478.  
  479. "file": "C:\\ProgramData\\TurboFTP\\*.*"
  480.  
  481.  
  482. "file": "C:\\Users\\user\\AppData\\Roaming\\FTPRush\\*.*"
  483.  
  484.  
  485. "file": "C:\\Users\\user\\AppData\\Local\\FTPRush\\*.*"
  486.  
  487.  
  488. "file": "C:\\ProgramData\\FTPRush\\*.*"
  489.  
  490.  
  491. "file": "C:\\ProgramData\\LeapWare\\LeapFTP\\*.*"
  492.  
  493.  
  494. "file": "C:\\Users\\user\\AppData\\Local\\LeapWare\\LeapFTP\\*.*"
  495.  
  496.  
  497. "file": "C:\\Users\\user\\AppData\\Roaming\\LeapWare\\LeapFTP\\*.*"
  498.  
  499.  
  500. "file": "C:\\Users\\user\\AppData\\Local\\FTPGetter\\*.*"
  501.  
  502.  
  503. "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\*.*"
  504.  
  505.  
  506. "file": "C:\\ProgramData\\FTPGetter\\*.*"
  507.  
  508.  
  509. "file": "C:\\Users\\user\\AppData\\Local\\Estsoft\\ALFTP\\*.*"
  510.  
  511.  
  512. "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\*.*"
  513.  
  514.  
  515. "file": "C:\\ProgramData\\Estsoft\\ALFTP\\*.*"
  516.  
  517.  
  518. "file": "C:\\Program Files (x86)\\Common Files\\Ipswitch\\WS_FTP\\*.*"
  519.  
  520.  
  521. "key": "HKEY_CURRENT_USER\\Software\\Far Manager\\Plugins\\FTP\\Hosts"
  522.  
  523.  
  524. "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
  525.  
  526.  
  527. "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
  528.  
  529.  
  530. "key": "HKEY_CURRENT_USER\\Software\\Far\\SavedDialogHistory\\FTPHost"
  531.  
  532.  
  533. "key": "HKEY_CURRENT_USER\\Software\\Far2\\SavedDialogHistory\\FTPHost"
  534.  
  535.  
  536. "key": "HKEY_CURRENT_USER\\Software\\Far Manager\\SavedDialogHistory\\FTPHost"
  537.  
  538.  
  539. "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar"
  540.  
  541.  
  542. "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar"
  543.  
  544.  
  545. "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar"
  546.  
  547.  
  548. "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar"
  549.  
  550.  
  551. "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar"
  552.  
  553.  
  554. "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar"
  555.  
  556.  
  557. "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Windows Commander"
  558.  
  559.  
  560. "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Windows Commander"
  561.  
  562.  
  563. "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
  564.  
  565.  
  566. "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Total Commander"
  567.  
  568.  
  569. "key": "HKEY_CURRENT_USER\\Software\\BPFTP\\Bullet Proof FTP\\Options"
  570.  
  571.  
  572. "key": "HKEY_CURRENT_USER\\Software\\BPFTP\\Bullet Proof FTP\\Main"
  573.  
  574.  
  575. "key": "HKEY_CURRENT_USER\\Software\\FileZilla"
  576.  
  577.  
  578. "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla"
  579.  
  580.  
  581. "key": "HKEY_CURRENT_USER\\Software\\FileZilla Client"
  582.  
  583.  
  584. "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla Client"
  585.  
  586.  
  587. "key": "HKEY_CURRENT_USER\\Software\\TurboFTP"
  588.  
  589.  
  590. "key": "HKEY_LOCAL_MACHINE\\Software\\TurboFTP"
  591.  
  592.  
  593. "key": "HKEY_CURRENT_USER\\Software\\Sota\\FFFTP\\Options"
  594.  
  595.  
  596. "key": "HKEY_CURRENT_USER\\Software\\Sota\\FFFTP"
  597.  
  598.  
  599. "key": "HKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites"
  600.  
  601.  
  602. "key": "HKEY_CURRENT_USER\\Software\\FTP Explorer\\FTP Explorer\\Workspace\\MFCToolBar-224"
  603.  
  604.  
  605. "key": "HKEY_CURRENT_USER\\Software\\FTP Explorer\\Profiles"
  606.  
  607.  
  608. "key": "HKEY_LOCAL_MACHINE\\Software\\FTPClient\\Sites"
  609.  
  610.  
  611. "key": "HKEY_CURRENT_USER\\Software\\FTPClient\\Sites"
  612.  
  613.  
  614. "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
  615.  
  616.  
  617. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Robo-FTP 3.7\\Scripts"
  618.  
  619.  
  620. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Robo-FTP 3.7\\FTPServers"
  621.  
  622.  
  623. "key": "HKEY_CURRENT_USER\\SOFTWARE\\Robo-FTP 3.7\\FTPServers"
  624.  
  625.  
  626. "key": "HKEY_CURRENT_USER\\SOFTWARE\\Robo-FTP 3.7\\Scripts"
  627.  
  628.  
  629. "key": "HKEY_CURRENT_USER\\Software\\MAS-Soft\\FTPInfo\\Setup"
  630.  
  631.  
  632. "key": "HKEY_LOCAL_MACHINE\\Software\\SoftX.org\\FTPClient\\Sites"
  633.  
  634.  
  635. "key": "HKEY_CURRENT_USER\\Software\\SoftX.org\\FTPClient\\Sites"
  636.  
  637.  
  638. "key": "HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client\\Main"
  639.  
  640.  
  641. "key": "HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client\\Options"
  642.  
  643.  
  644.  
  645.  
  646. "Description": "Harvests information related to installed mail clients",
  647. "Details":
  648.  
  649. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
  650.  
  651.  
  652. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings"
  653.  
  654.  
  655. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
  656.  
  657.  
  658. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
  659.  
  660.  
  661. "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
  662.  
  663.  
  664.  
  665.  
  666.  
  667. * Started Service:
  668.  
  669. * Mutexes:
  670. "Local\\_!MSFTHISTORY!_",
  671. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  672. "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  673. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!"
  674.  
  675.  
  676. * Modified Files (note the \\??\\PIPE\\samr entry: access to the SAM named pipe is consistent with local account enumeration, though this report does not show what was queried):
  677. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  678. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  679. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  680. "\\??\\PIPE\\samr",
  681. "C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat"
  682.  
  683.  
  684. * Deleted Files:
  685. "C:\\Users\\user\\AppData\\Local\\Temp\\tQpQ9ImfhEt6i3.exe",
  686. "C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat"
  687.  
  688.  
  689. * Modified Registry Keys:
  690. "HKEY_CURRENT_USER\\Software\\WinRAR",
  691. "HKEY_CURRENT_USER\\Software\\WinRAR\\HWID"
  692.  
  693.  
  694. * Deleted Registry Keys:
  695.  
  696. * DNS Communications (the A query for the C2 domain returned no answers in this run — the domain did not resolve, so no HTTP/C2 traffic was captured and the empty network sections below should not be read as "no C2 capability"):
  697.  
  698. "type": "A",
  699. "request": "nztnyavroi.ru.net",
  700. "answers":
  701.  
  702.  
  703.  
  704. * Domains:
  705.  
  706. "ip": "",
  707. "domain": "nztnyavroi.ru.net"
  708.  
  709.  
  710.  
  711. * Network Communication - ICMP:
  712.  
  713. * Network Communication - HTTP:
  714.  
  715. * Network Communication - SMTP:
  716.  
  717. * Network Communication - Hosts:
  718.  
  719. * Network Communication - IRC: