- Installrite Analysis
- The installation performed the following activity:
- 4 files added
- 3 files deleted
- 2 files updated
- 22 registry entries added
- 0 registry entries deleted
- 11 registry entries updated
- Installed 10/24/2019 4:51:54 AM
- All Files
- - Added Files
- > C:\WINDOWS\msagent\msfnhu.com
- > C:\WINDOWS\system32\msaueo.com
- > C:\WINDOWS\system32\mshost.exe
- - Modified Files
- > C:\WINDOWS\system32\config\system.log
- Registry
- - Added Registry
- > HKU\S-1-5-21-839522115-796845957-2147137731-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- > COM Service
- > HKLM\WINDOWS\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- > COM Service
- > HKLM\WINDOWS\Microsoft\Active Setup\Installed Components\{44CC0112-AB51-22EF-BA32-20AA12E6115C}
- > StubPath
- > HKCU\WINDOWS\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- > COM Service
- > HKCU\Software\Microsoft\RAS AutoDial\Control
- > LoginSessionDisable
- - Modified Registry
- > HKU\S-1-5-21-839522115-796845957-2147137731-1003...
- > HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch: Epoch
- > HKLM\SOFTWARE\Microsoft\Cryptography\RNG: Seed
- > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Assist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
- Autostarts:
- - COM Service c:\windows\msagent\msfnhu.com
- - n/a (Not verified) c:\windows\system32\msaueo.com
- Ports:
- mshost.exe:1372 TCP winxpsp2:6666 winxpsp2:0 LISTENING
- Dump
- mail.hotmail.com
- mail.flashmail.com
- za.mx.aol.com
- ns1.ip-plus.net
- Explorer.exe
- winmm.dll
- advapi.dll
- wininet.dll
- C:\WINDOWS\System32\aueo.blf
- wwp.mirabilis.com:80
- Behavior:
- Opens a port
- Can create and send email
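The following is an added triage script, not part of the Installrite report above and not produced by the analysed sample. It checks a live Windows host for the artifacts the report lists: the dropped files, the Explorer\Run policy autostart named "COM Service", the Active Setup component with the report's GUID, the RAS AutoDial flag, and a TCP listener on port 6666. Two assumptions are made and marked in the comments: the report renders the policy keys as HKLM\WINDOWS\... and HKCU\WINDOWS\..., and the script queries the standard SOFTWARE location instead; and it uses Get-NetTCPConnection, so it needs an elevated PowerShell on Windows 8 / Server 2012 or later rather than the XP SP2 host (winxpsp2) the report was captured on, where `netstat -ano` gives the same information.

```powershell
# Added triage script, not part of the Installrite report. Checks a Windows host for
# the files, autostart keys and listening port listed in that report.
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later.

$ErrorActionPreference = 'SilentlyContinue'

# Files the report shows being added or referenced.
$files = @(
    "$env:SystemRoot\msagent\msfnhu.com",
    "$env:SystemRoot\system32\msaueo.com",
    "$env:SystemRoot\system32\mshost.exe",
    "$env:SystemRoot\System32\aueo.blf"
)

# Assumption: the report prints these keys as HKLM\WINDOWS\... and HKCU\WINDOWS\...;
# the Explorer Run policy normally lives under SOFTWARE, so that is what is queried.
# The HKU\<SID> entry in the report is the same key seen as HKCU for that user.
$runPolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$activeSetupKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{44CC0112-AB51-22EF-BA32-20AA12E6115C}'
$rasKey         = 'HKCU:\Software\Microsoft\RAS AutoDial\Control'
$listenPort     = 6666

Write-Host '== Files =='
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $sig  = Get-AuthenticodeSignature -FilePath $f
        Write-Host ('FOUND  {0}  {1} bytes  created {2}  signature {3}' -f $f, $item.Length, $item.CreationTime, $sig.Status)
    } else {
        Write-Host "absent $f"
    }
}

Write-Host '== Explorer\Run policy keys (report shows value name "COM Service") =='
foreach ($k in $runPolicyKeys) {
    if (Test-Path -LiteralPath $k) {
        # Every non-PS* property of the key is a Run value: name = command line.
        (Get-ItemProperty -LiteralPath $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Write-Host ('{0}  {1} = {2}' -f $k, $_.Name, $_.Value) }
    }
}

Write-Host '== Active Setup StubPath (executed once per user at logon) =='
if (Test-Path -LiteralPath $activeSetupKey) {
    Write-Host ('{0}  StubPath = {1}' -f $activeSetupKey, (Get-ItemProperty -LiteralPath $activeSetupKey).StubPath)
}

Write-Host '== RAS AutoDial =='
if (Test-Path -LiteralPath $rasKey) {
    Write-Host ('{0}  LoginSessionDisable = {1}' -f $rasKey, (Get-ItemProperty -LiteralPath $rasKey).LoginSessionDisable)
}

Write-Host "== TCP listener on port $listenPort (report shows mshost.exe:1372) =="
Get-NetTCPConnection -LocalPort $listenPort -State Listen |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess
        Write-Host ('{0}:{1} LISTENING  pid {2}  {3}  {4}' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess, $p.ProcessName, $p.Path)
    }
```

The Policies\Explorer\Run key is normally absent on a workstation unless Group Policy populates it, so any value there, let alone one pointing at a .com file under msagent, deserves a look. The Active Setup StubPath is re-run for each user account whose HKCU lacks the matching component GUID, so when cleaning the host remove that key along with the files and the Run values, otherwise the next logon of another user can relaunch the dropper.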
- a) Name of the detected file to test:
- b) What files were created / dropped? (if the count is more than 10, just indicate the number)
- c) What files were modified / changed? (if the count is more than 10, just indicate the number)
- d) What files were deleted / moved? (if the count is more than 10, just indicate the number)
- e) What registry entries were created / dropped? (if the count is more than 10, just indicate the number)
- f) What registry entries were modified / changed? (if the count is more than 10, just indicate the number)
- g) What registry entries were deleted / moved? (if the count is more than 10, just indicate the number)
- h) What autostarts did the program use? (if the count is more than 10, just indicate the number)
- i) What process was used, and what corresponding port / URL / IP address was it trying to connect to?
- j) What process and dependencies did it run?
- k) Is the program memory resident? What process is it using in memory?
- l) Does it exhibit malicious behavior? If yes, what malware / grayware type and classification is it?
- m) What will be your recommendation, resolution or action?