- * ID: 2382
- * MalFamily: "Pony"
- * MalScore: 10.0
- * File Name: "Pony_e66b8fb74f7a5d490b39b718be129134.exe"
- * File Size: 291840
- * File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
- * SHA256: "13d47b45e8f68e833d6cb30a463f2ae09aa5a14e95230780efc48237cb2be624"
- * MD5: "e66b8fb74f7a5d490b39b718be129134"
- * SHA1: "9a71153ee74ffe942b9bcba9109e6e392e22c02b"
- * SHA512: "77c6b0568a41c51ff47c5de1356009af63cc1c16041fd2446b850bd3310a25e9a36f49cdc228dd3a7e69946727bc6dc7ede6d11af8a289917e8bedadfb3d1f64"
- * CRC32: "48D777CC"
- * SSDEEP: "6144:+0MZPlvCy5lpzT8zoEnr8ym7OKUNQyVqTmZ6MBJSmAuCCI0JC:sxCy5LzT8zoKvmKKUCyV7LBEnCI0J"
- * Process Execution:
- "gEsyGd2lbPPD5M.exe",
- "schtasks.exe",
- "gEsyGd2lbPPD5M.exe",
- "cmd.exe",
- "svchost.exe",
- "taskeng.exe",
- "taskeng.exe",
- "msoia.exe",
- "msoia.exe",
- "taskeng.exe",
- "taskeng.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\RrDcAB\" /XML \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpABBE.tmp\"",
- "schtasks.exe /Create /TN \"Updates\\RrDcAB\" /XML \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpABBE.tmp\"",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\gEsyGd2lbPPD5M.exe\"",
- "taskeng.exe CAB5771A-AB87-4C98-8663-C97502A312F1 S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe ADF97C4D-7715-42B7-A464-679E889ACA30 S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
- "taskeng.exe ADBB9E87-285F-47FB-9A72-77BB6D9513A9 S-1-5-18:NT AUTHORITY\\System:Service:",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\11376031.bat\" \"C:\\Users\\user\\AppData\\Local\\Temp\\gEsyGd2lbPPD5M.exe\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\11376031.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\gEsyGd2lbPPD5M.exe\"",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "svchost.exe tried to sleep 315 seconds, actually delayed analysis time by 0 seconds"
- "Process": "taskeng.exe tried to sleep 678 seconds, actually delayed analysis time by 0 seconds"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "gEsyGd2lbPPD5M.exe -> schtasks.exe"
- "Process": "gEsyGd2lbPPD5M.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\11376031.bat"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .text, entropy: 7.70, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00045400, virtual_size: 0x00045304"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\RrDcAB\" /XML \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpABBE.tmp\""
- "command": "schtasks.exe /Create /TN \"Updates\\RrDcAB\" /XML \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpABBE.tmp\""
- "command": "C:\\Users\\user\\AppData\\Local\\Temp\\11376031.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\gEsyGd2lbPPD5M.exe\""
- "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "gEsyGd2lbPPD5M.exe(1528) -> gEsyGd2lbPPD5M.exe(2216)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "gEsyGd2lbPPD5M.exe(1528) -> gEsyGd2lbPPD5M.exe(2216)"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Exhibits behavior characteristic of Pony malware",
- "Details":
- "C2": "http://acousticallysound.com.au/include/shit.exe"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Office Proofing Tools 2013 - Español"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\RrDcAB.exe"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\RrDcAB.exe"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Program Files (x86)\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\CuteFTP\\sm.dat"
- "file": "C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\ProgramData\\CuteFTP\\sm.dat"
- "file": "C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\4\\Sites.dat"
- "file": "C:\\ProgramData\\FlashFXP\\3\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\3\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\4\\Sites.dat"
- "file": "C:\\ProgramData\\FlashFXP\\4\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\3\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\3\\Quick.dat"
- "file": "C:\\ProgramData\\FlashFXP\\4\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\4\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\4\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\3\\Quick.dat"
- "file": "C:\\ProgramData\\FlashFXP\\3\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\sitemanager.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- "file": "C:\\ProgramData\\FileZilla\\sitemanager.xml"
- "file": "C:\\ProgramData\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Local\\VanDyke\\Config\\Sessions\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\VanDyke\\Config\\Sessions\\*.*"
- "file": "C:\\ProgramData\\VanDyke\\Config\\Sessions\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTP Explorer\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\FTP Explorer\\*.*"
- "file": "C:\\ProgramData\\FTP Explorer\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\SmartFTP\\*.*"
- "file": "C:\\ProgramData\\SmartFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\TurboFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\TurboFTP\\*.*"
- "file": "C:\\ProgramData\\TurboFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTPRush\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\FTPRush\\*.*"
- "file": "C:\\ProgramData\\FTPRush\\*.*"
- "file": "C:\\ProgramData\\LeapWare\\LeapFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\LeapWare\\LeapFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\LeapWare\\LeapFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\FTPGetter\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\*.*"
- "file": "C:\\ProgramData\\FTPGetter\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\Estsoft\\ALFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\*.*"
- "file": "C:\\ProgramData\\Estsoft\\ALFTP\\*.*"
- "file": "C:\\Program Files (x86)\\Common Files\\Ipswitch\\WS_FTP\\*.*"
- "key": "HKEY_CURRENT_USER\\Software\\Far Manager\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far\\SavedDialogHistory\\FTPHost"
- "key": "HKEY_CURRENT_USER\\Software\\Far2\\SavedDialogHistory\\FTPHost"
- "key": "HKEY_CURRENT_USER\\Software\\Far Manager\\SavedDialogHistory\\FTPHost"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar"
- "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Windows Commander"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Windows Commander"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_CURRENT_USER\\Software\\BPFTP\\Bullet Proof FTP\\Options"
- "key": "HKEY_CURRENT_USER\\Software\\BPFTP\\Bullet Proof FTP\\Main"
- "key": "HKEY_CURRENT_USER\\Software\\FileZilla"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla"
- "key": "HKEY_CURRENT_USER\\Software\\FileZilla Client"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla Client"
- "key": "HKEY_CURRENT_USER\\Software\\TurboFTP"
- "key": "HKEY_LOCAL_MACHINE\\Software\\TurboFTP"
- "key": "HKEY_CURRENT_USER\\Software\\Sota\\FFFTP\\Options"
- "key": "HKEY_CURRENT_USER\\Software\\Sota\\FFFTP"
- "key": "HKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\FTP Explorer\\FTP Explorer\\Workspace\\MFCToolBar-224"
- "key": "HKEY_CURRENT_USER\\Software\\FTP Explorer\\Profiles"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Robo-FTP 3.7\\Scripts"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Robo-FTP 3.7\\FTPServers"
- "key": "HKEY_CURRENT_USER\\SOFTWARE\\Robo-FTP 3.7\\FTPServers"
- "key": "HKEY_CURRENT_USER\\SOFTWARE\\Robo-FTP 3.7\\Scripts"
- "key": "HKEY_CURRENT_USER\\Software\\MAS-Soft\\FTPInfo\\Setup"
- "key": "HKEY_LOCAL_MACHINE\\Software\\SoftX.org\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\SoftX.org\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client\\Main"
- "key": "HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client\\Options"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
- "C:\\Users\\user\\AppData\\Roaming\\RrDcAB.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmpABBE.tmp",
- "\\Device\\LanmanDatagramReceiver",
- "\\??\\PIPE\\srvsvc",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "\\??\\PIPE\\samr",
- "C:\\Users\\user\\AppData\\Local\\Temp\\11376031.bat"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmpABBE.tmp",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1528.11291953",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1528.11291953",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1528.11291968",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\gEsyGd2lbPPD5M.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\11376031.bat"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Updates\\RrDcAB\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Updates\\RrDcAB\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\CAB5771A-AB87-4C98-8663-C97502A312F1",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\ADF97C4D-7715-42B7-A464-679E889ACA30",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\ADBB9E87-285F-47FB-9A72-77BB6D9513A9",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\AF2270C1-F974-4E3F-AD92-89C3808BD043",
- "HKEY_CURRENT_USER\\Software\\WinRAR",
- "HKEY_CURRENT_USER\\Software\\WinRAR\\HWID",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\CAB5771A-AB87-4C98-8663-C97502A312F1\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\ADF97C4D-7715-42B7-A464-679E889ACA30\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\ADBB9E87-285F-47FB-9A72-77BB6D9513A9\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\AF2270C1-F974-4E3F-AD92-89C3808BD043\\data"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart"
- * DNS Communications:
- "type": "A",
- "request": "acousticallysound.com.au",
- "answers":
- * Domains:
- "ip": "116.0.23.168",
- "domain": "acousticallysound.com.au"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: