API tools faq
paste
Advertisement
paladin316

1688Exes_97816f8dd94d63a4f608d76338b0d9ef_exe_2019-09-12_14_30.txt

paladin316
Sep 12th, 2019
1,607
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 19.76 KB | None | 0 0
raw download clone embed print report
  1.  
  2. * ID: 1688
  3. * MalFamily: "Trojan.Autoit"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_97816f8dd94d63a4f608d76338b0d9ef.exe"
  8. * File Size: 1129635
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "0d310e6d0f42fddaa21866fb4254f27f4fae7b95689f7bf3593429cee2b7acec"
  11. * MD5: "97816f8dd94d63a4f608d76338b0d9ef"
  12. * SHA1: "acb680f732f9257d89c4a16f9e474a573e0d06c8"
  13. * SHA512: "b54958f57490c707066a146f733d7996e25af1890d0dfadb37ae9761bff01c7c8a7c5e871b9fa1f35c777fe34061cca35cfc01bd3fb81d05ca121c63a728c492"
  14. * CRC32: "515CF846"
  15. * SSDEEP: "12288:8hkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aaZjupXgOcwywYbKPm7cia:0RmJkcoQricOIQxiZY1iaozLNPenjLqe"
  16.  
  17. * Process Execution:
  18. "JLe2ujwgu6.exe",
  19. "cmd.exe",
  20. "schtasks.exe",
  21. "wscript.exe",
  22. "svchost.exe",
  23. "WmiPrvSE.exe",
  24. "svchost.exe",
  25. "taskeng.exe",
  26. "taskeng.exe",
  27. "msoia.exe",
  28. "msoia.exe",
  29. "WMIADAP.exe",
  30. "taskeng.exe",
  31. "taskeng.exe",
  32. "explorer.exe"
  33.  
  34.  
  35. * Executed Commands:
  36. "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1",
  37. "WSCript C:\\Users\\user\\AppData\\Local\\Temp\\EPGNVR.vbs",
  38. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  39. "taskeng.exe BA95BF75-FDB3-4DB7-B60E-48341AA969B1 S-1-5-18:NT AUTHORITY\\System:Service:",
  40. "taskeng.exe C05BF83C-5ED3-4408-992C-5513FEBEE1FC S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
  41. "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
  42. "taskeng.exe 8A32D3B5-B47B-4B57-88CB-A81D3D24443A S-1-5-18:NT AUTHORITY\\System:Service:",
  43. "taskeng.exe 22690220-5953-4AA7-B8C2-186F354EF3FB S-1-5-18:NT AUTHORITY\\System:Service:",
  44. "schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1",
  45. "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
  46. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
  47. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
  48.  
  49.  
  50. * Signatures Detected:
  51.  
  52. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  53. "Details":
  54.  
  55.  
  56. "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
  57. "Details":
  58.  
  59. "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
  60.  
  61.  
  62.  
  63.  
  64. "Description": "Creates RWX memory",
  65. "Details":
  66.  
  67.  
  68. "Description": "Guard pages use detected - possible anti-debugging.",
  69. "Details":
  70.  
  71.  
  72. "Description": "Detected script timer window indicative of sleep style evasion",
  73. "Details":
  74.  
  75. "Window": "WSH-Timer"
  76.  
  77.  
  78.  
  79.  
  80. "Description": "Expresses interest in specific running processes",
  81. "Details":
  82.  
  83. "process": "wscript.exe"
  84.  
  85.  
  86.  
  87.  
  88. "Description": "Reads data out of its own binary image",
  89. "Details":
  90.  
  91. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x00000000, length: 0x00010000"
  92.  
  93.  
  94. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x0000ffec, length: 0x00010000"
  95.  
  96.  
  97. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x00010000, length: 0x00010000"
  98.  
  99.  
  100. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x0001ffd8, length: 0x00010000"
  101.  
  102.  
  103. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x00020000, length: 0x00010000"
  104.  
  105.  
  106. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x0002ffc4, length: 0x00010000"
  107.  
  108.  
  109. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x00030000, length: 0x00010000"
  110.  
  111.  
  112. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x0003ffb0, length: 0x00010000"
  113.  
  114.  
  115. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x00040000, length: 0x00020000"
  116.  
  117.  
  118. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x0004ff9c, length: 0x00010000"
  119.  
  120.  
  121. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x0005ff88, length: 0x00010000"
  122.  
  123.  
  124. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x00060000, length: 0x00030000"
  125.  
  126.  
  127. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x0006ff74, length: 0x00010000"
  128.  
  129.  
  130. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x0007ff60, length: 0x00010000"
  131.  
  132.  
  133. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x0008ff4c, length: 0x00010000"
  134.  
  135.  
  136. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x00090000, length: 0x00040000"
  137.  
  138.  
  139. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x0009ff38, length: 0x00010000"
  140.  
  141.  
  142. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x000a2614, length: 0x00001000"
  143.  
  144.  
  145. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x000a2628, length: 0x00000200"
  146.  
  147.  
  148. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x000a26bd, length: 0x00000200"
  149.  
  150.  
  151. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x000a26d9, length: 0x000715ca"
  152.  
  153.  
  154. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x000d0000, length: 0x00043ca3"
  155.  
  156.  
  157. "self_read": "process: JLe2ujwgu6.exe, pid: 3236, offset: 0x00113c9b, length: 0x00000008"
  158.  
  159.  
  160. "self_read": "process: wscript.exe, pid: 4092, offset: 0x00000000, length: 0x00000040"
  161.  
  162.  
  163. "self_read": "process: wscript.exe, pid: 4092, offset: 0x000000f0, length: 0x00000018"
  164.  
  165.  
  166. "self_read": "process: wscript.exe, pid: 4092, offset: 0x000001e8, length: 0x00000078"
  167.  
  168.  
  169. "self_read": "process: wscript.exe, pid: 4092, offset: 0x00018000, length: 0x00000020"
  170.  
  171.  
  172. "self_read": "process: wscript.exe, pid: 4092, offset: 0x00018058, length: 0x00000018"
  173.  
  174.  
  175. "self_read": "process: wscript.exe, pid: 4092, offset: 0x000181a8, length: 0x00000018"
  176.  
  177.  
  178. "self_read": "process: wscript.exe, pid: 4092, offset: 0x00018470, length: 0x00000010"
  179.  
  180.  
  181. "self_read": "process: wscript.exe, pid: 4092, offset: 0x00018640, length: 0x00000012"
  182.  
  183.  
  184.  
  185.  
  186. "Description": "A process created a hidden window",
  187. "Details":
  188.  
  189. "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
  190.  
  191.  
  192.  
  193.  
  194. "Description": "A scripting utility was executed",
  195. "Details":
  196.  
  197. "command": "WSCript C:\\Users\\user\\AppData\\Local\\Temp\\EPGNVR.vbs"
  198.  
  199.  
  200.  
  201.  
  202. "Description": "Uses Windows utilities for basic functionality",
  203. "Details":
  204.  
  205. "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
  206.  
  207.  
  208. "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
  209.  
  210.  
  211. "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
  212.  
  213.  
  214. "command": "schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
  215.  
  216.  
  217. "command": "schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
  218.  
  219.  
  220. "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
  221.  
  222.  
  223.  
  224.  
  225. "Description": "Sniffs keystrokes",
  226. "Details":
  227.  
  228. "SetWindowsHookExW": "Process: explorer.exe(1884)"
  229.  
  230.  
  231.  
  232.  
  233. "Description": "Behavioural detection: Transacted Hollowing",
  234. "Details":
  235.  
  236.  
  237. "Description": "A process attempted to delay the analysis task by a long amount of time.",
  238. "Details":
  239.  
  240. "Process": "wscript.exe tried to sleep 2100 seconds, actually delayed analysis time by 0 seconds"
  241.  
  242.  
  243. "Process": "svchost.exe tried to sleep 307 seconds, actually delayed analysis time by 0 seconds"
  244.  
  245.  
  246. "Process": "taskeng.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds"
  247.  
  248.  
  249. "Process": "WmiPrvSE.exe tried to sleep 1920 seconds, actually delayed analysis time by 0 seconds"
  250.  
  251.  
  252.  
  253.  
  254. "Description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
  255. "Details":
  256.  
  257. "regkeyval": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2\\ProgramsCache"
  258.  
  259.  
  260.  
  261.  
  262. "Description": "Attempts to execute a Living Off The Land Binary command for post exeploitation",
  263. "Details":
  264.  
  265. "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  266.  
  267.  
  268.  
  269.  
  270. "Description": "Installs itself for autorun at Windows startup",
  271. "Details":
  272.  
  273. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EPGNVR"
  274.  
  275.  
  276. "data": "\"C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe\""
  277.  
  278.  
  279. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EPGNVR.lnk"
  280.  
  281.  
  282. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EPGNVR.lnk"
  283.  
  284.  
  285. "task": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn EPGNVR.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe /sc minute /mo 1"
  286.  
  287.  
  288.  
  289.  
  290. "Description": "File has been identified by 28 Antiviruses on VirusTotal as malicious",
  291. "Details":
  292.  
  293. "MicroWorld-eScan": "AIT:Trojan.Nymeria.705"
  294.  
  295.  
  296. "FireEye": "Generic.mg.97816f8dd94d63a4"
  297.  
  298.  
  299. "Cybereason": "malicious.dd94d6"
  300.  
  301.  
  302. "APEX": "Malicious"
  303.  
  304.  
  305. "Paloalto": "generic.ml"
  306.  
  307.  
  308. "Kaspersky": "Trojan-Spy.PowerShell.KeyLogger.c"
  309.  
  310.  
  311. "BitDefender": "AIT:Trojan.Nymeria.705"
  312.  
  313.  
  314. "Endgame": "malicious (high confidence)"
  315.  
  316.  
  317. "Emsisoft": "AIT:Trojan.Nymeria.705 (B)"
  318.  
  319.  
  320. "F-Secure": "Heuristic.HEUR/AGEN.1034185"
  321.  
  322.  
  323. "Invincea": "heuristic"
  324.  
  325.  
  326. "McAfee-GW-Edition": "BehavesLike.Win32.TrojanAitInject.tc"
  327.  
  328.  
  329. "Trapmine": "malicious.high.ml.score"
  330.  
  331.  
  332. "Avira": "HEUR/AGEN.1034185"
  333.  
  334.  
  335. "MAX": "malware (ai score=88)"
  336.  
  337.  
  338. "ZoneAlarm": "Trojan-Spy.PowerShell.KeyLogger.c"
  339.  
  340.  
  341. "GData": "AIT:Trojan.Nymeria.705 (2x)"
  342.  
  343.  
  344. "Acronis": "suspicious"
  345.  
  346.  
  347. "VBA32": "Trojan.Autoit.F"
  348.  
  349.  
  350. "ALYac": "AIT:Trojan.Nymeria.705"
  351.  
  352.  
  353. "Ad-Aware": "AIT:Trojan.Nymeria.705"
  354.  
  355.  
  356. "ESET-NOD32": "a variant of Win32/Autoit.DB"
  357.  
  358.  
  359. "Rising": "Trojan.Agent/Autoit!1.BC29 (CLASSIC)"
  360.  
  361.  
  362. "Ikarus": "Trojan.Autoit"
  363.  
  364.  
  365. "eGambit": "Unsafe.AI_Score_70%"
  366.  
  367.  
  368. "Fortinet": "AutoIt/Agent.DB!tr"
  369.  
  370.  
  371. "CrowdStrike": "win/malicious_confidence_100% (W)"
  372.  
  373.  
  374. "Qihoo-360": "HEUR/QVM10.1.D67D.Malware.Gen"
  375.  
  376.  
  377.  
  378.  
  379. "Description": "Creates a copy of itself",
  380. "Details":
  381.  
  382. "copy": "C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe"
  383.  
  384.  
  385.  
  386.  
  387. "Description": "Anomalous binary characteristics",
  388. "Details":
  389.  
  390. "anomaly": "Actual checksum does not match that reported in PE header"
  391.  
  392.  
  393.  
  394.  
  395.  
  396. * Started Service:
  397.  
  398. * Mutexes:
  399. "Global\\ADAP_WMI_ENTRY",
  400. "Global\\RefreshRA_Mutex",
  401. "Global\\RefreshRA_Mutex_Lib",
  402. "Global\\RefreshRA_Mutex_Flag"
  403.  
  404.  
  405. * Modified Files:
  406. "C:\\Users\\user\\AppData\\Roaming\\Windata\\winnettask.exe",
  407. "\\??\\PIPE\\srvsvc",
  408. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EPGNVR.lnk",
  409. "C:\\Users\\user\\AppData\\Local\\Temp\\EPGNVR.vbs",
  410. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  411. "\\Device\\LanmanDatagramReceiver",
  412. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  413. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  414. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  415.  
  416.  
  417. * Deleted Files:
  418. "C:\\Windows\\Tasks\\EPGNVR.exe.job",
  419. "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
  420. "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
  421. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  422.  
  423.  
  424. * Modified Registry Keys:
  425. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\EPGNVR",
  426. "HKEY_CURRENT_USER\\Software\\Win32",
  427. "HKEY_CURRENT_USER\\Software\\Win32\\EPGNVR",
  428. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\BDF81CCC-EE92-45F2-874A-49B237F964AF\\Path",
  429. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\BDF81CCC-EE92-45F2-874A-49B237F964AF\\Hash",
  430. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\EPGNVR.exe\\Id",
  431. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\EPGNVR.exe\\Index",
  432. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\BDF81CCC-EE92-45F2-874A-49B237F964AF\\Triggers",
  433. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\BDF81CCC-EE92-45F2-874A-49B237F964AF\\DynamicInfo",
  434. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F23C90F8-7F8A-47A8-8A78-2147F4A03645\\Path",
  435. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F23C90F8-7F8A-47A8-8A78-2147F4A03645\\Hash",
  436. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Id",
  437. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Index",
  438. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F23C90F8-7F8A-47A8-8A78-2147F4A03645\\Triggers",
  439. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F23C90F8-7F8A-47A8-8A78-2147F4A03645\\DynamicInfo",
  440. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
  441. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\BA95BF75-FDB3-4DB7-B60E-48341AA969B1",
  442. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
  443. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C05BF83C-5ED3-4408-992C-5513FEBEE1FC",
  444. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
  445. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\8A32D3B5-B47B-4B57-88CB-A81D3D24443A",
  446. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\22690220-5953-4AA7-B8C2-186F354EF3FB",
  447. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2\\ProgramsCache",
  448. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  449. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
  450. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
  451. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
  452. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\BA95BF75-FDB3-4DB7-B60E-48341AA969B1\\data",
  453. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C05BF83C-5ED3-4408-992C-5513FEBEE1FC\\data",
  454. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\8A32D3B5-B47B-4B57-88CB-A81D3D24443A\\data"
  455.  
  456.  
  457. * Deleted Registry Keys:
  458. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
  459. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey",
  460. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\EPGNVR.exe.job",
  461. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\EPGNVR.exe.job.fp"
  462.  
  463.  
  464. * DNS Communications:
  465.  
  466. "type": "A",
  467. "request": "plunder.nsupdate.info",
  468. "answers":
  469.  
  470.  
  471.  
  472. * Domains:
  473.  
  474. "ip": "185.58.205.148",
  475. "domain": "plunder.nsupdate.info"
  476.  
  477.  
  478.  
  479. * Network Communication - ICMP:
  480.  
  481. * Network Communication - HTTP:
  482.  
  483. * Network Communication - SMTP:
  484.  
  485. * Network Communication - Hosts:
  486.  
  487. * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!