
agenttesla_98c4879c5185c0f41a15dcfb339ebc24f0dcd3e28e7a123fa5f6f3ce410ab313_2019-08-21_11_20.txt

  1.  
  2. * MalFamily: ""
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "agenttesla_98c4879c5185c0f41a15dcfb339ebc24f0dcd3e28e7a123fa5f6f3ce410ab313"
  7. * File Size: 860312
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
  9. * SHA256: "98c4879c5185c0f41a15dcfb339ebc24f0dcd3e28e7a123fa5f6f3ce410ab313"
  10. * MD5: "4001638fbb947c4c440840f4c9a9aa11"
  11. * SHA1: "92f9587a641e1d84dec4d6ecb8e568d912438b1e"
  12. * SHA512: "f0d938d67d7fd1f97fe833c2b1606b4029d9775190e419651b46a94e14b33eb08f702dbcbad32dcc4d301bb2fc107eda982d00f9d168251aaba4f4c7b5cf714b"
  13. * CRC32: "AD65CB00"
  14. * SSDEEP: "12288:qquErHF6xC9D6DmR1J98w4oknqOKw1FciUkV4PUSR0OvXzwJ8lbSi0IfsBCgKfzR:frl6kD68JmloO1jOv84bX0IfsaRIxm"
  15.  
  16. * Process Execution:
  17.     "agenttesla_98c4879c5185c0f41a15dcfb339ebc24f0dcd3e28e7a123fa5f6f3ce410ab313.exe",
  18.     "RegSvcs.exe",
  19.     "services.exe",
  20.     "svchost.exe",
  21.     "WmiPrvSE.exe",
  22.     "svchost.exe",
  23.     "WMIADAP.exe",
  24.     "lsass.exe",
  25.     "taskhost.exe"
  26.  
  27.  
  28. * Executed Commands:
  29.     "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  30.     "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
  31.     "C:\\Windows\\system32\\lsass.exe"
  32.  
  33.  
  34. * Signatures Detected:
  35.    
  36.         "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  37.         "Details":
  38.            
  39.                 "IP": "208.91.198.54:587"
  40.            
  41.        
  42.    
  43.    
  44.         "Description": "Creates RWX memory",
  45.         "Details":
  46.    
  47.    
  48.         "Description": "Reads data out of its own binary image",
  49.         "Details":
  50.            
  51.                 "self_read": "process: agenttesla_98c4879c5185c0f41a15dcfb339ebc24f0dcd3e28e7a123fa5f6f3ce410ab313.exe, pid: 2580, offset: 0x00000000, length: 0x000d2098"
  52.            
  53.        
  54.    
  55.    
  56.         "Description": "A process created a hidden window",
  57.         "Details":
  58.            
  59.                 "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
  60.            
  61.        
  62.    
  63.    
  64.         "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  65.         "Details":
  66.            
  67.                 "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  68.            
  69.            
  70.                 "suspicious_request": "http://checkip.amazonaws.com/"
  71.            
  72.        
  73.    
  74.    
  75.         "Description": "Performs some HTTP requests",
  76.         "Details":
  77.            
  78.                 "url": "http://checkip.amazonaws.com/"
  79.            
  80.        
  81.    
  82.    
  83.         "Description": "The binary likely contains encrypted or compressed data.",
  84.         "Details":
  85.            
  86.                 "section": "name: UPX1, entropy: 7.94, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00055600, virtual_size: 0x00056000"
  87.            
  88.            
  89.                 "section": "name: .rsrc, entropy: 7.65, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0007c600, virtual_size: 0x0007d000"
  90.            
  91.        
  92.    
  93.    
  94.         "Description": "The executable is compressed using UPX",
  95.         "Details":
  96.            
  97.                 "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x000fb000"
  98.            
  99.        
  100.    
  101.    
  102.         "Description": "Executed a process and injected code into it, probably while unpacking",
  103.         "Details":
  104.            
  105.                 "Injection": "agenttesla_98c4879c5185c0f41a15dcfb339ebc24f0dcd3e28e7a123fa5f6f3ce410ab313.exe(2580) -> RegSvcs.exe(2724)"
  106.            
  107.        
  108.    
  109.    
  110.         "Description": "Attempts to remove evidence of file being downloaded from the Internet",
  111.         "Details":
  112.            
  113.                 "file": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe:Zone.Identifier"
  114.            
  115.        
  116.    
  117.    
  118.         "Description": "Sniffs keystrokes",
  119.         "Details":
  120.            
  121.                 "SetWindowsHookExW": "Process: RegSvcs.exe(2724)"
  122.            
  123.        
  124.    
  125.    
  126.         "Description": "A process attempted to delay the analysis task by a long amount of time.",
  127.         "Details":
  128.            
  129.                 "Process": "RegSvcs.exe tried to sleep 5482 seconds, actually delayed analysis time by 0 seconds"
  130.            
  131.            
  132.                 "Process": "WmiPrvSE.exe tried to sleep 663 seconds, actually delayed analysis time by 0 seconds"
  133.            
  134.        
  135.    
  136.    
  137.         "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  138.         "Details":
  139.            
  140.                 "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 17563315 times"
  141.            
  142.        
  143.    
  144.    
  145.         "Description": "Steals private information from local Internet browsers",
  146.         "Details":
  147.            
  148.                 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  149.            
  150.        
  151.    
  152.    
  153.         "Description": "Installs itself for autorun at Windows startup",
  154.         "Details":
  155.            
  156.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp"
  157.            
  158.            
  159.                 "data": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
  160.            
  161.            
  162.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load"
  163.            
  164.            
  165.                 "data": "C:\\Users\\user\\AppData\\Roaming\\catsrv\\DPTopologyApp.exe"
  166.            
  167.        
  168.    
  169.    
  170.         "Description": "Creates a hidden or system file",
  171.         "Details":
  172.            
  173.                 "file": "C:\\Users\\user\\AppData\\Roaming\\catsrv"
  174.            
  175.            
  176.                 "file": "C:\\Users\\user\\AppData\\Roaming\\catsrv\\DPTopologyApp.exe"
  177.            
  178.            
  179.                 "file": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
  180.            
  181.        
  182.    
  183.    
  184.         "Description": "Retrieves Windows ProductID, probably to fingerprint the sandbox",
  185.         "Details":
  186.    
  187.    
  188.         "Description": "File has been identified by 49 Antiviruses on VirusTotal as malicious",
  189.         "Details":
  190.            
  191.                 "MicroWorld-eScan": "Trojan.GenericKD.41585363"
  192.            
  193.            
  194.                 "McAfee": "Packed-FTE!4001638FBB94"
  195.            
  196.            
  197.                 "K7AntiVirus": "Riskware ( 0040eff71 )"
  198.            
  199.            
  200.                 "K7GW": "Riskware ( 0040eff71 )"
  201.            
  202.            
  203.                 "Cybereason": "malicious.fbb947"
  204.            
  205.            
  206.                 "Arcabit": "Trojan.Generic.D27A8AD3"
  207.            
  208.            
  209.                 "Invincea": "heuristic"
  210.            
  211.            
  212.                 "Cyren": "W32/FakeDoc.J.gen!Eldorado"
  213.            
  214.            
  215.                 "Symantec": "Trojan Horse"
  216.            
  217.            
  218.                 "APEX": "Malicious"
  219.            
  220.            
  221.                 "Paloalto": "generic.ml"
  222.            
  223.            
  224.                 "ClamAV": "Win.Malware.Autoit-6968679-0"
  225.            
  226.            
  227.                 "Kaspersky": "Backdoor.Win32.AutoIt.ed"
  228.            
  229.            
  230.                 "BitDefender": "Trojan.GenericKD.41585363"
  231.            
  232.            
  233.                 "NANO-Antivirus": "Trojan.Win32.AutoIt.fvyjwe"
  234.            
  235.            
  236.                 "Avast": "Win32:Trojan-gen"
  237.            
  238.            
  239.                 "Ad-Aware": "Trojan.GenericKD.41585363"
  240.            
  241.            
  242.                 "Emsisoft": "Trojan.GenericKD.41585363 (B)"
  243.            
  244.            
  245.                 "F-Secure": "Trojan.TR/Agent.agqt"
  246.            
  247.            
  248.                 "DrWeb": "Trojan.AutoIt.421"
  249.            
  250.            
  251.                 "Zillya": "Trojan.Packed.Win32.156979"
  252.            
  253.            
  254.                 "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
  255.            
  256.            
  257.                 "McAfee-GW-Edition": "BehavesLike.Win32.Generic.cc"
  258.            
  259.            
  260.                 "Trapmine": "malicious.moderate.ml.score"
  261.            
  262.            
  263.                 "FireEye": "Generic.mg.4001638fbb947c4c"
  264.            
  265.            
  266.                 "Sophos": "Troj/AutoIt-CLG"
  267.            
  268.            
  269.                 "Ikarus": "Trojan-Spy.HawkEye"
  270.            
  271.            
  272.                 "F-Prot": "W32/FakeDoc.J.gen!Eldorado"
  273.            
  274.            
  275.                 "Avira": "TR/Agent.agqt"
  276.            
  277.            
  278.                 "MAX": "malware (ai score=82)"
  279.            
  280.            
  281.                 "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
  282.            
  283.            
  284.                 "Microsoft": "Trojan:Win32/AgentTesla!rfn"
  285.            
  286.            
  287.                 "Endgame": "malicious (moderate confidence)"
  288.            
  289.            
  290.                 "ZoneAlarm": "Backdoor.Win32.AutoIt.ed"
  291.            
  292.            
  293.                 "GData": "Trojan.GenericKD.41585363"
  294.            
  295.            
  296.                 "AhnLab-V3": "Trojan/Win32.Injector.C3240121"
  297.            
  298.            
  299.                 "Acronis": "suspicious"
  300.            
  301.            
  302.                 "VBA32": "TrojanPSW.AgentTesla"
  303.            
  304.            
  305.                 "ALYac": "Trojan.GenericKD.41585363"
  306.            
  307.            
  308.                 "Malwarebytes": "Trojan.MalPack.Generic"
  309.            
  310.            
  311.                 "Zoner": "Trojan.Win32.78190"
  312.            
  313.            
  314.                 "ESET-NOD32": "a variant of Win32/Packed.AutoIt.PK"
  315.            
  316.            
  317.                 "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
  318.            
  319.            
  320.                 "Rising": "PUF.Pack-AutoIt!1.B8E7 (CLASSIC)"
  321.            
  322.            
  323.                 "Fortinet": "AutoIt/Scar.RWET!tr"
  324.            
  325.            
  326.                 "MaxSecure": "Win.MxResIcn.Heur.Gen"
  327.            
  328.            
  329.                 "AVG": "Win32:Trojan-gen"
  330.            
  331.            
  332.                 "CrowdStrike": "win/malicious_confidence_90% (W)"
  333.            
  334.            
  335.                 "Qihoo-360": "HEUR/QVM11.1.5883.Malware.Gen"
  336.            
  337.        
  338.    
  339.    
  340.         "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  341.         "Details":
  342.    
  343.    
  344.         "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  345.         "Details":
  346.            
  347.                 "target": "clamav:Win.Malware.Autoit-6968679-0, sha256:98c4879c5185c0f41a15dcfb339ebc24f0dcd3e28e7a123fa5f6f3ce410ab313, type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
  348.            
  349.            
  350.                 "dropped": "clamav:Win.Malware.Autoit-6968679-0, sha256:80a9d1df3a2b24c9acbf429fa3391850fa649032354be10a1f29a7ffcf445f3c , guest_paths:C:\\Users\\user\\AppData\\Roaming\\catsrv\\DPTopologyApp.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
  351.            
  352.        
  353.    
  354.    
  355.         "Description": "Harvests credentials from local FTP client softwares",
  356.         "Details":
  357.            
  358.                 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  359.            
  360.            
  361.                 "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\"
  362.            
  363.            
  364.                 "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\*.xml"
  365.            
  366.            
  367.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Ipswitch\\WS_FTP\\Sites\\ws_ftp.ini"
  368.            
  369.            
  370.                 "file": "C:\\cftp\\Ftplist.txt"
  371.            
  372.            
  373.                 "key": "HKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites"
  374.            
  375.        
  376.    
  377.    
  378.         "Description": "Harvests information related to installed mail clients",
  379.         "Details":
  380.            
  381.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"
  382.            
  383.            
  384.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
  385.            
  386.            
  387.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  388.            
  389.            
  390.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
  391.            
  392.            
  393.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  394.            
  395.            
  396.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
  397.            
  398.            
  399.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  400.            
  401.            
  402.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
  403.            
  404.            
  405.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  406.            
  407.            
  408.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
  409.            
  410.            
  411.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  412.            
  413.            
  414.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
  415.            
  416.            
  417.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
  418.            
  419.            
  420.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  421.            
  422.            
  423.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
  424.            
  425.            
  426.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
  427.            
  428.            
  429.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  430.            
  431.        
  432.    
  433.    
  434.         "Description": "Creates a slightly modified copy of itself",
  435.         "Details":
  436.            
  437.                 "file": "C:\\Users\\user\\AppData\\Roaming\\catsrv\\DPTopologyApp.exe"
  438.            
  439.            
  440.                 "percent_match": 99
  441.            
  442.        
  443.    
  444.    
  445.         "Description": "Collects information to fingerprint the system",
  446.         "Details":
  447.    
  448.  
  449.  
  450. * Started Service:
  451.     "VaultSvc"
  452.  
  453.  
  454. * Mutexes:
  455.     "Global\\CLR_PerfMon_WrapMutex",
  456.     "Global\\CLR_CASOFF_MUTEX",
  457.     "Local\\_!MSFTHISTORY!_",
  458.     "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  459.     "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  460.     "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  461.     "Global\\.net clr networking",
  462.     "Global\\ADAP_WMI_ENTRY"
  463.  
  464.  
  465. * Modified Files:
  466.     "C:\\Users\\user\\AppData\\Roaming\\catsrv\\DPTopologyApp.exe",
  467.     "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe",
  468.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  469.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  470.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  471.     "C:\\Users\\user\\AppData\\Roaming\\W8QhDkG3q8.jpeg",
  472.     "C:\\Users\\user\\AppData\\Roaming\\Qs2eXjq446.jpeg",
  473.     "C:\\Users\\user\\AppData\\Roaming\\V4u6erP6kX.jpeg",
  474.     "\\??\\PIPE\\samr",
  475.     "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  476.     "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  477.     "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  478.     "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  479.     "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  480.     "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
  481.     "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
  482.     "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  483.     "\\??\\WMIDataDevice",
  484.     "\\??\\PIPE\\wkssvc",
  485.     "\\??\\PIPE\\srvsvc",
  486.     "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"
  487.  
  488.  
  489. * Deleted Files:
  490.     "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe:Zone.Identifier"
  491.  
  492.  
  493. * Modified Registry Keys:
  494.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
  495.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp",
  496.     "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RegSvcs_RASAPI32",
  497.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegSvcs_RASAPI32\\EnableFileTracing",
  498.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegSvcs_RASAPI32\\EnableConsoleTracing",
  499.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegSvcs_RASAPI32\\FileTracingMask",
  500.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegSvcs_RASAPI32\\ConsoleTracingMask",
  501.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegSvcs_RASAPI32\\MaxFileSize",
  502.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegSvcs_RASAPI32\\FileDirectory",
  503.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  504.     "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  505.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  506.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  507.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
  508.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
  509.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
  510.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
  511.  
  512.  
  513. * Deleted Registry Keys:
  514.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load"
  515.  
  516.  
  517. * DNS Communications:
  518.    
  519.         "type": "A",
  520.         "request": "checkip.amazonaws.com",
  521.         "answers":
  522.            
  523.                 "data": "52.55.255.113",
  524.                 "type": "A"
  525.            
  526.            
  527.                 "data": "52.44.169.135",
  528.                 "type": "A"
  529.            
  530.            
  531.                 "data": "checkip.us-east-1.prod.check-ip.aws.a2z.com",
  532.                 "type": "CNAME"
  533.            
  534.            
  535.                 "data": "18.205.71.63",
  536.                 "type": "A"
  537.            
  538.            
  539.                 "data": "checkip.check-ip.aws.a2z.com",
  540.                 "type": "CNAME"
  541.            
  542.            
  543.                 "data": "3.224.145.145",
  544.                 "type": "A"
  545.            
  546.            
  547.                 "data": "18.204.189.102",
  548.                 "type": "A"
  549.            
  550.            
  551.                 "data": "34.196.181.158",
  552.                 "type": "A"
  553.            
  554.        
  555.    
  556.    
  557.         "type": "A",
  558.         "request": "mail.dimeholidays.com",
  559.         "answers":
  560.            
  561.                 "data": "208.91.198.54",
  562.                 "type": "A"
  563.            
  564.            
  565.                 "data": "dimeholidays.com",
  566.                 "type": "CNAME"
  567.            
  568.        
  569.    
  570.  
  571.  
  572. * Domains:
  573.    
  574.         "ip": "52.55.255.113",
  575.         "domain": "checkip.amazonaws.com"
  576.    
  577.    
  578.         "ip": "208.91.198.54",
  579.         "domain": "mail.dimeholidays.com"
  580.    
  581.  
  582.  
  583. * Network Communication - ICMP:
  584.  
  585. * Network Communication - HTTP:
  586.    
  587.         "count": 2,
  588.         "body": "",
  589.         "uri": "http://checkip.amazonaws.com/",
  590.         "user-agent": "",
  591.         "method": "GET",
  592.         "host": "checkip.amazonaws.com",
  593.         "version": "1.1",
  594.         "path": "/",
  595.         "data": "GET / HTTP/1.1\r\nHost: checkip.amazonaws.com\r\nConnection: Keep-Alive\r\n\r\n",
  596.         "port": 80
  597.    
  598.    
  599.         "count": 1,
  600.         "body": "",
  601.         "uri": "http://checkip.amazonaws.com/",
  602.         "user-agent": "",
  603.         "method": "GET",
  604.         "host": "checkip.amazonaws.com",
  605.         "version": "1.1",
  606.         "path": "/",
  607.         "data": "GET / HTTP/1.1\r\nHost: checkip.amazonaws.com\r\n\r\n",
  608.         "port": 80
  609.    
  610.  
  611.  
  612. * Network Communication - SMTP:
  613.  
  614. * Network Communication - Hosts:
  615.  
  616. * Network Communication - IRC: