- * ID: 894
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Exes_1381c4eafba0a330272c831d78f60dfa.exe"
- * File Size: 576000
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "ece090a78dd15d62d2135e97df60c4aadd91a47febfa871394155bf367fde6fd"
- * MD5: "1381c4eafba0a330272c831d78f60dfa"
- * SHA1: "763f07b2bbfe567cfeefabab39aca50a5e061ee4"
- * SHA512: "a4e07839d3cc27f3bcba3c1f1bba82a1a90984d752ee74930ad72ec148fd154dda29b5d328b9142a5b8790ccf1e506014d36df744d1625df9ed9cfbf065429cd"
- * CRC32: "1441EB5D"
- * SSDEEP: "6144:ijFLYna3ZqRK2CZDcdMOupj8RM6V/rBuZoE:ijFLYn0ecYdtIj8"
- * Process Execution:
- "HrpgLQTnnBCWLXm.exe",
- "powershell.exe",
- "images.exe",
- "powershell.exe",
- "cmd.exe",
- "explorer.exe",
- "services.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "taskeng.exe",
- "taskeng.exe",
- "msoia.exe",
- "msoia.exe",
- "WMIADAP.exe",
- "taskeng.exe",
- "taskeng.exe",
- "lsass.exe",
- "lsass.exe"
- * Executed Commands:
- "powershell Add-MpPreference -ExclusionPath C:\\",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
- "C:\\Windows\\system32\\DllHost.exe /Processid:AB8902B4-09CA-4BB6-B78D-A8F59079A8D5",
- "taskeng.exe D1A85936-A218-4880-B98E-1C6343DC28B9 S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe 38108F88-B76B-42EF-980A-DE405EE60CCA S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
- "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
- "taskeng.exe 73538847-DCD8-4533-A2DD-843A91504054 S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe 532C5A80-7BBA-4032-81AB-A964888EF7EB S-1-5-18:NT AUTHORITY\\System:Service:",
- "C:\\Windows\\system32\\lsass.exe",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Anomalous file deletion behavior detected (10+)",
- "Details":
- "DeletedFile": "C:\\ProgramData\\images.exe:Zone.Identifier"
- "DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2800.6127875"
- "DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2800.6127875"
- "DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2800.6127875"
- "DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\ljfpHsg.tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\xjqeeJ..tmp"
- "DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF4ff721.TMP"
- "DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.3716.5240781"
- "DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.3716.5240781"
- "DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.3716.5240781"
- "DeletedFile": "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask"
- "DeletedFile": "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan"
- "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: images.exe, pid: 3028, offset: 0x00000000, length: 0x0008ca00"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "images.exe -> C:\\Windows\\System32\\cmd.exe"
- "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
- "Description": "A scripting utility was executed",
- "Details":
- "command": "powershell Add-MpPreference -ExclusionPath C:\\"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\ProgramData\\images.exe:Zone.Identifier"
- "Description": "Code injection with CreateRemoteThread in a remote process",
- "Details":
- "Injection": "images.exe(3028) -> cmd.exe(4056)"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
- "Details":
- "Description": "Behavioural detection: Transacted Hollowing",
- "Details":
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "cmd.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
- "Process": "HrpgLQTnnBCWLXm.exe tried to sleep 1000 seconds, actually delayed analysis time by 0 seconds"
- "Process": "svchost.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
- "Process": "images.exe tried to sleep 37181 seconds, actually delayed analysis time by 0 seconds"
- "Process": "taskeng.exe tried to sleep 541 seconds, actually delayed analysis time by 0 seconds"
- "Process": "WmiPrvSE.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 8347028 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
- "data": "C:\\ProgramData\\images.exe"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "HrpgLQTnnBCWLXm.exe:1432"
- "process": "taskeng.exe:880"
- "process": "images.exe:3028"
- "process": "svchost.exe:888"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF4ff721.TMP"
- "Description": "File has been identified by 22 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.1381c4eafba0a330"
- "Cylance": "Unsafe"
- "CrowdStrike": "win/malicious_confidence_90% (D)"
- "K7GW": "Riskware ( 0040eff71 )"
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- "APEX": "Malicious"
- "Avast": "Win32:Trojan-gen"
- "Kaspersky": "Trojan-Spy.Win32.AveMaria.bvf"
- "Paloalto": "generic.ml"
- "Endgame": "malicious (high confidence)"
- "F-Secure": "Trojan.TR/AD.MortyStealer.yepni"
- "DrWeb": "Trojan.PWS.Maria.3"
- "SentinelOne": "DFI - Malicious PE"
- "Avira": "TR/AD.MortyStealer.yepni"
- "Antiy-AVL": "TrojanSpy/Win32.AveMaria"
- "ZoneAlarm": "Trojan-Spy.Win32.AveMaria.bvf"
- "Malwarebytes": "Backdoor.AveMaria"
- "Fortinet": "W32/AveMaria.BVF!tr"
- "AVG": "Win32:Trojan-gen"
- "Cybereason": "malicious.2bbfe5"
- "Panda": "Trj/GdSda.A"
- "Qihoo-360": "HEUR/QVM20.1.A46F.Malware.Gen"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\ProgramData\\images.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\ProgramData\\images.exe"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Account Name"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 User"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Account Name"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Server"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "Description": "Collects information to fingerprint the system",
- "Details":
- * Started Service:
- "VaultSvc"
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\ProgramData\\images.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZPXQ6249RQCJ26AS9S77.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
- "C:\\Users\\user\\AppData\\Local\\Microsoft Vision\\03-09-2019_18.30.48",
- "C:\\Users\\user\\AppData\\Roaming\\ljfpHsg.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\xjqeeJ..tmp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\POX8OKPOITTXA23CIZCU.temp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF4ff721.TMP",
- "\\Device\\LanmanDatagramReceiver",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- * Deleted Files:
- "C:\\ProgramData\\images.exe:Zone.Identifier",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZPXQ6249RQCJ26AS9S77.temp",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2800.6127875",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2800.6127875",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2800.6127875",
- "C:\\Users\\user\\AppData\\Roaming\\ljfpHsg.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\xjqeeJ..tmp",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF4ff721.TMP",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.3716.5240781",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.3716.5240781",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.3716.5240781",
- "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
- "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT\\inst",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.106\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.101\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.103\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.100\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.102\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.104\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\55EB258D-A9EA-4DA4-A816-2937F5A950CE\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\55EB258D-A9EA-4DA4-A816-2937F5A950CE\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\55EB258D-A9EA-4DA4-A816-2937F5A950CE\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\55EB258D-A9EA-4DA4-A816-2937F5A950CE\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D1A85936-A218-4880-B98E-1C6343DC28B9",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\38108F88-B76B-42EF-980A-DE405EE60CCA",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\73538847-DCD8-4533-A2DD-843A91504054",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\532C5A80-7BBA-4032-81AB-A964888EF7EB",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\VaultSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D1A85936-A218-4880-B98E-1C6343DC28B9\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\38108F88-B76B-42EF-980A-DE405EE60CCA\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\73538847-DCD8-4533-A2DD-843A91504054\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\532C5A80-7BBA-4032-81AB-A964888EF7EB\\data"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
- * DNS Communications:
- "type": "A",
- "request": "warzo.duckdns.org",
- "answers":
- "data": "23.105.131.202",
- "type": "A"
- * Domains:
- "ip": "23.105.131.202",
- "domain": "warzo.duckdns.org"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "23.105.131.202",
- "inaddrarpa": "",
- "hostname": "warzo.duckdns.org"
- * Network Communication - IRC: