paladin316

Exes_b387816ee869fe5a8cfcd6ef4dd46c23_exe_2019-08-27_19_30.txt

Aug 27th, 2019
  1.  
  2. * MalFamily: "AutoIT"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_b387816ee869fe5a8cfcd6ef4dd46c23.exe"
  7. * File Size: 805888
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
  9. * SHA256: "a402b91d84f226b0cbbe9c5f4fd8e079ace27a8dc66047d6e10685462e2b26bf"
  10. * MD5: "b387816ee869fe5a8cfcd6ef4dd46c23"
  11. * SHA1: "1c2cbe88597f8b0893abfc2e11c63e8d56bb75a4"
  12. * SHA512: "cb4e2a5482455a3033a43dc319dd1771b88e31c071729bfa1ede057326a09ff308daf0b1a7e4c0a64327c617473efbaa1758686ea0be19315925ae793b133808"
  13. * CRC32: "47BBBFB1"
  14. * SSDEEP: "12288:gXe9PPlowWX0t6mOQwg1Qd15CcYk0We1HJkeJ8fer6tgEyU9jSXdzFBEmzha9MR2:9hloDX0XOf4seWfZtgEohMMRC/B"
  15.  
  16. * Process Execution:
  17. "tslCJf.exe",
  18. "cmd.exe",
  19. "schtasks.exe",
  20. "wscript.exe",
  21. "svchost.exe",
  22. "WmiPrvSE.exe",
  23. "explorer.exe",
  24. "cmd.exe",
  25. "svchost.exe",
  26. "taskeng.exe",
  27. "taskeng.exe",
  28. "msoia.exe",
  29. "msoia.exe",
  30. "taskeng.exe",
  31. "taskeng.exe",
  32. "WMIADAP.exe",
  33. "taskhost.exe"
  34.  
  35.  
  36. * Executed Commands:
  37. "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn GCWGGK.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe /sc minute /mo 1",
  38. "WSCript C:\\Users\\user\\AppData\\Local\\Temp\\GCWGGK.vbs",
  39. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  40. "C:\\Windows\\system32\\DllHost.exe /Processid:AB8902B4-09CA-4BB6-B78D-A8F59079A8D5",
  41. "schtasks /create /tn GCWGGK.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe /sc minute /mo 1",
  42. "\"C:\\Users\\user\\AppData\\Local\\Temp\\tslCJf.exe\"",
  43. "C:\\Users\\user\\AppData\\Local\\Temp\\tslCJf.exe ",
  44. "taskeng.exe FEB62FD4-1C1D-45E8-946A-9AA5085B45BB S-1-5-18:NT AUTHORITY\\System:Service:",
  45. "taskeng.exe C34C0583-B73E-4BF1-AA7F-CD741EFE824D S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
  46. "taskeng.exe 996AA9D0-EAB8-491E-954D-9CD5AC2F08F6 S-1-5-18:NT AUTHORITY\\System:Service:",
  47. "taskeng.exe CAB5771A-AB87-4C98-A6EF-CE7502A312F1 S-1-5-18:NT AUTHORITY\\System:Service:",
  48. "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
  49. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
  50. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
  51.  
  52.  
  53. * Signatures Detected:
  54.  
  55. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  56. "Details":
  57.  
  58.  
  59. "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
  60. "Details":
  61.  
  62. "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn GCWGGK.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe /sc minute /mo 1"
  63.  
  64.  
  65.  
  66.  
  67. "Description": "Creates RWX memory",
  68. "Details":
  69.  
  70.  
  71. "Description": "Detected script timer window indicative of sleep style evasion",
  72. "Details":
  73.  
  74. "Window": "WSH-Timer"
  75.  
  76.  
  77.  
  78.  
  79. "Description": "Expresses interest in specific running processes",
  80. "Details":
  81.  
  82. "process": "wscript.exe"
  83.  
  84.  
  85.  
  86.  
  87. "Description": "Reads data out of its own binary image",
  88. "Details":
  89.  
  90. "self_read": "process: tslCJf.exe, pid: 1528, offset: 0x00000000, length: 0x00010000"
  91.  
  92.  
  93. "self_read": "process: tslCJf.exe, pid: 1528, offset: 0x00000000, length: 0x000c4c00"
  94.  
  95.  
  96. "self_read": "process: wscript.exe, pid: 1108, offset: 0x00000000, length: 0x00000040"
  97.  
  98.  
  99. "self_read": "process: wscript.exe, pid: 1108, offset: 0x000000f0, length: 0x00000018"
  100.  
  101.  
  102. "self_read": "process: wscript.exe, pid: 1108, offset: 0x000001e8, length: 0x00000078"
  103.  
  104.  
  105. "self_read": "process: wscript.exe, pid: 1108, offset: 0x00018000, length: 0x00000020"
  106.  
  107.  
  108. "self_read": "process: wscript.exe, pid: 1108, offset: 0x00018058, length: 0x00000018"
  109.  
  110.  
  111. "self_read": "process: wscript.exe, pid: 1108, offset: 0x000181a8, length: 0x00000018"
  112.  
  113.  
  114. "self_read": "process: wscript.exe, pid: 1108, offset: 0x00018470, length: 0x00000010"
  115.  
  116.  
  117. "self_read": "process: wscript.exe, pid: 1108, offset: 0x00018640, length: 0x00000012"
  118.  
  119.  
  120.  
  121.  
  122. "Description": "The binary likely contains encrypted or compressed data.",
  123. "Details":
  124.  
  125. "section": "name: UPX1, entropy: 7.94, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00054400, virtual_size: 0x00055000"
  126.  
  127.  
  128. "section": "name: .rsrc, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00070400, virtual_size: 0x00071000"
  129.  
  130.  
  131.  
  132.  
  133. "Description": "The executable is compressed using UPX",
  134. "Details":
  135.  
  136. "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x000f3000"
  137.  
  138.  
  139.  
  140.  
  141. "Description": "A scripting utility was executed",
  142. "Details":
  143.  
  144. "command": "WSCript C:\\Users\\user\\AppData\\Local\\Temp\\GCWGGK.vbs"
  145.  
  146.  
  147.  
  148.  
  149. "Description": "Uses Windows utilities for basic functionality",
  150. "Details":
  151.  
  152. "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn GCWGGK.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe /sc minute /mo 1"
  153.  
  154.  
  155. "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn GCWGGK.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe /sc minute /mo 1"
  156.  
  157.  
  158. "command": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn GCWGGK.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe /sc minute /mo 1"
  159.  
  160.  
  161. "command": "schtasks /create /tn GCWGGK.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe /sc minute /mo 1"
  162.  
  163.  
  164. "command": "schtasks /create /tn GCWGGK.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe /sc minute /mo 1"
  165.  
  166.  
  167. "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
  168.  
  169.  
  170.  
  171.  
  172. "Description": "Sniffs keystrokes",
  173. "Details":
  174.  
  175. "SetWindowsHookExW": "Process: explorer.exe(2044)"
  176.  
  177.  
  178.  
  179.  
  180. "Description": "A process attempted to delay the analysis task by a long amount of time.",
  181. "Details":
  182.  
  183. "Process": "wscript.exe tried to sleep 2160 seconds, actually delayed analysis time by 0 seconds"
  184.  
  185.  
  186. "Process": "taskeng.exe tried to sleep 670 seconds, actually delayed analysis time by 0 seconds"
  187.  
  188.  
  189. "Process": "svchost.exe tried to sleep 375 seconds, actually delayed analysis time by 0 seconds"
  190.  
  191.  
  192. "Process": "WmiPrvSE.exe tried to sleep 1680 seconds, actually delayed analysis time by 0 seconds"
  193.  
  194.  
  195.  
  196.  
  197. "Description": "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config",
  198. "Details":
  199.  
  200. "regkeyval": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2\\ProgramsCache"
  201.  
  202.  
  203.  
  204.  
  205. "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
  206. "Details":
  207.  
  208. "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  209.  
  210.  
  211.  
  212.  
  213. "Description": "Installs itself for autorun at Windows startup",
  214. "Details":
  215.  
  216. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GCWGGK"
  217.  
  218.  
  219. "data": "\"C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe\""
  220.  
  221.  
  222. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\GCWGGK.lnk"
  223.  
  224.  
  225. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\GCWGGK.lnk"
  226.  
  227.  
  228. "task": "C:\\Windows\\system32\\cmd.exe /c schtasks /create /tn GCWGGK.exe /tr C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe /sc minute /mo 1"
  229.  
  230.  
  231.  
  232.  
  233. "Description": "File has been identified by 45 Antiviruses on VirusTotal as malicious",
  234. "Details":
  235.  
  236. "MicroWorld-eScan": "Trojan.GenericKD.32294281"
  237.  
  238.  
  239. "FireEye": "Generic.mg.b387816ee869fe5a"
  240.  
  241.  
  242. "CAT-QuickHeal": "Trojanspy.Powershell"
  243.  
  244.  
  245. "McAfee": "RDN/Generic PWS.y"
  246.  
  247.  
  248. "K7AntiVirus": "Trojan ( 00479c481 )"
  249.  
  250.  
  251. "Alibaba": "TrojanSpy:PowerShell/KeyLogger.8458d687"
  252.  
  253.  
  254. "K7GW": "Trojan ( 00479c481 )"
  255.  
  256.  
  257. "Cybereason": "malicious.ee869f"
  258.  
  259.  
  260. "Arcabit": "Trojan.Generic.D1ECC589"
  261.  
  262.  
  263. "Invincea": "heuristic"
  264.  
  265.  
  266. "Cyren": "W32/Trojan.QJEI-9092"
  267.  
  268.  
  269. "Symantec": "Trojan.Gen.MBT"
  270.  
  271.  
  272. "APEX": "Malicious"
  273.  
  274.  
  275. "Avast": "Win32:Trojan-gen"
  276.  
  277.  
  278. "Kaspersky": "Trojan-Spy.PowerShell.KeyLogger.c"
  279.  
  280.  
  281. "BitDefender": "Trojan.GenericKD.32294281"
  282.  
  283.  
  284. "NANO-Antivirus": "Trojan.Win32.PowerShell.fwhrtd"
  285.  
  286.  
  287. "Paloalto": "generic.ml"
  288.  
  289.  
  290. "AegisLab": "Trojan.PowerShell.KeyLogger.l!c"
  291.  
  292.  
  293. "Ad-Aware": "Trojan.GenericKD.32294281"
  294.  
  295.  
  296. "Emsisoft": "Trojan.GenericKD.32294281 (B)"
  297.  
  298.  
  299. "Comodo": "Malware@#2yjl3lbd7o9ej"
  300.  
  301.  
  302. "F-Secure": "Trojan.TR/Autoit.nncwn"
  303.  
  304.  
  305. "TrendMicro": "TROJ_GEN.R002C0PHM19"
  306.  
  307.  
  308. "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.bc"
  309.  
  310.  
  311. "Sophos": "Mal/Generic-S"
  312.  
  313.  
  314. "Ikarus": "Trojan.Win32.Autoit"
  315.  
  316.  
  317. "Avira": "TR/Autoit.nncwn"
  318.  
  319.  
  320. "Microsoft": "Trojan:Win32/Skeeyah.A!MTB"
  321.  
  322.  
  323. "ViRobot": "Trojan.Win32.Z.Nymeria.805888"
  324.  
  325.  
  326. "ZoneAlarm": "Trojan-Spy.PowerShell.KeyLogger.c"
  327.  
  328.  
  329. "GData": "Trojan.GenericKD.32294281"
  330.  
  331.  
  332. "AhnLab-V3": "Malware/Win32.RL_Generic.R264020"
  333.  
  334.  
  335. "Acronis": "suspicious"
  336.  
  337.  
  338. "VBA32": "Trojan.Autoit.F"
  339.  
  340.  
  341. "ALYac": "Trojan.GenericKD.32294281"
  342.  
  343.  
  344. "MAX": "malware (ai score=87)"
  345.  
  346.  
  347. "Cylance": "Unsafe"
  348.  
  349.  
  350. "ESET-NOD32": "a variant of Win32/Autoit.DB"
  351.  
  352.  
  353. "TrendMicro-HouseCall": "TROJ_GEN.R002C0PHM19"
  354.  
  355.  
  356. "Fortinet": "AutoIt/Agent.DB!tr"
  357.  
  358.  
  359. "AVG": "Win32:Trojan-gen"
  360.  
  361.  
  362. "Panda": "Trj/CI.A"
  363.  
  364.  
  365. "CrowdStrike": "win/malicious_confidence_90% (W)"
  366.  
  367.  
  368. "Qihoo-360": "Win32/Trojan.Spy.0cc"
  369.  
  370.  
  371.  
  372.  
  373. "Description": "Creates a copy of itself",
  374. "Details":
  375.  
  376. "copy": "C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe"
  377.  
  378.  
  379.  
  380.  
  381.  
  382. * Started Service:
  383.  
  384. * Mutexes:
  385. "Local\\ZoneAttributeCacheCounterMutex",
  386. "Local\\ZonesCacheCounterMutex",
  387. "Local\\ZonesLockedCacheCounterMutex",
  388. "Global\\ADAP_WMI_ENTRY",
  389. "Global\\RefreshRA_Mutex",
  390. "Global\\RefreshRA_Mutex_Lib",
  391. "Global\\RefreshRA_Mutex_Flag"
  392.  
  393.  
  394. * Modified Files:
  395. "C:\\Users\\user\\AppData\\Roaming\\Windata\\wintaskhost.exe",
  396. "\\??\\PIPE\\srvsvc",
  397. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\GCWGGK.lnk",
  398. "C:\\Users\\user\\AppData\\Local\\Temp\\GCWGGK.vbs",
  399. "\\Device\\LanmanDatagramReceiver",
  400. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  401. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  402. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  403.  
  404.  
  405. * Deleted Files:
  406. "C:\\Windows\\Tasks\\GCWGGK.exe.job",
  407. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  408.  
  409.  
  410. * Modified Registry Keys:
  411. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GCWGGK",
  412. "HKEY_CURRENT_USER\\Software\\Win32",
  413. "HKEY_CURRENT_USER\\Software\\Win32\\GCWGGK",
  414. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2\\ProgramsCache",
  415. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\S38OS404-1Q43-42S2-9305-67QR0O28SP23\\rkcybere.rkr",
  416. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
  417. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
  418. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
  419. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  420. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  421. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A71AA3D4-1416-49E7-950B-7E87D9A77745\\Path",
  422. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A71AA3D4-1416-49E7-950B-7E87D9A77745\\Hash",
  423. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\GCWGGK.exe\\Id",
  424. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\GCWGGK.exe\\Index",
  425. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A71AA3D4-1416-49E7-950B-7E87D9A77745\\Triggers",
  426. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A71AA3D4-1416-49E7-950B-7E87D9A77745\\DynamicInfo",
  427. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
  428. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\FEB62FD4-1C1D-45E8-946A-9AA5085B45BB",
  429. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
  430. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C34C0583-B73E-4BF1-AA7F-CD741EFE824D",
  431. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
  432. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\996AA9D0-EAB8-491E-954D-9CD5AC2F08F6",
  433. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\CAB5771A-AB87-4C98-A6EF-CE7502A312F1",
  434. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\FEB62FD4-1C1D-45E8-946A-9AA5085B45BB\\data",
  435. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C34C0583-B73E-4BF1-AA7F-CD741EFE824D\\data",
  436. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\996AA9D0-EAB8-491E-954D-9CD5AC2F08F6\\data",
  437. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\CAB5771A-AB87-4C98-A6EF-CE7502A312F1\\data"
  438.  
  439.  
  440. * Deleted Registry Keys:
  441. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
  442. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey",
  443. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  444. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  445. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  446. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  447. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\GCWGGK.exe.job",
  448. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\GCWGGK.exe.job.fp"
  449.  
  450.  
  451. * DNS Communications:
  452.  
  453. "type": "A",
  454. "request": "plunder.nsupdate.info",
  455. "answers":
  456.  
  457. "data": "79.134.225.71",
  458. "type": "A"
  459.  
  460.  
  461.  
  462.  
  463.  
  464. * Domains:
  465.  
  466. "ip": "79.134.225.71",
  467. "domain": "plunder.nsupdate.info"
  468.  
  469.  
  470.  
  471. * Network Communication - ICMP:
  472.  
  473. * Network Communication - HTTP:
  474.  
  475. * Network Communication - SMTP:
  476.  
  477. * Network Communication - Hosts:
  478.  
  479. "country_name": "Switzerland",
  480. "ip": "79.134.225.71",
  481. "inaddrarpa": "",
  482. "hostname": "plunder.nsupdate.info"
  483.  
  484.  
  485.  
  486. * Network Communication - IRC: