1
2* ID: 3972
3* MalFamily: "Pony"
4
5* MalScore: 10.0
6
7* File Name: "Pony_5696ed340881adf8a7b1065843743ff4.exe"
8* File Size: 114688
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "b626e400af5c8ebb99ce887366b945bdcd9ee8c7f2db2f383fbc7bd4a34e0a7d"
11* MD5: "5696ed340881adf8a7b1065843743ff4"
12* SHA1: "c697f9e18610068ec9a5fcd9a30f1c5bf6122087"
13* SHA512: "7b3fe8f491c6e65961e3f53160513ed894846a2689e178ed80349534ce26613a465560cbf4e00fe3f01d5a31e2b2f88a313b600ce6e95b2c0bfc3b6df26fd762"
14* CRC32: "96E4CFAF"
15* SSDEEP: "3072:sgoUi2oTUfaX5LGN/HwXfqIEPQGc2O+Trpk9:EcoYSJiwXyTO"
16
17* Process Execution:
18 "B8z0n7ZfyzLuH.exe",
19 "cmd.exe",
20 "cmd.exe",
21 "services.exe",
22 "lsass.exe"
23
24
25* Executed Commands:
26 "cmd /K",
27 "\"C:\\Users\\user\\AppData\\Local\\Temp\\19987859.bat\" \"C:\\Users\\user\\AppData\\Local\\Temp\\B8z0n7ZfyzLuH.exe\"",
28 "C:\\Users\\user\\AppData\\Local\\Temp\\19987859.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\B8z0n7ZfyzLuH.exe\"",
29 "C:\\Windows\\system32\\lsass.exe"
30
31
32* Signatures Detected:
33
34 "Description": "Behavioural detection: Executable code extraction",
35 "Details":
36
37
38 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
39 "Details":
40
41
42 "Description": "Creates RWX memory",
43 "Details":
44
45
46 "Description": "Possible date expiration check, exits too soon after checking local time",
47 "Details":
48
49 "process": "B8z0n7ZfyzLuH.exe, PID 1428"
50
51
52
53
54 "Description": "A process created a hidden window",
55 "Details":
56
57 "Process": "B8z0n7ZfyzLuH.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\19987859.bat"
58
59
60
61
62 "Description": "Uses Windows utilities for basic functionality",
63 "Details":
64
65 "command": "cmd /K"
66
67
68 "command": "C:\\Users\\user\\AppData\\Local\\Temp\\19987859.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\B8z0n7ZfyzLuH.exe\""
69
70
71
72
73 "Description": "Deletes its original binary from disk",
74 "Details":
75
76
77 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
78 "Details":
79
80 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 2433460 times"
81
82
83
84
85 "Description": "Steals private information from local Internet browsers",
86 "Details":
87
88 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal"
89
90
91 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
92
93
94 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal"
95
96
97 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
98
99
100
101
102 "Description": "Exhibits behavior characteristic of Pony malware",
103 "Details":
104
105 "C2": "http://colibrindit.com/mlu/forum.php"
106
107
108
109
110 "Description": "Collects information about installed applications",
111 "Details":
112
113 "Program": "Google Update Helper"
114
115
116 "Program": "Microsoft Excel MUI 2013"
117
118
119 "Program": "Adobe Acrobat Reader DC"
120
121
122
123
124 "Program": "Google Chrome"
125
126
127 "Program": "Adobe Flash Player 29 NPAPI"
128
129
130 "Program": "Adobe Flash Player 29 ActiveX"
131
132
133 "Program": "Microsoft DCF MUI 2013"
134
135
136 "Program": "Microsoft Access MUI 2013"
137
138
139 "Program": "Microsoft Office Proofing Tools 2013 - English"
140
141
142 "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xef\\xbf\\xb1ol"
143
144
145 "Program": "Microsoft Publisher MUI 2013"
146
147
148 "Program": "Outils de v\\xef\\xbf\\xa9rification linguistique 2013 de Microsoft Office\\xef\\xbe\\xa0- Fran\\xef\\xbf\\xa7ais"
149
150
151 "Program": "Microsoft Office Shared MUI 2013"
152
153
154 "Program": "Microsoft Office OSM MUI 2013"
155
156
157 "Program": "Microsoft InfoPath MUI 2013"
158
159
160 "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
161
162
163 "Program": "Microsoft Word MUI 2013"
164
165
166 "Program": "Microsoft Groove MUI 2013"
167
168
169
170
171 "Program": "Microsoft Access Setup Metadata MUI 2013"
172
173
174 "Program": "Microsoft Office OSM UX MUI 2013"
175
176
177 "Program": "Microsoft PowerPoint MUI 2013"
178
179
180 "Program": "Microsoft Office Professional Plus 2013"
181
182
183 "Program": "Adobe Refresh Manager"
184
185
186 "Program": "Microsoft Office Proofing 2013"
187
188
189 "Program": "Microsoft Lync MUI 2013"
190
191
192
193
194 "Program": "Microsoft OneNote MUI 2013"
195
196
197
198
199 "Description": "File has been identified by 42 Antiviruses on VirusTotal as malicious",
200 "Details":
201
202 "MicroWorld-eScan": "Trojan.GenericKD.41571713"
203
204
205 "FireEye": "Generic.mg.5696ed340881adf8"
206
207
208 "CAT-QuickHeal": "TrojanPWS.Fareit"
209
210
211 "McAfee": "RDN/Generic PWS.y"
212
213
214 "Cylance": "Unsafe"
215
216
217 "K7AntiVirus": "Password-Stealer ( 003bbfec1 )"
218
219
220 "Alibaba": "TrojanPSW:Win32/Fareit.3e6b0a6e"
221
222
223 "K7GW": "Password-Stealer ( 003bbfec1 )"
224
225
226 "Cybereason": "malicious.186100"
227
228
229 "Arcabit": "Trojan.Generic.D27A5581"
230
231
232 "TrendMicro": "TROJ_GEN.R002C0WHF19"
233
234
235 "Symantec": "ML.Attribute.HighConfidence"
236
237
238 "APEX": "Malicious"
239
240
241 "Avast": "Win32:Trojan-gen"
242
243
244 "Kaspersky": "Trojan-PSW.Win32.Fareit.fboj"
245
246
247 "BitDefender": "Trojan.GenericKD.41571713"
248
249
250 "Paloalto": "generic.ml"
251
252
253 "AegisLab": "Trojan.Win32.Fareit.i!c"
254
255
256 "Endgame": "malicious (high confidence)"
257
258
259 "Sophos": "Mal/Generic-S"
260
261
262 "Comodo": "Malware@#1b68gwy8cpp6h"
263
264
265 "VIPRE": "Win32.Malware!Drop"
266
267
268 "Invincea": "heuristic"
269
270
271 "McAfee-GW-Edition": "RDN/Generic PWS.y"
272
273
274 "Emsisoft": "Trojan.GenericKD.41571713 (B)"
275
276
277 "SentinelOne": "DFI - Suspicious PE"
278
279
280 "Cyren": "W32/Trojan.RUZI-0228"
281
282
283 "Antiy-AVL": "TrojanPSW/Win32.Fareit"
284
285
286 "Microsoft": "Trojan:Win32/Bluteal!rfn"
287
288
289 "ZoneAlarm": "Trojan-PSW.Win32.Fareit.fboj"
290
291
292 "GData": "Trojan.GenericKD.41571713"
293
294
295 "VBA32": "BScope.TrojanDownloader.Deyma"
296
297
298 "ALYac": "Trojan.GenericKD.41571713"
299
300
301 "Ad-Aware": "Trojan.GenericKD.41571713"
302
303
304 "ESET-NOD32": "Win32/PSW.Fareit.A"
305
306
307 "TrendMicro-HouseCall": "TROJ_GEN.R002C0WHF19"
308
309
310 "Rising": "Trojan.Generic@ML.93 (RDMK:U85iQi4dM9ATVwJsd3K+fg)"
311
312
313 "Fortinet": "W32/Fareit.A!tr.pws"
314
315
316 "AVG": "Win32:Trojan-gen"
317
318
319 "Panda": "Trj/GdSda.A"
320
321
322 "CrowdStrike": "win/malicious_confidence_90% (W)"
323
324
325 "Qihoo-360": "Win32/Trojan.PSW.9da"
326
327
328
329
330 "Description": "Harvests credentials from local FTP client softwares",
331 "Details":
332
333 "file": "C:\\Program Files (x86)\\CuteFTP\\sm.dat"
334
335
336 "file": "C:\\Users\\user\\AppData\\Local\\CuteFTP\\sm.dat"
337
338
339 "file": "C:\\Users\\user\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat"
340
341
342 "file": "C:\\Users\\user\\AppData\\Roaming\\CuteFTP\\sm.dat"
343
344
345 "file": "C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat"
346
347
348 "file": "C:\\ProgramData\\CuteFTP\\sm.dat"
349
350
351 "file": "C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat"
352
353
354 "file": "C:\\Users\\user\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat"
355
356
357 "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\4\\Sites.dat"
358
359
360 "file": "C:\\ProgramData\\FlashFXP\\3\\Sites.dat"
361
362
363 "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\3\\Sites.dat"
364
365
366 "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\4\\Sites.dat"
367
368
369 "file": "C:\\ProgramData\\FlashFXP\\4\\Sites.dat"
370
371
372 "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\3\\Sites.dat"
373
374
375 "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\3\\Quick.dat"
376
377
378 "file": "C:\\ProgramData\\FlashFXP\\4\\Quick.dat"
379
380
381 "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\4\\Quick.dat"
382
383
384 "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\4\\Quick.dat"
385
386
387 "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\3\\Quick.dat"
388
389
390 "file": "C:\\ProgramData\\FlashFXP\\3\\Quick.dat"
391
392
393 "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\sitemanager.xml"
394
395
396 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
397
398
399 "file": "C:\\ProgramData\\FileZilla\\sitemanager.xml"
400
401
402 "file": "C:\\ProgramData\\FileZilla\\recentservers.xml"
403
404
405 "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\recentservers.xml"
406
407
408 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
409
410
411 "file": "C:\\Users\\user\\AppData\\Local\\VanDyke\\Config\\Sessions\\*.*"
412
413
414 "file": "C:\\Users\\user\\AppData\\Roaming\\VanDyke\\Config\\Sessions\\*.*"
415
416
417 "file": "C:\\ProgramData\\VanDyke\\Config\\Sessions\\*.*"
418
419
420 "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\*.*"
421
422
423 "file": "C:\\Users\\user\\AppData\\Local\\SmartFTP\\*.*"
424
425
426 "file": "C:\\ProgramData\\SmartFTP\\*.*"
427
428
429 "file": "C:\\Program Files (x86)\\Common Files\\Ipswitch\\WS_FTP\\*.*"
430
431
432 "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar"
433
434
435 "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 9\\QCToolbar"
436
437
438 "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar"
439
440
441 "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar"
442
443
444 "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar"
445
446
447 "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar"
448
449
450 "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar"
451
452
453 "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Windows Commander"
454
455
456 "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Windows Commander"
457
458
459 "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
460
461
462 "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Total Commander"
463
464
465 "key": "HKEY_CURRENT_USER\\Software\\BPFTP\\Bullet Proof FTP\\Options"
466
467
468 "key": "HKEY_CURRENT_USER\\Software\\BPFTP\\Bullet Proof FTP\\Main"
469
470
471 "key": "HKEY_CURRENT_USER\\Software\\FileZilla"
472
473
474 "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla"
475
476
477 "key": "HKEY_CURRENT_USER\\Software\\FileZilla Client"
478
479
480 "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla Client"
481
482
483 "key": "HKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites"
484
485
486 "key": "HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client\\Main"
487
488
489 "key": "HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client\\Options"
490
491
492
493
494 "Description": "Harvests information related to installed mail clients",
495 "Details":
496
497 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
498
499
500 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings"
501
502
503 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Port"
504
505
506 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
507
508
509 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
510
511
512 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
513
514
515 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\NNTP User Name"
516
517
518 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password2"
519
520
521 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTPMail Server"
522
523
524 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
525
526
527 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Port"
528
529
530 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTPMail Password2"
531
532
533 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Server URL"
534
535
536 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP User"
537
538
539 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
540
541
542 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\NNTP Password2"
543
544
545 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTPMail Password2"
546
547
548 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
549
550
551 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
552
553
554 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Server"
555
556
557 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Email Address"
558
559
560 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
561
562
563 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Server"
564
565
566 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Port"
567
568
569 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Port"
570
571
572 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP User"
573
574
575 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password2"
576
577
578 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\NNTP Password"
579
580
581 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
582
583
584 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Port"
585
586
587 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
588
589
590 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
591
592
593 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
594
595
596 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTPMail User Name"
597
598
599 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
600
601
602 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
603
604
605 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Server"
606
607
608 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\NNTP Email Address"
609
610
611 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
612
613
614 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\NNTP User Name"
615
616
617 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP User Name"
618
619
620 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\NNTP Password"
621
622
623 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
624
625
626 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP User Name"
627
628
629 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP User"
630
631
632 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 User"
633
634
635 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
636
637
638 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP User"
639
640
641 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
642
643
644 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
645
646
647 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 User Name"
648
649
650 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\NNTP Server"
651
652
653 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
654
655
656 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP User"
657
658
659 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTPMail Server"
660
661
662 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Server"
663
664
665 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password2"
666
667
668 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password2"
669
670
671 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
672
673
674 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 User"
675
676
677 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password2"
678
679
680 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\NNTP Server"
681
682
683 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Server"
684
685
686 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\NNTP Email Address"
687
688
689 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\NNTP Password2"
690
691
692 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
693
694
695 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password2"
696
697
698 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Email Address"
699
700
701 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP User Name"
702
703
704 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 User Name"
705
706
707 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Server URL"
708
709
710 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
711
712
713 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTPMail User Name"
714
715
716 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
717
718
719 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Port"
720
721
722 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
723
724
725 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP User Name"
726
727
728 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
729
730
731 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
732
733
734 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
735
736
737 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Server"
738
739
740 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP User"
741
742
743 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
744
745
746 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
747
748
749 "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
750
751
752
753
754
755* Started Service:
756 "VaultSvc"
757
758
759* Mutexes:
760 "DBWinMutex",
761 "Local\\mtxLogMeInIgnition.IgnitionMutex",
762 "Local\\_!MSFTHISTORY!_",
763 "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
764 "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
765 "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!"
766
767
768* Modified Files:
769 "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
770 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
771 "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
772 "\\??\\PIPE\\samr",
773 "C:\\Users\\user\\AppData\\Local\\Temp\\19987859.bat",
774 "C:\\Windows\\sysnative\\LogFiles\\Scm\\4a22d9e6-41c5-44a8-884c-bb44c9a6b4c2"
775
776
777* Deleted Files:
778 "C:\\Users\\user\\AppData\\Local\\Temp\\B8z0n7ZfyzLuH.exe",
779 "C:\\Users\\user\\AppData\\Local\\Temp\\19987859.bat"
780
781
782* Modified Registry Keys:
783 "HKEY_CURRENT_USER\\Software\\WinRAR",
784 "HKEY_CURRENT_USER\\Software\\WinRAR\\HWID"
785
786
787* Deleted Registry Keys:
788
789* DNS Communications:
790
791 "type": "A",
792 "request": "colibrindit.com",
793 "answers":
794
795
796
797* Domains:
798
799 "ip": "46.148.21.50",
800 "domain": "colibrindit.com"
801
802
803
804* Network Communication - ICMP:
805
806* Network Communication - HTTP:
807
808* Network Communication - SMTP:
809
810* Network Communication - Hosts:
811
812* Network Communication - IRC: