· 6 years ago · Sep 04, 2019, 12:56 AM
ID: 894
MalFamily: "Malicious"
MalScore: 10.0

File Name: "Exes_1381c4eafba0a330272c831d78f60dfa.exe"
File Size: 576000
File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
SHA256: "ece090a78dd15d62d2135e97df60c4aadd91a47febfa871394155bf367fde6fd"
MD5: "1381c4eafba0a330272c831d78f60dfa"
SHA1: "763f07b2bbfe567cfeefabab39aca50a5e061ee4"
SHA512: "a4e07839d3cc27f3bcba3c1f1bba82a1a90984d752ee74930ad72ec148fd154dda29b5d328b9142a5b8790ccf1e506014d36df744d1625df9ed9cfbf065429cd"
CRC32: "1441EB5D"
SSDEEP: "6144:ijFLYna3ZqRK2CZDcdMOupj8RM6V/rBuZoE:ijFLYn0ecYdtIj8"

Process Execution:
"HrpgLQTnnBCWLXm.exe",
"powershell.exe",
"images.exe",
"powershell.exe",
"cmd.exe",
"explorer.exe",
"services.exe",
"svchost.exe",
"WmiPrvSE.exe",
"svchost.exe",
"taskeng.exe",
"taskeng.exe",
"msoia.exe",
"msoia.exe",
"WMIADAP.exe",
"taskeng.exe",
"taskeng.exe",
"lsass.exe",
"lsass.exe"

Executed Commands:
"powershell Add-MpPreference -ExclusionPath C:\\",
"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"C:\\Windows\\system32\\DllHost.exe /Processid:AB8902B4-09CA-4BB6-B78D-A8F59079A8D5",
"taskeng.exe D1A85936-A218-4880-B98E-1C6343DC28B9 S-1-5-18:NT AUTHORITY\\System:Service:",
"taskeng.exe 38108F88-B76B-42EF-980A-DE405EE60CCA S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
"\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
"taskeng.exe 73538847-DCD8-4533-A2DD-843A91504054 S-1-5-18:NT AUTHORITY\\System:Service:",
"taskeng.exe 532C5A80-7BBA-4032-81AB-A964888EF7EB S-1-5-18:NT AUTHORITY\\System:Service:",
"C:\\Windows\\system32\\lsass.exe",
"\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
"\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
"\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"

Signatures Detected:

"Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
"Details":

"Description": "Behavioural detection: Executable code extraction",
"Details":

"Description": "Anomalous file deletion behavior detected (10+)",
"Details":
"DeletedFile": "C:\\ProgramData\\images.exe:Zone.Identifier"
"DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2800.6127875"
"DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2800.6127875"
"DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2800.6127875"
"DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\ljfpHsg.tmp"
"DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\xjqeeJ..tmp"
"DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF4ff721.TMP"
"DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.3716.5240781"
"DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.3716.5240781"
"DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.3716.5240781"
"DeletedFile": "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask"
"DeletedFile": "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan"
"DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"

"Description": "Guard pages use detected - possible anti-debugging.",
"Details":

"Description": "Reads data out of its own binary image",
"Details":
"self_read": "process: images.exe, pid: 3028, offset: 0x00000000, length: 0x0008ca00"

"Description": "A process created a hidden window",
"Details":
"Process": "images.exe -> C:\\Windows\\System32\\cmd.exe"
"Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"

"Description": "A scripting utility was executed",
"Details":
"command": "powershell Add-MpPreference -ExclusionPath C:\\"

"Description": "Uses Windows utilities for basic functionality",
"Details":
"command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""

"Description": "Attempts to remove evidence of file being downloaded from the Internet",
"Details":
"file": "C:\\ProgramData\\images.exe:Zone.Identifier"

"Description": "Code injection with CreateRemoteThread in a remote process",
"Details":
"Injection": "images.exe(3028) -> cmd.exe(4056)"

"Description": "Behavioural detection: Injection (inter-process)",
"Details":

"Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
"Details":

"Description": "Behavioural detection: Transacted Hollowing",
"Details":

"Description": "A process attempted to delay the analysis task by a long amount of time.",
"Details":
"Process": "cmd.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
"Process": "HrpgLQTnnBCWLXm.exe tried to sleep 1000 seconds, actually delayed analysis time by 0 seconds"
"Process": "svchost.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
"Process": "images.exe tried to sleep 37181 seconds, actually delayed analysis time by 0 seconds"
"Process": "taskeng.exe tried to sleep 541 seconds, actually delayed analysis time by 0 seconds"
"Process": "WmiPrvSE.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds"

"Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
"Details":
"Spam": "services.exe (500) called API GetSystemTimeAsFileTime 8347028 times"

"Description": "Steals private information from local Internet browsers",
"Details":
"file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"

"Description": "Installs itself for autorun at Windows startup",
"Details":
"key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images"
"data": "C:\\ProgramData\\images.exe"

"Description": "Stack pivoting was detected when using a critical API",
"Details":
"process": "HrpgLQTnnBCWLXm.exe:1432"
"process": "taskeng.exe:880"
"process": "images.exe:3028"
"process": "svchost.exe:888"

"Description": "Creates a hidden or system file",
"Details":
"file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF4ff721.TMP"

"Description": "File has been identified by 22 Antiviruses on VirusTotal as malicious",
"Details":
"FireEye": "Generic.mg.1381c4eafba0a330"
"Cylance": "Unsafe"
"CrowdStrike": "win/malicious_confidence_90% (D)"
"K7GW": "Riskware ( 0040eff71 )"
"K7AntiVirus": "Riskware ( 0040eff71 )"
"APEX": "Malicious"
"Avast": "Win32:Trojan-gen"
"Kaspersky": "Trojan-Spy.Win32.AveMaria.bvf"
"Paloalto": "generic.ml"
"Endgame": "malicious (high confidence)"
"F-Secure": "Trojan.TR/AD.MortyStealer.yepni"
"DrWeb": "Trojan.PWS.Maria.3"
"SentinelOne": "DFI - Malicious PE"
"Avira": "TR/AD.MortyStealer.yepni"
"Antiy-AVL": "TrojanSpy/Win32.AveMaria"
"ZoneAlarm": "Trojan-Spy.Win32.AveMaria.bvf"
"Malwarebytes": "Backdoor.AveMaria"
"Fortinet": "W32/AveMaria.BVF!tr"
"AVG": "Win32:Trojan-gen"
"Cybereason": "malicious.2bbfe5"
"Panda": "Trj/GdSda.A"
"Qihoo-360": "HEUR/QVM20.1.A46F.Malware.Gen"

"Description": "Creates a copy of itself",
"Details":
"copy": "C:\\ProgramData\\images.exe"

"Description": "Drops a binary and executes it",
"Details":
"binary": "C:\\ProgramData\\images.exe"

"Description": "Harvests information related to installed mail clients",
"Details":
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Server"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Account Name"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Server"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 User"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Server"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 User"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Account Name"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Server"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
"key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"

"Description": "Collects information to fingerprint the system",
"Details":

Started Service:
"VaultSvc"

Mutexes:
"Global\\CLR_PerfMon_WrapMutex",
"Global\\CLR_CASOFF_MUTEX",
"Global\\ADAP_WMI_ENTRY",
"Global\\RefreshRA_Mutex",
"Global\\RefreshRA_Mutex_Lib",
"Global\\RefreshRA_Mutex_Flag"

Modified Files:
"C:\\ProgramData\\images.exe",
"C:\\Users\\user\\AppData\\Local\\Temp\\%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows PowerShell\\Windows PowerShell.lnk",
"\\??\\PIPE\\srvsvc",
"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZPXQ6249RQCJ26AS9S77.temp",
"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms",
"C:\\Users\\user\\AppData\\Local\\Microsoft Vision\\03-09-2019_18.30.48",
"C:\\Users\\user\\AppData\\Roaming\\ljfpHsg.tmp",
"C:\\Users\\user\\AppData\\Roaming\\xjqeeJ..tmp",
"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\POX8OKPOITTXA23CIZCU.temp",
"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF4ff721.TMP",
"\\Device\\LanmanDatagramReceiver",
"C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
"C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
"\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"

Deleted Files:
"C:\\ProgramData\\images.exe:Zone.Identifier",
"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZPXQ6249RQCJ26AS9S77.temp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2800.6127875",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2800.6127875",
"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2800.6127875",
"C:\\Users\\user\\AppData\\Roaming\\ljfpHsg.tmp",
"C:\\Users\\user\\AppData\\Roaming\\xjqeeJ..tmp",
"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\d93f411851d7c929.customDestinations-ms~RF4ff721.TMP",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.3716.5240781",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.3716.5240781",
"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.3716.5240781",
"C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
"C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
"C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"

Modified Registry Keys:
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\msvideo",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPer1_0Server",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MaxConnectionsPerServer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\XOT3FKWSJT\\inst",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Images",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.106\\CheckSetting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.101\\CheckSetting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.103\\CheckSetting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.100\\CheckSetting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.102\\CheckSetting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.104\\CheckSetting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting",
"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\55EB258D-A9EA-4DA4-A816-2937F5A950CE\\Path",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\55EB258D-A9EA-4DA4-A816-2937F5A950CE\\Hash",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Id",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Index",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\55EB258D-A9EA-4DA4-A816-2937F5A950CE\\Triggers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\55EB258D-A9EA-4DA4-A816-2937F5A950CE\\DynamicInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D1A85936-A218-4880-B98E-1C6343DC28B9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\38108F88-B76B-42EF-980A-DE405EE60CCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\73538847-DCD8-4533-A2DD-843A91504054",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\532C5A80-7BBA-4032-81AB-A964888EF7EB",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\VaultSvc\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D1A85936-A218-4880-B98E-1C6343DC28B9\\data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\38108F88-B76B-42EF-980A-DE405EE60CCA\\data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\73538847-DCD8-4533-A2DD-843A91504054\\data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\532C5A80-7BBA-4032-81AB-A964888EF7EB\\data"

Deleted Registry Keys:
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"

DNS Communications:
"type": "A",
"request": "warzo.duckdns.org",
"answers":
"data": "23.105.131.202",
"type": "A"

Domains:
"ip": "23.105.131.202",
"domain": "warzo.duckdns.org"

Network Communication - ICMP:

Network Communication - HTTP:

Network Communication - SMTP:

Network Communication - Hosts:
"country_name": "United States",
"ip": "23.105.131.202",
"inaddrarpa": "",
"hostname": "warzo.duckdns.org"

Network Communication - IRC: