· 6 years ago · Sep 03, 2019, 12:40 PM
2* ID: 806
3* MalFamily: "HawkEye"
5* MalScore: 10.0
7* File Name: "Exes_8b954ce0da006f197b80258bbf171052.exe"
8* File Size: 602112
9* File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
10* SHA256: "ff0f7302b97e383ef574903e61db502e75e8f14c05dd28d19a134b9cf9dec0fd"
11* MD5: "8b954ce0da006f197b80258bbf171052"
12* SHA1: "e7beaa0134bf6196f120a7bd796b3bd003bcd0f3"
13* SHA512: "02188e7874e6001bf77600c7670e7ccd2b9c2055204cefcaa48cfb19e7eab402042125167f00beb6088cd61bd1eb1adad77ae9b52737d5e6cf74a600f8f561fd"
14* CRC32: "3EAC6F45"
15* SSDEEP: "12288:TXyeBd8WvqOuO4SWpIwx6m4x2Hok9pi3SlbFYGcCXIwG44NgTnh:btrCG8Iy6m4x2x9pBlbaGnYp44Ngh"
17* Process Execution:
18 "rGTttvT.exe",
19 "rGTttvT.exe",
20 "vbc.exe",
21 "vbc.exe",
22 "vbc.exe",
23 "vbc.exe",
24 "vbc.exe",
25 "services.exe",
26 "svchost.exe",
27 "WmiPrvSE.exe",
28 "svchost.exe",
29 "taskeng.exe",
30 "taskeng.exe",
31 "msoia.exe",
32 "msoia.exe",
33 "WMIADAP.exe",
34 "taskeng.exe",
35 "taskeng.exe",
36 "lsass.exe",
37 "lsass.exe",
38 "lsass.exe"
41* Executed Commands:
42 "\"C:\\Users\\user\\AppData\\Local\\Temp\\rGTttvT.exe\"",
43 "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpC1AC.tmp\"",
44 "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpC5A0.tmp\"",
45 "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp3260.tmp\"",
46 "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp3CCC.tmp\"",
47 "\"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe\" /stext \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp55EE.tmp\"",
48 "taskeng.exe C0B665F2-20E8-42E2-8B1B-ECB1D1C4C575 S-1-5-18:NT AUTHORITY\\System:Service:",
49 "taskeng.exe 08F6CC8D-6201-40B8-8512-447E59E028EB S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
50 "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
51 "taskeng.exe D0C88679-27CA-4BB8-B25B-2B60DD96452C S-1-5-18:NT AUTHORITY\\System:Service:",
52 "taskeng.exe E00A9B06-217D-4D04-8C7D-3F4A42192494 S-1-5-18:NT AUTHORITY\\System:Service:",
53 "C:\\Windows\\system32\\lsass.exe",
54 "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
55 "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload",
56 "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880"
59* Signatures Detected:
61 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
62 "Details":
65 "Description": "Behavioural detection: Executable code extraction",
66 "Details":
69 "Description": "Attempts to connect to a dead IP:Port (1 unique time)",
70 "Details":
72 "IP_ioc": "199.79.62.11:587 (United States)"
77 "Description": "Creates RWX memory",
78 "Details":
81 "Description": "Guard page use detected - possible anti-debugging.",
82 "Details":
85 "Description": "A process created a hidden window",
86 "Details":
88 "Process": "rGTttvT.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\rGTttvT.exe"
91 "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
96 "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
97 "Details":
99 "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
102 "suspicious_request_iocs": "http://bot.whatismyipaddress.com/"
107 "Description": "Performs some HTTP requests",
108 "Details":
110 "url_iocs": "http://bot.whatismyipaddress.com/"
115 "Description": "The binary likely contains encrypted or compressed data.",
116 "Details":
118 "section": "name: .text, entropy: 7.93, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00092600, virtual_size: 0x00092494"
123 "Description": "Looks up the external IP address",
124 "Details":
126 "domain": "bot.whatismyipaddress.com"
131 "Description": "Uses Windows utilities for basic functionality",
132 "Details":
134 "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
139 "Description": "Attempts to remove evidence of file being downloaded from the Internet",
140 "Details":
142 "file": "C:\\Users\\user\\AppData\\Local\\Temp\\rGTttvT.exe:Zone.Identifier"
147 "Description": "Behavioural detection: Injection (Process Hollowing)",
148 "Details":
150 "Injection": "rGTttvT.exe(3676) -> rGTttvT.exe(4008)"
155 "Description": "Executed a process and injected code into it, probably while unpacking",
156 "Details":
158 "Injection": "rGTttvT.exe(3676) -> rGTttvT.exe(4008)"
163 "Description": "Sniffs keystrokes",
164 "Details":
166 "SetWindowsHookExA": "Process: rGTttvT.exe(4008)"
171 "Description": "Behavioural detection: Injection (inter-process)",
172 "Details":
175 "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
176 "Details":
179 "Description": "A process attempted to delay the analysis task by a long amount of time.",
180 "Details":
182 "Process": "rGTttvT.exe tried to sleep 4778 seconds, actually delayed analysis time by 0 seconds"
185 "Process": "svchost.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
188 "Process": "taskeng.exe tried to sleep 601 seconds, actually delayed analysis time by 0 seconds"
193 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
194 "Details":
196 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 6822735 times"
201 "Description": "Steals private information from local Internet browsers",
202 "Details":
204 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
207 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
210 "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat"
215 "Description": "Installs itself for autorun at Windows startup",
216 "Details":
218 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"
221 "data": "\"C:\\Users\\user\\AppData\\Roaming\\NGq4Nyw3pTHF6Tlu\\y0evsRSxNz6B.exe\",explorer.exe"
226 "Description": "Creates a hidden or system file",
227 "Details":
229 "file": "C:\\Users\\user\\AppData\\Roaming\\NGq4Nyw3pTHF6Tlu"
232 "file": "C:\\Users\\user\\AppData\\Roaming\\NGq4Nyw3pTHF6Tlu\\y0evsRSxNz6B.exe"
237 "Description": "File has been identified by 20 Antiviruses on VirusTotal as malicious",
238 "Details":
240 "FireEye": "Generic.mg.8b954ce0da006f19"
243 "Cybereason": "malicious.134bf6"
246 "Invincea": "heuristic"
249 "Symantec": "ML.Attribute.HighConfidence"
252 "APEX": "Malicious"
255 "Kaspersky": "HEUR:Trojan.MSIL.Cryptos.gen"
258 "Paloalto": "generic.ml"
261 "F-Secure": "Heuristic.HEUR/AGEN.1035809"
264 "McAfee-GW-Edition": "BehavesLike.Win32.Generic.hc"
267 "SentinelOne": "DFI - Suspicious PE"
270 "Avira": "HEUR/AGEN.1035809"
273 "Endgame": "malicious (high confidence)"
276 "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
279 "Acronis": "suspicious"
282 "Cylance": "Unsafe"
285 "ESET-NOD32": "a variant of MSIL/Kryptik.QME"
288 "AVG": "FileRepMalware"
291 "Panda": "Trj/GdSda.A"
294 "CrowdStrike": "win/malicious_confidence_100% (D)"
297 "Qihoo-360": "HEUR/QVM03.0.A2A1.Malware.Gen"
302 "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
303 "Details":
306 "Description": "Creates a copy of itself",
307 "Details":
309 "copy": "C:\\Users\\user\\AppData\\Roaming\\NGq4Nyw3pTHF6Tlu\\y0evsRSxNz6B.exe"
314 "Description": "Harvests information related to installed instant messenger clients",
315 "Details":
317 "key": "HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts"
322 "Description": "Harvests information related to installed mail clients",
323 "Details":
325 "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.oeaccount"
328 "file": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.*"
331 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"
334 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
337 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
340 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP User"
343 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
346 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
349 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
352 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP User"
355 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
358 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
361 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
364 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
367 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
370 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP User"
373 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
376 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
379 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP User"
382 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
385 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP User"
388 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
391 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 User"
394 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 User"
397 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
400 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
403 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
406 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP User"
409 "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
412 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
415 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
418 "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
424* Started Service:
425 "VaultSvc"
428* Mutexes:
429 "Global\\CLR_PerfMon_WrapMutex",
430 "Global\\CLR_CASOFF_MUTEX",
431 "1fcc3394-2014-4da4-bd91-eaed85514f50",
432 "Global\\.net clr networking",
433 "Global\\ADAP_WMI_ENTRY",
434 "Global\\RefreshRA_Mutex",
435 "Global\\RefreshRA_Mutex_Lib",
436 "Global\\RefreshRA_Mutex_Flag"
439* Modified Files:
440 "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
441 "C:\\Users\\user\\AppData\\Roaming\\NGq4Nyw3pTHF6Tlu\\y0evsRSxNz6B.exe",
442 "C:\\Users\\user\\AppData\\Local\\Temp\\b94934b7-e8fb-4c75-f919-f4cd31edb598",
443 "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
444 "\\Device\\LanmanDatagramReceiver",
445 "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
446 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
447 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
448 "\\??\\WMIDataDevice",
449 "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data",
450 "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
451 "C:\\Users\\user\\AppData\\Local\\Temp\\tmpC1AC.tmp",
452 "C:\\Users\\user\\AppData\\Local\\Temp\\tmpC5A0.tmp",
453 "C:\\Users\\user\\AppData\\Local\\Temp\\tmp3260.tmp",
454 "C:\\Users\\user\\AppData\\Local\\Temp\\tmp3CCC.tmp",
455 "C:\\Users\\user\\AppData\\Local\\Temp\\tmp55EE.tmp"
458* Deleted Files:
459 "C:\\Users\\user\\AppData\\Local\\Temp\\rGTttvT.exe:Zone.Identifier",
460 "C:\\Users\\user\\AppData\\Local\\Temp\\tmpC1AC.tmp",
461 "C:\\Users\\user\\AppData\\Local\\Temp\\tmpC5A0.tmp",
462 "C:\\Users\\user\\AppData\\Local\\Temp\\tmp3260.tmp",
463 "C:\\Users\\user\\AppData\\Local\\Temp\\tmp3CCC.tmp",
464 "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
465 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
468* Modified Registry Keys:
469 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
470 "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\rGTttvT_RASAPI32",
471 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rGTttvT_RASAPI32\\EnableFileTracing",
472 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rGTttvT_RASAPI32\\EnableConsoleTracing",
473 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rGTttvT_RASAPI32\\FileTracingMask",
474 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rGTttvT_RASAPI32\\ConsoleTracingMask",
475 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rGTttvT_RASAPI32\\MaxFileSize",
476 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rGTttvT_RASAPI32\\FileDirectory",
477 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\8BC105B2-AB66-48E7-8787-5F538231EA44\\Path",
478 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\8BC105B2-AB66-48E7-8787-5F538231EA44\\Hash",
479 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Id",
480 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Index",
481 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\8BC105B2-AB66-48E7-8787-5F538231EA44\\Triggers",
482 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\8BC105B2-AB66-48E7-8787-5F538231EA44\\DynamicInfo",
483 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
484 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C0B665F2-20E8-42E2-8B1B-ECB1D1C4C575",
485 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
486 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\08F6CC8D-6201-40B8-8512-447E59E028EB",
487 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
488 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D0C88679-27CA-4BB8-B25B-2B60DD96452C",
489 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\E00A9B06-217D-4D04-8C7D-3F4A42192494",
490 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\VaultSvc\\Type",
491 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C0B665F2-20E8-42E2-8B1B-ECB1D1C4C575\\data",
492 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\08F6CC8D-6201-40B8-8512-447E59E028EB\\data",
493 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\D0C88679-27CA-4BB8-B25B-2B60DD96452C\\data",
494 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\E00A9B06-217D-4D04-8C7D-3F4A42192494\\data"
497* Deleted Registry Keys:
499* DNS Communications:
501 "type": "A",
502 "request": "bot.whatismyipaddress.com",
503 "answers":
505 "data": "66.171.248.178",
506 "type": "A"
511 "type": "A",
512 "request": "mail.abrancon.com",
513 "answers":
515 "data": "199.79.62.11",
516 "type": "A"
519 "data": "abrancon.com",
520 "type": "CNAME"
526* Domains:
528 "ip": "66.171.248.178",
529 "domain": "bot.whatismyipaddress.com"
532 "ip": "199.79.62.11",
533 "domain": "mail.abrancon.com"
537* Network Communication - ICMP:
539* Network Communication - HTTP:
541 "count": 1,
542 "body": "",
543 "uri": "http://bot.whatismyipaddress.com/",
544 "user-agent": "",
545 "method": "GET",
546 "host": "bot.whatismyipaddress.com",
547 "version": "1.1",
548 "path": "/",
549 "data": "GET / HTTP/1.1\r\nHost: bot.whatismyipaddress.com\r\nConnection: Keep-Alive\r\n\r\n",
550 "port": 80
554* Network Communication - SMTP:
556* Network Communication - Hosts:
558 "country_name": "United States",
559 "ip": "66.171.248.178",
560 "inaddrarpa": "",
561 "hostname": "bot.whatismyipaddress.com"
564 "country_name": "United States",
565 "ip": "199.79.62.11",
566 "inaddrarpa": "",
567 "hostname": "mail.abrancon.com"
571* Network Communication - IRC: