String found in binary or memory: erts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0 dllbinSoftware\JavaSoft\Java Development Kit\JavaHomeSoftware\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://p://ttp://in9999.tmp HEAD.part123charsetutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
String found in binary or memory: IShell32.dllShlwapi.
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
Code function: 3_2_00406FF9 _EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Code function: 7_2_00214085 FindFirstFileW,FindClose,CloseHandle,CloseHandle,
Code function: 7_2_00214B3A FindFirstFileW,FindClose,
Code function: 7_2_001FA310 FindFirstFileW,GetLastError,FindClose,
Code function: 7_2_002083C7 _EH_prolog3_GS,FindFirstFileW,FindClose,
Code function: 7_2_0021C5A8 FindFirstFileW,FindClose,
Found strings which match to known social media urls
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL82DD.exe
Contains functionality to enumerate / list files inside a directory
Remotely Track Device Without Authorization
Deobfuscate/Decode Files or Information 1
Exfiltration Over Command and Control Channel
Checks for available system drives (often done to infect USB drives)
Report size getting too big, too many NtSetInformationFile calls found.
Eavesdrop on Insecure Network Communication.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing behavior information.
Execution Graph export aborted for target msiexec.exe, PID 5056 because there are no executed function.
Execution Graph export aborted for target DL82DD.exe, PID 2768 because there are no executed function.
Created / dropped Files have been reduced to 100.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, WmiPrvSE.exe.