dcrat | a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a

Sharing

Copy URL

Twitter E-mail

General

Target

archive_46.zip
Size

65.7MB
Sample

250322-g1ee9atj13
MD5

03f590f0ac7b1e46a98213db8643e26e
SHA1

faf6a6eaeed17a09a95017bc3e6720a5c3310ffd
SHA256

a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a
SHA512

4fbf6129695bf3ce905e620e21f597c650561e4a88715e441960d2956d014798577e1f92d8c0233ce4d78b3e05d72b7dd43464136f5a11986378758387038db5
SSDEEP

1572864:6U00oDoL7wjQhtIsj1koTLwqd53qiN9q+I2wkyPUiTeQzn0:voD87wjQhtIsZvTLVd5jP5eaQzn0

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HACKED

mrtorrent32.ddns.net:1177

Mutex

12ce4e06a81e8d54fd01d9b762f1b1bb

Attributes

reg_key
12ce4e06a81e8d54fd01d9b762f1b1bb
splitter
|'|'|

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

127.0.0.1:6126

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
|Ghost|

Extracted

Family

growtopia

https://discordapp.com/api/webhooks/730377507630743563/CTrQfMGpsjTTGCS5L_vCDbiyLqcVjXDI2n7WnjcxEmhX5IuwdHJQwjkb9te1VA7QLViH

https://discordapp.com/api/webhooks/731971810739879986/OpZic7KuzzPIt0T_lIHObsqHtrAD0WY9AzKT1vHjAK_rPz_Tg7O0QUz_n2R-fFNBWIkM

Attributes

payload_url
https://cdn.discordapp.com/attachments/715259687049756713/724200009171468368/decoder.exe

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

thursday-bytes.gl.at.ply.gg:55648

Mutex

caa5ab06fdce65c809c563c98d39620a

Attributes

reg_key
caa5ab06fdce65c809c563c98d39620a
splitter
Y262SUCZ4UJJ

Extracted

Family

xworm

fact-standings.gl.at.ply.gg:5666

wrong-observations.gl.at.ply.gg:5996

Attributes

Install_directory
%AppData%
install_file
svhost.exe

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

Host

213.183.58.19:4000

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
read.dat
keylog_flag
false
keylog_folder
CastC
keylog_path
%AppData%
mouse_option
false
mutex
remcos_sccafsoidz
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Boy12345#

Targets

- Target
  
  bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
- Size
  
  561KB
- MD5
  
  009ad4da2328c0133ceddef2fd3687b4
- SHA1
  
  4b9ebbc512c4be235a29f3851afce645fba415b6
- SHA256
  
  bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445
- SHA512
  
  767b621b3295d71a511f26a2b8ee15a48f35eff75156e4947dd5ac1fdd13ce228fdac0042bdd44f3a411bd3927d5d8543e6864c0be672b52d8ed01d8d0d86311
- SSDEEP
  
  6144:QYodYSZydQTu2CFk0IkPyW//ne6VlWT8b9Qf+tbSaowwabqutYSUR8z:QYodYSZ+WcIpWXPVle8FPFt
Score

10^/10

discovery persistence privilege_escalation spyware stealer credential_access
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  bccb34575fb2db34d4a29075cb2f9aa39904b7d5412695545f2240c00fbb0472.exe
- Size
  
  818KB
- MD5
  
  b61eac1cef2c0332f94d76a58edc5170
- SHA1
  
  b88419a976125c0256a0d2484b086a4d32c8ca68
- SHA256
  
  bccb34575fb2db34d4a29075cb2f9aa39904b7d5412695545f2240c00fbb0472
- SHA512
  
  782ce4b277125356267ba4f5d726694b7a36b0446e534239956ada6e484d5c800d940c4707e754b90834f53021bb51636434329ab098a5dcb89a18f593c1c9bd
- SSDEEP
  
  6144:MtT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKK:Y6u7+487IFjvelQypyfy7cnKK
Score

10^/10

collection credential_access discovery persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  bcf1af9a5a93ae74ea1c79da9951c5be.exe
- Size
  
  29KB
- MD5
  
  bcf1af9a5a93ae74ea1c79da9951c5be
- SHA1
  
  6b0d2a1cea799118ad12980772242aba94011551
- SHA256
  
  9f99c298e78e35b51cb5dc56285be2a26c80b9388f179927d3d5ac90829bbafb
- SHA512
  
  7b2df96ccd09c5b3234019f23135a2f44651b89d88b7b6bf107d0710ee79466ceeda0f20f1bd4b1374a50018e2761d42e47b131a22836c990be06a96cedde025
- SSDEEP
  
  768:2Y7bXEI+Ge1gFaYqwzLeiBKh0p29SgRw1:l7bXh7RznKhG29jw1
Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  bcf783e363557f5bdd4014c159ae2497.exe
- Size
  
  65KB
- MD5
  
  bcf783e363557f5bdd4014c159ae2497
- SHA1
  
  3e80d9ff00d3866486f765789f20b94a7c270bc2
- SHA256
  
  3f572151e9e2d4d2fb18eb77d53fbec0a0cf1d5eac7322fb21319a12fdcd1fa0
- SHA512
  
  ee767b2305fdd63feb503c60f9788fbe9a75862129f8f19b955b7c2049489f7821fc82f2bb64e14f1e1f13f5cdfec09d9d0d0ca937744c79572d94baaa1b17aa
- SSDEEP
  
  1536:lzOe7oN36tbQviFw1scvIBnvnifLteF3nLrB9z3nraF9bYS9vM:lzOe7oN36tbQviFCHABnqfWl9z7aF9b
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  bd515574dc1cb379674710f110e907d8cd72a5e4c5eb90d464fbee847b71718c.exe
- Size
  
  596KB
- MD5
  
  5ea4f8c51f94befe6bc2c902e46aa8c9
- SHA1
  
  19d71d34b5c1d4d286bb272d8a55613c2a62f050
- SHA256
  
  bd515574dc1cb379674710f110e907d8cd72a5e4c5eb90d464fbee847b71718c
- SHA512
  
  7230f0837ef38d12adf4db4e74a13e8c4797c2769c9d3ee96a4edca7b8aade0c586232cc5a6f84133a3ce8fe16b75a319476e5e243d8a7c269dd0c93c6712d00
- SSDEEP
  
  6144:5TKwX7FUOMlp3GhW3CjqEpra7zlVhe6VlWT8b9vwFniP+jEpVS+G9saQl4iLvhsu:RK9hUW8fAhPVle80wpVt8gJshYoKE
Score

1^/10
behavioral10 behavioral9
- Target
  
  bd68ca7605316450c87b9218d2dbe19d8c5694e07b93f320f3ca4a9ad902c139.exe
- Size
  
  1.7MB
- MD5
  
  dffcd11d476c58ec3faa380cc679d6cd
- SHA1
  
  809b2bdeb0485b409f0fef3cab124eec8331cc95
- SHA256
  
  bd68ca7605316450c87b9218d2dbe19d8c5694e07b93f320f3ca4a9ad902c139
- SHA512
  
  cf9219060cc1df30f0945fe77964855996d15a93efea373cbee03506335bad7bc02a0f12d82c630d0ec701089a6883bc0f63f9e396c7f53a27cfb5356a050bfd
- SSDEEP
  
  24576:0D39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjoIK:0p7E+QrFUBgq2dK
Score

10^/10

remcos host discovery persistence rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  bd707a0357b19ea6953d47900bb051e3.exe
- Size
  
  9.0MB
- MD5
  
  bd707a0357b19ea6953d47900bb051e3
- SHA1
  
  8beefca61bdb6d8086bd6f3e16d86eab575138a2
- SHA256
  
  979c2c3e2496830b8778123e349c9b00168ffef73fbc0f7e53ff110147f9be6c
- SHA512
  
  4e458c7b4e6ca8e77c783ea92ca511816fed9b7525c0805982b0350e7713210afcc11e6004005200192172ab65ab2eb115a5eba4f60e448bfea1d38cf9bbf718
- SSDEEP
  
  196608:jxSZrxSZExSZfU+2at3DS7sJav43YmOZdqUJ9quict4zvv0uP:jxSZrxSZExSZfU+2aJDSgJnmqukY4zHN
Score

9^/10

defense_evasion
- Looks for VirtualBox Guest Additions in registry
  defense_evasion
- Looks for VMWare Tools registry key
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral13 behavioral14
- Target
  
  bd7edfedebe8a680d801ffd5b2415cd3877e95c78edb8cfc44eaae3e0e9a1e0b.exe
- Size
  
  300KB
- MD5
  
  4bb553f72fc435ab9d6bc0cd2f5dcf27
- SHA1
  
  3a4623813ca0b3e8ce929bd7c555534c2e207e6c
- SHA256
  
  bd7edfedebe8a680d801ffd5b2415cd3877e95c78edb8cfc44eaae3e0e9a1e0b
- SHA512
  
  6c42ef68d52d473f7beb12109eadedb59eed09d5126b13330beccb793d2a2e717d94f9aa493e4190c5d6283518a2fc245dd6aa24b69f5d82649d5b6a07b5e8de
- SSDEEP
  
  6144:mevNyKnYli6n3hICfse6VlWT8b9PBLQBbmZSV:94K2WPVle8dS
Score

10^/10

persistence privilege_escalation
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral15 behavioral16
- Target
  
  bdad1ff46d46963cc687d5f6889c9ef2.exe
- Size
  
  78KB
- MD5
  
  bdad1ff46d46963cc687d5f6889c9ef2
- SHA1
  
  16329a972f772675d1c55304ed703fcf8649c720
- SHA256
  
  9f935f8e74743d350a12fa3f517b6ef5e57c54d850e83592e7da680aa95f37d0
- SHA512
  
  12b4d7d257aa55abdfdd213e3f105cad45207973b40d653cd29d6c20e58b3f867883422eeb0176f8f5fbea1b088df64ab5e28a32efab2133d4612140ab93f5fe
- SSDEEP
  
  1536:tCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRF9//166:tCHFo53Ln7N041QqhgRF9/P
Score

10^/10

metamorpherrat discovery persistence rat stealer trojan
- MetamorpherRAT
  Metamorpherrat is a hacking tool that has been around for a while since 2013.
  trojan rat stealer metamorpherrat
- Metamorpherrat family
  metamorpherrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral17 behavioral18
- Target
  
  bdae9ff15952ccdfec0be80562f1cbdf.exe
- Size
  
  719KB
- MD5
  
  bdae9ff15952ccdfec0be80562f1cbdf
- SHA1
  
  081b5649ad8548e9a88e9120cdd7e0dc8e4d059a
- SHA256
  
  99a630640091456c211b2610370824f5edef06233ef9d5dfe1e3817fe92e4c6a
- SHA512
  
  28dc6265286a25188f53370d923288ba790eccf533c7fba3b86a212fe8129059469f3a01e11c3c76c8aa66c400f00058d1e319a9ce01e37e45041aea3d0d703a
- SSDEEP
  
  12288:ymmO5pyJZghm45vQXy0kSHMgDZ+5zquHB2qCJtuyHF:ymj5pyIhm45v8y0DwHBOJcYF
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral19 behavioral20
- Target
  
  be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
- Size
  
  1.9MB
- MD5
  
  60209ecdf6f883b16c0389e75e45f472
- SHA1
  
  ba05313040467c1d64f9dc323cbc899fed88b505
- SHA256
  
  be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c
- SHA512
  
  fb8342e9418e4b77a061491d58088c4a5176e76c6708c65731371d769a68ae579872c57eb92818852b88cd2194d0ef160f3a2f1842a58f911a593d899cbf0f34
- SSDEEP
  
  24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Score

10^/10

defense_evasion execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral21 behavioral22
- Target
  
  be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787.exe
- Size
  
  15KB
- MD5
  
  7e352292c05b5bc088e3c3ee5bccf1eb
- SHA1
  
  c903fb44d344b22f619967babb655c6241e16f51
- SHA256
  
  be077774c9e78bbe8c9388aa7d552de77e9ef40ec732ea193da049a0db2e5787
- SHA512
  
  d614817b8690cb6735fb4edd54c40742d385b649e0a0a13b3c4987aed529446bec477e4ba0ead7d8f670ab776ec75cae48f017fed5c106fd4f6ecbf8e73bebd8
- SSDEEP
  
  384:589lZJy0rw6AsjAvYTk5yBZ9KqyX+B7UN:29ltw6AucYqG9KqyJ
Score

10^/10

growtopia defense_evasion discovery persistence stealer trojan
- Growtopia
  Growtopa is an opensource modular stealer written in C#.
  stealer growtopia
- Growtopia family
  growtopia
- UAC bypass
  defense_evasion trojan
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral23 behavioral24
- Target
  
  be0a8aeb7e1655bee6255bac9c2947ecef511b5f00e29933dfd9c7f39965bf56.exe
- Size
  
  16.7MB
- MD5
  
  cba70d74b4c717ddb37ed0d0ecc7ccd1
- SHA1
  
  947edbb0faa4dd5920975702ddab4bcd94bf714e
- SHA256
  
  be0a8aeb7e1655bee6255bac9c2947ecef511b5f00e29933dfd9c7f39965bf56
- SHA512
  
  0953db7a8ee898018f52a0aba5942de40038b33436a10455e46f43f651703f4289d3d1779969e34d6836d47b33f9f6d373ddc94e47f0effae74d552f4c7e95d6
- SSDEEP
  
  196608:x2b1VOvS6QqOyjr2LF3Ye6YmnwqdU142UazXsyFqBD:gOq1cjSLFoBYmn5U1PBXsyFqB
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  be1643898cf51a24e38e4044d24ae1f5.exe
- Size
  
  1.8MB
- MD5
  
  be1643898cf51a24e38e4044d24ae1f5
- SHA1
  
  5b53f0997c5be65bd91489a11ee51517c0b1925b
- SHA256
  
  6c2eeaf52182de0791d8e04149fef6ba87cbeed544ec5337199506888b747d94
- SHA512
  
  c0451369d080d8a0ddfdea774f4c0a0c261ca9bebb5511355211a6557ff6d04e79fde17bffaec8ad1bdbfcf33aca9ca5e6604caa0be8ff6e97d2a4421550a44b
- SSDEEP
  
  49152:ifccx7xHddXQ5xobHeDyrso2FuE4QAE6v7O1dg:AdpQ5SzetjIQF
Score

10^/10

discovery
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  be183db6d4b77c092496c69c3f389b94.exe
- Size
  
  5.9MB
- MD5
  
  be183db6d4b77c092496c69c3f389b94
- SHA1
  
  fb3bfca351c3393d0a5d8cd9720b6427a2e496a3
- SHA256
  
  87c09708598a2d92970a4a4e7244fc31589a8e6e6a49240ec5c5862aff099c9a
- SHA512
  
  997eba720a5d7895cfce44aa1f67eba74312314a87190e2b5dd8229aaa63d3886224d7f34023d9888922a72fd976a214eedf2f9d746c923c6efbe9683e39173c
- SSDEEP
  
  98304:byeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4d:byeU11Rvqmu8TWKnF6N/1ww
Score

10^/10

dcrat defense_evasion execution infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral29 behavioral30
- Target
  
  be2375e810af4d76a0fc392d8acf2d1218cd2c21a6b8160be7f1f30ef7cf4694.exe
- Size
  
  192KB
- MD5
  
  e5f8f6cd43f153b1223a9175fc19e235
- SHA1
  
  c5ce77bf08255c036602902b622b895ae90f369d
- SHA256
  
  be2375e810af4d76a0fc392d8acf2d1218cd2c21a6b8160be7f1f30ef7cf4694
- SHA512
  
  fecacd2cced113bf3749bfd86570fa10e2f42f7f4dceb18d9a2a90fc367476eb5f61d4cb7b3f320eccbffd96a7bc2d81cae81fabf5e74da507f88388690d481a
- SSDEEP
  
  3072:qN9AvTqSWPVKBGr8rQmRLjjsskVZK9kCk3mb3Eg2mogLfOsea1YuNPzLHWA9b80l:yhEKolQZKaCm6VXogLf3/bNHjbzl
Score

10^/10

collection discovery persistence privilege_escalation spyware stealer
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral31 behavioral32