Foudre attack cyber security

Targeting the administrators of Telegram channels opposed to the Iranian regime with an updated build of the "Foudre" virus

Recently, the administrator of one of the Telegram channels opposed to the Islamic Republic forwarded a file that had been sent to him to the Tekafand team for examination. We analysed the file and found that it is an updated build of the dangerous "Foudre" malware (French for "lightning").

"Foudre" is a modified version of the Infy malware and was first identified in February 2017. Its job is to steal user data. It includes a keylogger that sends keyboard input and clipboard contents to its server. It also inventories the machine, including the list of running processes, the installed antivirus products, cookies, and other browser data. The malware checks whether the machine has Internet connectivity and, if a newer version of itself is available, updates itself. It connects to its command-and-control (C&C) server and, if the code it receives from the server matches the code stored on the machine, uploads the stolen data to the server.

A Telegram user with the username pejman175 and user ID 405260575 has been sending a dangerous virus to the administrators of Telegram channels opposed to the Iranian government. The user sends them a file named www[.]payvand[.]com.

Figure 1. The user who sent the virus to Telegram users
Figure 2. The message and the virus sent to Telegram users

As soon as the victim downloads the file and clicks on it, the virus opens a browser on the computer and navigates to www[.]payvand[.]com, so that the user believes the downloaded file was simply a link to that site.

Figure 3. The site the malware opens in the user's browser

The malware then creates a file at C:\DOCUME~1\ALLUSE~1\APPLIC~1\nc.lnk (the All Users Application Data folder). This file is a shortcut to the file n.c in the same folder. That file is over 43 MB in size, and every time the virus runs it is created under a new name. The name format is [one letter][dot][one letter]; for example, when we ran the malware a second time the file was created as j.g. We believe the file is given a new name on each run to make detection by antivirus software harder.

Figure 4. The files the virus creates.

The virus also creates the file DOCUME~1\ALLUSE~1\APPLIC~1\p1.key, which contains a 709-byte key, probably used to encrypt the data exchanged with its server.
The malware adds the following value to the Windows registry.

\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run: "C:\DOCUME~1\ALLUSE~1\APPLIC~1\nc.lnk"

This value appears to execute the nc.lnk file created in the previous step at Windows startup. The virus then changes some network settings in the registry.

  1. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  2. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  3. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  4. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

The malware also modifies the following registry keys.

  1. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  2. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

The malware also modifies numerous other registry keys, including a number of browser-related ones. It creates a temporary folder at C:\Documents and Settings\\Local Settings\Temp\temp4894 to hold its files.

Figure 5. The temp4894 folder created by the virus

This folder contains three files: i6104.dll, d411, and r.bmp.

Figure 6. Contents of the temp4894 folder

The main body of the virus appears to be i6104.dll, which is launched as a program by rundll32.exe, the Windows process that runs DLL files. The process that was started when the file was clicked is terminated once the new www.payvand.com processes start. In our view, the initial process is stopped and a new one started to carry on the virus's work in order to throw antivirus software off its trail.
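To turn the behaviour described above into something a responder can check, here is an added triage script, written for this page and not a tool of the Tekafand team. It parses sandbox event records in the five-column shape used in the appendix (timestamp, category, action, actor, target) and flags the indicators the write-up describes: an executable named like a web address, a DLL dropped under Local Settings\Temp, ZoneMap tampering, rundll32.exe spawned from a user-writable path, the dropper exiting after handing off to its child, the [letter].[letter] payload file and nc.lnk, and the Run value. The rule names, the parser, and the last three sample records (n.c, nc.lnk and the Run value) are assumptions constructed for the example; the first six records are copied from the appendix.

```python
import csv
import re
from collections import defaultdict

# Sample sandbox events in the five-column shape of the appendix:
# "timestamp","category","action","actor","target".
# The first six records are copied from the appendix (sandbox account "foren");
# the last three are CONSTRUCTED to mirror the persistence artefacts the
# write-up describes (n.c, nc.lnk and the Run value) and are not in the appendix.
SAMPLE_LOG = r'''"28/11/2018 19:40:4.205","process","created","C:\WINDOWS\explorer.exe","C:\Documents and Settings\foren\Desktop\www.payvand.com"
"28/11/2018 19:40:4.564","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:5.393","registry","DeleteValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"
"28/11/2018 19:40:5.393","registry","SetValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet"
"28/11/2018 19:40:5.471","process","created","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\WINDOWS\system32\rundll32.exe"
"28/11/2018 19:40:5.705","process","terminated","C:\WINDOWS\explorer.exe","C:\Documents and Settings\foren\Desktop\www.payvand.com"
"28/11/2018 19:40:6.001","file","Write","C:\WINDOWS\system32\rundll32.exe","C:\DOCUME~1\ALLUSE~1\APPLIC~1\n.c"
"28/11/2018 19:40:6.002","file","Write","C:\WINDOWS\system32\rundll32.exe","C:\DOCUME~1\ALLUSE~1\APPLIC~1\nc.lnk"
"28/11/2018 19:40:6.003","registry","SetValueKey","C:\WINDOWS\system32\rundll32.exe","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run"
'''

# Behavioural rules derived from the write-up (names are this example's own).
DOMAIN_LIKE = re.compile(r"^www\.[a-z0-9-]+\.[a-z]{2,}$", re.I)   # executable named like a web address
SHORT_NAME = re.compile(r"^[a-z]\.[a-z]$", re.I)                  # the [letter].[letter] payload name
ZONEMAP = re.compile(r"\\Internet Settings\\ZoneMap\\", re.I)
RUN_VALUE = re.compile(r"\\CurrentVersion\\(Windows\\)?Run$", re.I)  # "...\Windows NT\CurrentVersion\Windows\Run" or "...\CurrentVersion\Run"
TEMP_DIR = re.compile(r"\\Local Settings\\Temp\\", re.I)
SYSTEM_DIR = re.compile(r"^C:\\WINDOWS\\", re.I)


def basename(path):
    """Last component of a Windows file path or registry path."""
    return path.rsplit("\\", 1)[-1]


def parse_events(text):
    """Parse the CSV records into dicts, skipping rows that are not five columns."""
    events = []
    for row in csv.reader(text.strip().splitlines()):
        if len(row) != 5:
            continue
        ts, category, action, actor, target = row
        events.append({"ts": ts, "category": category, "action": action,
                       "actor": actor, "target": target})
    return events


def lineage(parents, proc):
    """Walk the parent map back to the root and return the chain of image names."""
    chain = [proc]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return [basename(p) for p in reversed(chain)]


def triage(text):
    events = parse_events(text)
    children = defaultdict(list)   # parent image -> spawned images
    parents = {}                   # child image -> parent image
    findings = defaultdict(list)   # rule name -> [(timestamp, evidence)]

    def flag(rule, ev):
        findings[rule].append((ev["ts"], basename(ev["target"])))

    for ev in events:
        cat, action, actor, target = ev["category"], ev["action"], ev["actor"], ev["target"]
        name = basename(target)
        if cat == "process" and action == "created":
            children[actor].append(target)
            parents[target] = actor
            if DOMAIN_LIKE.match(name):
                flag("domain_like_process_name", ev)
            if name.lower() == "rundll32.exe" and not SYSTEM_DIR.match(actor):
                flag("rundll32_from_user_path", ev)
        elif cat == "process" and action == "terminated":
            # the dropper exits right after handing execution to a child it spawned
            if children.get(target):
                flag("dropper_self_terminates", ev)
        elif cat == "file" and action == "Write":
            if TEMP_DIR.search(target) and name.lower().endswith(".dll"):
                flag("dll_dropped_in_temp", ev)
            if SHORT_NAME.match(name) or name.lower() == "nc.lnk":
                flag("short_name_payload_or_shortcut", ev)
        elif cat == "registry":
            if ZONEMAP.search(target):
                flag("zonemap_tampering", ev)
            if action == "SetValueKey" and RUN_VALUE.search(target):
                flag("run_key_persistence", ev)

    return {"events": len(events), "children": dict(children),
            "parents": parents, "findings": dict(findings)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for rule, hits in sorted(report["findings"].items()):
        print(f"{rule:32s} x{len(hits)}  first: {hits[0][0]}  {hits[0][1]}")
    print("lineage:", " -> ".join(lineage(report["parents"], r"C:\WINDOWS\system32\rundll32.exe")))
```

Run it as-is to see the seven rules fire on the sample, or feed it a real sandbox export by replacing SAMPLE_LOG. Each rule on its own is weak (rundll32.exe and ZoneMap changes are common), which is why the script reports the full set together with the process lineage rather than a single verdict.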

Analysis:

The p1.key file appears to be a key for encrypting and decrypting the messages exchanged between the virus and its command-and-control (C&C) server. The other file, named in the [character][dot][character] format and created alongside the key file, is the program that the virus's initial process launches. While reviewing the strings in this file we found several things that caught our attention. One of them is the word "Foudre", the name of a well-known malware family. This virus appears to be a new version of the "Foudre" malware that was widely distributed on Iranian social networks some time ago.

Another string in this file that caught our attention was the following:

"We have the tape. I don't want to hear the tape. No reason for me to hear the tape," Trump said in an interview with Fox News Sunday.

This refers to Trump's remark about the tape of the Khashoggi killing, in which he said he did not want to listen to the tape. It indicates that this virus was built recently, for malicious operations after Khashoggi's death. Reviewing the strings stored in the malware's files also reveals a number of passwords and encryption values used for communicating with the server and encrypting messages.

Distribution of the "Foudre" malware on Iranian social networks is nothing new. Some time ago an older version of this malware played a clip on the victim's machine calling for civil protests in Iran, and it was designed to target Iranian political activists. This malware appears to have been developed by hackers affiliated with the Iranian regime in order to compromise the devices of Iranian dissidents. This build was sent specifically to the administrators of channels opposed to the Iranian regime in order to take control of their devices and, using the information gathered from them, arrest them.

Appendix
Activity performed by the virus

"28/11/2018 19:40:4.205","process","created","C:\WINDOWS\explorer.exe","C:\Documents and Settings\foren\Desktop\www.payvand.com"
"28/11/2018 19:40:4.502","file","Delete","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\__tmp_rar_sfx_access_check_37185031"
"28/11/2018 19:40:4.549","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\p1.key"
"28/11/2018 19:40:4.564","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.564","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.580","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.596","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.596","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.596","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.596","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.627","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.627","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.627","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.627","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.627","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.643","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\i6104.dll"
"28/11/2018 19:40:4.658","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.674","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.689","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.736","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.736","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.736","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.783","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.783","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.783","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.830","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.830","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.830","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.877","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.877","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.877","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.924","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.924","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.924","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.971","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.971","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:4.971","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.18","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.18","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.18","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.64","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.64","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.64","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.111","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.127","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.127","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.174","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.174","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.174","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.205","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.205","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.205","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.205","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\d411"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.221","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.236","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.236","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.236","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.236","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.236","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.236","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.236","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.236","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.236","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.236","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.252","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.268","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.283","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.283","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.283","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.283","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.283","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.283","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.283","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.283","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.283","file","Write","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\Documents and Settings\foren\Local Settings\Temp\tmp4894\r.bmp"
"28/11/2018 19:40:5.393","registry","DeleteValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"
"28/11/2018 19:40:5.393","registry","DeleteValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"
"28/11/2018 19:40:5.393","registry","DeleteValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName"
"28/11/2018 19:40:5.393","registry","DeleteValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName"
"28/11/2018 19:40:5.393","registry","SetValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet"
"28/11/2018 19:40:5.393","registry","SetValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect"
"28/11/2018 19:40:5.393","registry","DeleteValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"
"28/11/2018 19:40:5.393","registry","DeleteValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"
"28/11/2018 19:40:5.393","registry","DeleteValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName"
"28/11/2018 19:40:5.393","registry","DeleteValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName"
"28/11/2018 19:40:5.393","registry","SetValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet"
"28/11/2018 19:40:5.393","registry","SetValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect"
"28/11/2018 19:40:5.393","registry","SetValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache"
"28/11/2018 19:40:5.393","registry","SetValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies"
"28/11/2018 19:40:5.424","registry","SetValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6d51c670-9c94-11e8-b758-806d6172696f}\BaseClass"
"28/11/2018 19:40:5.424","registry","SetValueKey","C:\Documents and Settings\foren\Desktop\www.payvand.com","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6d51c66e-9c94-11e8-b758-806d6172696f}\BaseClass"
"28/11/2018 19:40:5.471","process","created","C:\Documents and Settings\foren\Desktop\www.payvand.com","C:\WINDOWS\system32\rundll32.exe"
"28/11/2018 19:40:5.705","process","terminated","C:\WINDOWS\explorer.exe","C:\Documents and Settings\foren\Desktop\www.payvand.com"
"28/11/2018 19:40:6.158","registry","SetValueKey","C:\Program Files\Internet Explorer\IEXPLORE.EXE","HKCU\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags"
"28/11/2018 19:40:6.158","registry","DeleteValueKey","C:\Program Files\Internet Explorer\IEXPLORE.EXE","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"
"28/11/2018 19:40:6.158","registry","DeleteValueKey","C:\Program Files\Internet Explorer\IEXPLORE.EXE","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName"

“28/11/2018 19:40:6.158″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass”

“28/11/2018 19:40:6.158″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName”

“28/11/2018 19:40:6.158″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass”

“28/11/2018 19:40:6.158″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName”

“28/11/2018 19:40:6.346″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\Recovery\Active\{05D15B66-F33D-11E8-942F-000C298EBEFB}”

“28/11/2018 19:40:6.346″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\temp\ran2″

“28/11/2018 19:40:6.377″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\Enable”

“28/11/2018 19:40:6.408″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version”

“28/11/2018 19:40:6.439″,”registry”,”DeleteValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass”

“28/11/2018 19:40:6.439″,”registry”,”DeleteValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass”

“28/11/2018 19:40:6.439″,”registry”,”DeleteValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName”

“28/11/2018 19:40:6.439″,”registry”,”DeleteValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName”

“28/11/2018 19:40:6.439″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet”

“28/11/2018 19:40:6.439″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect”

“28/11/2018 19:40:6.439″,”registry”,”DeleteValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass”

“28/11/2018 19:40:6.439″,”registry”,”DeleteValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass”

“28/11/2018 19:40:6.439″,”registry”,”DeleteValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName”

“28/11/2018 19:40:6.439″,”registry”,”DeleteValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName”

“28/11/2018 19:40:6.439″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet”

“28/11/2018 19:40:6.439″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect”

“28/11/2018 19:40:6.439″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache”

“28/11/2018 19:40:6.439″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies”

“28/11/2018 19:40:6.455″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6d51c670-9c94-11e8-b758-806d6172696f}\BaseClass”

“28/11/2018 19:40:6.455″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6d51c66e-9c94-11e8-b758-806d6172696f}\BaseClass”

“28/11/2018 19:40:6.502″,”process”,”created”,”C:\WINDOWS\system32\rundll32.exe”,”C:\WINDOWS\system32\cmd.exe”

“28/11/2018 19:40:6.518″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop”

“28/11/2018 19:40:6.533″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Start Menu”

“28/11/2018 19:40:6.533″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Start Menu”

“28/11/2018 19:40:6.549″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop”

“28/11/2018 19:40:6.549″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData”

“28/11/2018 19:40:6.549″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData”

“28/11/2018 19:40:6.564″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Pictures”

“28/11/2018 19:40:6.596″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal”

“28/11/2018 19:40:6.627″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonPictures”

“28/11/2018 19:40:6.674″,”process”,”created”,”C:\WINDOWS\system32\cmd.exe”,”C:\WINDOWS\system32\reg.exe”

“28/11/2018 19:40:6.627″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents”

“28/11/2018 19:40:6.643″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonMusic”

“28/11/2018 19:40:6.658″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\rundll32.exe”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonVideo”

“28/11/2018 19:40:6.705″,”process”,”terminated”,”C:\Documents and Settings\foren\Desktop\www.payvand.com”,”C:\WINDOWS\system32\rundll32.exe”

“28/11/2018 19:40:6.658″,”file”,”Write”,”C:\WINDOWS\system32\rundll32.exe”,”C:\Documents and Settings\All Users\Application Data\jg.lnk”

“28/11/2018 19:40:6.830″,”process”,”terminated”,”C:\WINDOWS\system32\cmd.exe”,”C:\WINDOWS\system32\reg.exe”

“28/11/2018 19:40:6.830″,”process”,”terminated”,”C:\WINDOWS\system32\rundll32.exe”,”C:\WINDOWS\system32\cmd.exe”

“28/11/2018 19:40:6.814″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version”

“28/11/2018 19:40:6.830″,”registry”,”SetValueKey”,”C:\WINDOWS\system32\reg.exe”,”HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run”

“28/11/2018 19:40:7.64″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass”

“28/11/2018 19:40:7.64″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName”

“28/11/2018 19:40:7.64″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass”

“28/11/2018 19:40:7.64″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName”

“28/11/2018 19:40:7.80″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass”

“28/11/2018 19:40:7.80″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName”

“28/11/2018 19:40:10.49″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\Main\IE8RunOnceLastShown”

“28/11/2018 19:40:10.49″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\Main\IE8RunOnceLastShown_TIMESTAMP”

“28/11/2018 19:40:15.486″,”file”,”Write”,”System”,”C:\Documents and Settings\All Users\Application Data\jg.lnk”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Path”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Handler”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\FeedUrl”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayName”

“28/11/2018 19:40:16.627″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\ErrorState”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayMask”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Path”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Handler”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\FeedUrl”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\DisplayName”

“28/11/2018 19:40:16.627″,”registry”,”DeleteValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Expiration”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\ErrorState”

“28/11/2018 19:40:16.627″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\DisplayMask”

“28/11/2018 19:40:16.674″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayName”

“28/11/2018 19:40:16.674″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\DisplayMask”

“28/11/2018 19:40:16.674″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\ErrorState”

“28/11/2018 19:40:16.674″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration”

“28/11/2018 19:40:16.705″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\DisplayName”

“28/11/2018 19:40:16.705″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\DisplayMask”

“28/11/2018 19:40:16.705″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\ErrorState”

“28/11/2018 19:40:16.705″,”registry”,”SetValueKey”,”C:\Program Files\Internet Explorer\IEXPLORE.EXE”,”HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Expiration”


Strings extracted from the www[.]payvand[.]com file. Several of them (RarSFX, Software\WinRAR SFX, winrarsfxmappingfile.tmp, __tmp_rar_sfx_access_check_%u and the -el -s2 command line) are standard strings of the WinRAR self-extracting (SFX) module, which indicates that the dropper was packaged as a WinRAR SFX archive.

jjjjjj

???

SeRestorePrivilege

SeSecurityPrivilege

r%.*s(%d)%s

rtmp%d

?*|"

%c:\

rar

sfx

exe

.rar

*messages***

%08x

LTR

RTL

Crypt32.dll

RarSFX

%s %s

%s %s %s

REPLACEFILEDLG

RENAMEDLG

GETPASSWORD1

ASKNEXTVOL

Software\WinRAR SFX

STATIC

.exe

Install

.inf

.lnk

%s%s%d

ProgramFilesDir

Software\Microsoft\Windows\CurrentVersion

%s.%d.tmp

Delete

Text

Title

Path

Silent

Overwrite

Setup

TempMode

License

Presetup

Shortcut

SavePath

Update

SetupCode

LICENSEDLG

"%s"

runas

winrarsfxmappingfile.tmp

-el -s2 "-d%s" "-p%s" "-sp%s"

__tmp_rar_sfx_access_check_%u

STARTDLG

sfxname

sfxcmd

kernel32

A
