Posted Sep 08, 2019, 02:34 PM

* ID: 1310
* MalFamily: "Nanocore"
* MalScore: 10.0
* File Name: "Exes_3a3d8f2ab075fc4f6f4459b990122893.exe"
* File Size: 1418533
* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
* SHA256: "2d24a45f5f85c0bfc188f4ccdd3fe76fe01a5380206eac7f2aff58bee2461aab"
* MD5: "3a3d8f2ab075fc4f6f4459b990122893"
* SHA1: "c90e5ba80f7094d0d7fc26de275d37e2b1595793"
* SHA512: "9c915b840c32b405df9bbd3c3d237ed7477676f631e2ba047ffd5ad3ca4eca3dcb2a7f319de8c803f87c72c0edcba3dd913c8481e5080d9e424f6b858797662e"
* CRC32: "22419E4F"
* SSDEEP: "24576:8NA3R5drXgJ2tpFEhaxEeD8+N79kpOw/hu0n7ybw1ju1h6LId7nT1RMwaMm3CfBH:95E2vX1HN79k0Ou0QQS1h6LIdzTXM76x"

* Process Execution:
  "38p47io7S3g3K7P.exe",
  "wscript.exe",
  "ihb.exe",
  "RegSvcs.exe"

* Executed Commands:
  "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cmw.vbs\"",
  "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cmw.vbs ",
  "\"C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe\" glb=cwb",
  "ihb.exe glb=cwb"
* Signatures Detected:

  "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  "Details":

  "Description": "Behavioural detection: Executable code extraction",
  "Details":

  "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  "Details":
    "IP_ioc": "41.189.44.89:2016 (Cote D'Ivoire)"
    (41.189.44.89 is the address bloc2020.ddns.net resolved to during this run, see DNS Communications below; "dead" means port 2016 did not answer while the sample was being analysed, not that the address is benign)

  "Description": "Guard pages use detected - possible anti-debugging.",
  "Details":

  "Description": "Detected script timer window indicative of sleep style evasion",
  "Details":
    "Window": "WSH-Timer"

  "Description": "A process attempted to delay the analysis task.",
  "Details":
    "Process": "RegSvcs.exe tried to sleep 814 seconds, actually delayed analysis time by 0 seconds"

  "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  "Details":
    "ioc": "v2.0.50727"
    (this is the .NET Framework 2.0 runtime version string picked up from the RegSvcs.exe host process, not a network indicator)
  "Description": "Reads data out of its own binary image",
  "Details":
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00000000, length: 0x00000007"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00000000, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00000007, length: 0x0015a51e"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00001ff0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00003fe0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00005fd0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00007fc0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00009fb0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0000bfa0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0000df90, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0000ff80, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00011f70, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00013f60, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00015f50, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00017f40, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00019f30, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0001bf20, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0001df10, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0001ff00, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00021ef0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00023ee0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00025ed0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00027ec0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00029eb0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0002bea0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0002de90, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0002fe80, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00031e70, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00033e60, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00035e50, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00037e40, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00039e30, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0003be20, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0003de10, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0003fe00, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00041df0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00043de0, length: 0x00002000"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00045600, length: 0x0010e97e"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154134, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015433f, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154548, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154725, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154919, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154b1c, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154d0e, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00154ee9, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001550e4, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001552c2, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001554ed, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001556c1, length: 0x00000029"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001558b8, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00155ab9, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00155c82, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00155e5d, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015604c, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015624d, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00156424, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00156647, length: 0x00000029"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015686e, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00156a5d, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00156c55, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00156e4a, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157065, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015727f, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157450, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157626, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001577fc, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001579d1, length: 0x00000027"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157bad, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157da0, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00157fa3, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015817c, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158361, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015854a, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158730, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158919, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158b21, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158cf4, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00158ef1, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001590df, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001592cc, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x001594a3, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00159679, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015986c, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00159a4e, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00159c49, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x00159e5a, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015a028, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015a22b, length: 0x00000028"
    "self_read": "process: 38p47io7S3g3K7P.exe, pid: 2540, offset: 0x0015a434, length: 0x0000001b"
    "self_read": "process: wscript.exe, pid: 1504, offset: 0x00000000, length: 0x00000040"
    "self_read": "process: wscript.exe, pid: 1504, offset: 0x000000f0, length: 0x00000018"
    "self_read": "process: wscript.exe, pid: 1504, offset: 0x000001e8, length: 0x00000078"
    "self_read": "process: wscript.exe, pid: 1504, offset: 0x00018000, length: 0x00000020"
    "self_read": "process: wscript.exe, pid: 1504, offset: 0x00018058, length: 0x00000018"
    "self_read": "process: wscript.exe, pid: 1504, offset: 0x000181a8, length: 0x00000018"
    "self_read": "process: wscript.exe, pid: 1504, offset: 0x00018470, length: 0x00000010"
    "self_read": "process: wscript.exe, pid: 1504, offset: 0x00018640, length: 0x00000012"
    "self_read": "process: RegSvcs.exe, pid: 3036, offset: 0x00000000, length: 0x00001000"
    "self_read": "process: RegSvcs.exe, pid: 3036, offset: 0x00000080, length: 0x00000200"
    "self_read": "process: RegSvcs.exe, pid: 3036, offset: 0x00000178, length: 0x00000200"
    "self_read": "process: RegSvcs.exe, pid: 3036, offset: 0x00005b20, length: 0x00000200"
    "self_read": "process: RegSvcs.exe, pid: 3036, offset: 0x00005b3c, length: 0x00000200"
    (the 0x0015a51e-byte read from offset 7 covers the rest of the 1418533-byte file (1418533 - 7 = 0x15a51e), and the 0x2000-byte reads advance by 0x1ff0, i.e. 8 KiB windows overlapping by 16 bytes; both are consistent with the SFX stub scanning its own image for the appended archive before extracting it)
  "Description": "A scripting utility was executed",
  "Details":
    "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cmw.vbs\""

  "Description": "Behavioural detection: Injection (Process Hollowing)",
  "Details":
    "Injection": "ihb.exe(2796) -> RegSvcs.exe(3036)"

  "Description": "Executed a process and injected code into it, probably while unpacking",
  "Details":
    "Injection": "ihb.exe(2796) -> RegSvcs.exe(3036)"

  "Description": "Behavioural detection: Injection (inter-process)",
  "Details":

  "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
  "Details":

  "Description": "Installs itself for autorun at Windows startup",
  "Details":
    "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windowsxxxxxxcccd"
    "data": "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\GLB_CW~1"
    (GLB_CW~1 is the 8.3 short name of the dropped file glb=cwb, the script argument ihb.exe was launched with, so this Run value re-runs "ihb.exe glb=cwb" at every logon; it is the persistence artifact to look for on other hosts)

  "Description": "Exhibits behavior characteristic of Nanocore RAT",
  "Details":

  "Description": "Stack pivoting was detected when using a critical API",
  "Details":
    "process": "38p47io7S3g3K7P.exe:2540"

  "Description": "Creates a hidden or system file",
  "Details":
    "file": "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe"
    "file": "C:\\Users\\user\\AppData\\Local\\Temp\\00881883"
    "file": "C:\\Users\\user\\temp"

  "Description": "File has been identified by 25 Antiviruses on VirusTotal as malicious",
  "Details":
    "K7AntiVirus": "Riskware ( 0040eff71 )"
    "K7GW": "Riskware ( 0040eff71 )"
    "Cybereason": "malicious.80f709"
    "APEX": "Malicious"
    "ClamAV": "Win.Malware.Mycop-6983471-0"
    "Kaspersky": "HEUR:Trojan-Dropper.Win32.Generic"
    "Invincea": "heuristic"
    "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.tc"
    "Trapmine": "suspicious.low.ml.score"
    "FireEye": "Generic.mg.3a3d8f2ab075fc4f"
    "Cyren": "W32/AutoIt.EN.gen!Eldorado"
    "Avira": "DR/AutoIt.Gen"
    "Antiy-AVL": "TrojanArcBomb/Win32.Agent"
    "Microsoft": "Trojan:Win32/AutoitInject.BI!MTB"
    "AegisLab": "Trojan.BAT.Crypter.tqa8"
    "ZoneAlarm": "HEUR:Trojan-Dropper.Win32.Generic"
    "AhnLab-V3": "Malware/Win32.RL_Generic.R286428"
    "Malwarebytes": "Trojan.MalPack.AISFX"
    "Zoner": "Probably RARAutorun"
    "ESET-NOD32": "VBS/Runner.NHZ"
    "Rising": "Trojan.Pack-RAR!1.BB61 (CLASSIC)"
    "Yandex": "Trojan.Agent!nS7qVYN4VgU"
    "Fortinet": "W32/Generic.AC.45A0E1!tr"
    "CrowdStrike": "win/malicious_confidence_80% (D)"
    "Qihoo-360": "HEUR/QVM10.1.BB1B.Malware.Gen"

  "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  "Details":
    "target": "clamav:Win.Malware.Mycop-6983471-0, sha256:2d24a45f5f85c0bfc188f4ccdd3fe76fe01a5380206eac7f2aff58bee2461aab, type:PE32 executable (GUI) Intel 80386, for MS Windows"
    "dropped": "clamav:Win.Trojan.Autoit-6922942-0, sha256:fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b, guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"

  "Description": "Drops a binary and executes it",
  "Details":
    "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe"

  "Description": "Collects information to fingerprint the system",
  "Details":
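The signatures above record a single chain: the RAR SFX (38p47io7S3g3K7P.exe) unpacks into %TEMP%\00881883, runs cmw.vbs through WScript.exe, which starts the dropped AutoIt interpreter ihb.exe with the script glb=cwb; ihb.exe hollows the .NET tool RegSvcs.exe with the NanoCore payload and writes a Run value pointing back at ihb.exe in %TEMP%, and the hollowed RegSvcs.exe resolves bloc2020.ddns.net and connects to 41.189.44.89:2016. The Python below is an added example, not part of this sandbox report: it turns those four stages into detection rules and runs them over constructed Sysmon-style events that mirror the report. The RegSvcs.exe install path, the allow-list of legitimate RegSvcs.exe parents and the two benign control events at the end of the sample are assumptions.

```python
"""Detection rules for the chain in this report, run over constructed Sysmon-style events.

Added example, not part of the sandbox output. Paths, Run key, domain and IP:port come
from the report; the RegSvcs.exe install path, the legitimate-parent allow-list and the
two benign control events are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, int, str]          # (rule name, index of the event, detail)

# Indicators lifted from the report.
C2_DOMAIN = "bloc2020.ddns.net"
C2_SOCKET = ("41.189.44.89", 2016)
HOLLOWED_HOST = "regsvcs.exe"           # .NET SDK tool the AutoIt loader hollowed
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DYNDNS_SUFFIXES = (".ddns.net",)        # provider seen here; extend from your threat intel
# Assumption: parents from which RegSvcs.exe is launched legitimately in your estate.
LEGIT_REGSVCS_PARENTS = {"devenv.exe", "msbuild.exe", "installutil.exe", "msiexec.exe"}

# %TEMP% and the odd C:\Users\<user>\temp directory the report shows being created.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\(appdata\\local\\temp|temp)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def first_path_token(cmdline: str) -> str:
    """Executable path from a command line: the quoted form, or up to the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def detect(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        kind = ev["event"]
        if kind == "process_create":
            image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["command_line"]
            # Stage 1: a script host running a .vbs dropped into a user temp directory.
            if image in SCRIPT_HOSTS and USER_TEMP.search(cmd) and SCRIPT_EXT.search(cmd):
                findings.append(("script_host_from_temp", i, cmd))
            # Stage 2: RegSvcs.exe started by something other than a build tool, or by
            # anything living in a temp directory (the hollowing parent ihb.exe here).
            if image == HOLLOWED_HOST and (parent not in LEGIT_REGSVCS_PARENTS
                                           or USER_TEMP.search(ev["parent_image"])):
                findings.append(("regsvcs_unexpected_parent", i, ev["parent_image"]))
        elif kind == "registry_set":
            # Stage 3: Run-key persistence whose executable sits in a temp directory.
            if RUN_KEY.search(ev["key"]) and USER_TEMP.search(first_path_token(ev["data"])):
                findings.append(("run_key_points_to_temp", i, ev["key"]))
        elif kind == "dns_query":
            q = ev["query"].lower()
            # Stage 4: the hollowed host resolving a dynamic-DNS name, plus the exact IOC.
            if q.endswith(DYNDNS_SUFFIXES) and basename(ev["image"]) == HOLLOWED_HOST:
                findings.append(("dyndns_from_regsvcs", i, q))
            if q == C2_DOMAIN:
                findings.append(("known_c2_domain", i, q))
        elif kind == "network_connect":
            if (ev["dst_ip"], int(ev["dst_port"])) == C2_SOCKET:
                findings.append(("known_c2_socket", i, f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return findings


STAGE_OF = {"script_host_from_temp": 1, "regsvcs_unexpected_parent": 2, "run_key_points_to_temp": 3,
            "dyndns_from_regsvcs": 4, "known_c2_domain": 4, "known_c2_socket": 4}


def chain_score(findings: List[Finding]) -> int:
    """How many of the four stages (script, hollowing, persistence, C2) were observed."""
    return len({STAGE_OF[rule] for rule, _, _ in findings})


# Constructed telemetry mirroring the report (RegSvcs.exe path is an assumption).
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
IHB = r"C:\Users\user\AppData\Local\Temp\00881883\ihb.exe"
SAMPLE_EVENTS: List[Event] = [
    {"event": "process_create", "image": r"C:\Users\user\AppData\Local\Temp\38p47io7S3g3K7P.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": r"C:\Users\user\AppData\Local\Temp\38p47io7S3g3K7P.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\38p47io7S3g3K7P.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\00881883\cmw.vbs"'},
    {"event": "process_create", "image": IHB, "parent_image": r"C:\Windows\System32\WScript.exe",
     "command_line": r'"C:\Users\user\AppData\Local\Temp\00881883\ihb.exe" glb=cwb'},
    {"event": "process_create", "image": REGSVCS, "parent_image": IHB, "command_line": REGSVCS},
    {"event": "registry_set", "image": IHB,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windowsxxxxxxcccd",
     "data": r"C:\Users\user\AppData\Local\Temp\00881883\ihb.exe C:\Users\user\AppData\Local\Temp\00881883\GLB_CW~1"},
    {"event": "dns_query", "image": REGSVCS, "query": "bloc2020.ddns.net"},
    {"event": "network_connect", "image": REGSVCS, "dst_ip": "41.189.44.89", "dst_port": "2016"},
    # Benign controls (constructed): a developer's RegSvcs.exe run and an ordinary browser lookup.
    {"event": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "command_line": "RegSvcs.exe MyComponent.dll"},
    {"event": "dns_query", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, idx, detail in hits:
        print(f"event {idx}: {rule}: {detail}")
    print("stages observed:", chain_score(hits))
```

Rules 2 and 3 are the ones worth carrying into production: RegSvcs.exe spawned from a user-writable directory, and a Run value whose target lives under %TEMP%, both fire without any knowledge of this sample's domain or IP, whereas the `known_c2_*` rules only catch this exact configuration.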
563
564* Started Service:
565
566* Mutexes:
567 "DefaultTabtip-MainUI",
568 "Local\\ZoneAttributeCacheCounterMutex",
569 "Local\\ZonesCacheCounterMutex",
570 "Local\\ZonesLockedCacheCounterMutex",
571 "Global\\CLR_PerfMon_WrapMutex",
572 "Global\\CLR_CASOFF_MUTEX",
573 "Global\\c54fcd61-c763-48a4-a02b-9edc721c5ec9",
574 "Global\\.net clr networking"
575
576
577* Modified Files:
578 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\__tmp_rar_sfx_access_check_26294765",
579 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cqe.mp3",
580 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\glb=cwb",
581 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cmw.vbs",
582 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ihb.exe",
583 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\gtb.dll",
584 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\krh.exe",
585 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cim.xl",
586 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\vcu.ini",
587 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\bak.dat",
588 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\qgu.jpg",
589 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\csk.ppt",
590 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\qox.ico",
591 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\jwe.icm",
592 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\kes.ini",
593 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\hdk.docx",
594 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dfo.exe",
595 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\nhe.pdf",
596 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ntv.jpg",
597 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\jho.mp3",
598 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\gol.dll",
599 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cak.mp3",
600 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\pob.mp3",
601 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\gme.dat",
602 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\wpg.dat",
603 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\gfu.txt",
604 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\bem.ppt",
605 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\oxn.txt",
606 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dxo.jpg",
607 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dde.xml",
608 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\uja.ico",
609 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\gpl.xml",
610 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\jct.mp3",
611 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\rdi.docx",
612 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\jho.ico",
613 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\uqc.cpl",
614 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\vjj.bmp",
615 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\mwl.msc",
616 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\kvo.bin",
617 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\wvi.icm",
618 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dex.icm",
619 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ntr.docx",
620 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\qdb.exe",
621 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\aat.pdf",
622 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\mvl.xls",
623 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\evw.dll",
624 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\lhv.mp3",
625 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\fxr.icm",
626 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cwh.bin",
627 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\trg.bmp",
628 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dof.ini",
629 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\mcp.xl",
630 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\tpi.icm",
631 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\rpa.jpg",
632 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\cdw.msc",
633 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\tkg.mp3",
634 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\awg.icm",
635 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\omt.msc",
636 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\brv.txt",
637 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\fgk.dll",
638 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\njk.xls",
639 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\dnk.xls",
640 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\rvl.xml",
641 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ktl.txt",
642 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\pfm.log",
643 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\oqx.msc",
644 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\xnj.xls",
645 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\rwf.msc",
646 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ssh.log",
647 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\jfh.mp3",
648 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\nqm.cpl",
649 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\xap.bin",
650 "C:\\Users\\user\\AppData\\Local\\Temp\\00881883\\ecn.log",
651 "C:\\Users\\user\\temp\\cqe.mp3",
652 "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat"
653
654
655* Deleted Files:
656
657* Modified Registry Keys:
658 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
659 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
660 "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
661 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Windowsxxxxxxcccd"
662
663
664* Deleted Registry Keys:
665 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
666 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
667 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
668 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
669
670
671* DNS Communications:
672
673 "type": "A",
674 "request": "bloc2020.ddns.net",
675 "answers":
676
677 "data": "41.189.44.89",
678 "type": "A"
679
680
681
682
683
684* Domains:
685
686 "ip": "41.189.44.89",
687 "domain": "bloc2020.ddns.net"
688
689
690
691* Network Communication - ICMP:
692
693* Network Communication - HTTP:
694
695* Network Communication - SMTP:
696
697* Network Communication - Hosts:
698
699 "country_name": "Cote D'Ivoire",
700 "ip": "41.189.44.89",
701 "inaddrarpa": "",
702 "hostname": "bloc2020.ddns.net"
703
704
705
706* Network Communication - IRC: