· 6 years ago · Oct 07, 2019, 12:46 PM
1
2* ID: 4221
3* MalFamily: "Nanocore"
4
5* MalScore: 10.0
6
7* File Name: "NanoCore_6282458b94ca8bc08801d124c4224ff1.exe"
8* File Size: 1443838
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "de01b6a27d4eba814fe3ce5084cfc23fdeeb47d50f8bec5a973578e66b768a48"
11* MD5: "6282458b94ca8bc08801d124c4224ff1"
12* SHA1: "ec13b6b38599fbacc42f6cd11a94d3dc52cf3305"
13* SHA512: "1895487421339bce9b85b6c994490d3dea45bd7ed5d9ea442eb0492519ed15b2cd9c71ac45e332a0fd8d91b6076059e3760b2036a2275d8c6259da3ce15c29fd"
14* CRC32: "FC5FE2BA"
15* SSDEEP: "24576:bNA3R5drXUEC2ZAMXfgdjNAadRaShUkBnL111MD5rThQZhf6Ipp8QgHz+Cu1h6Lb:G5UECKAMXfgpAI5BnL3eD5/hQZB6DQgV"
16
17* Process Execution:
18 "DdbXcVwyg.exe",
19 "wscript.exe",
20 "xrfq.exe",
21 "RegSvcs.exe",
22 "schtasks.exe",
23 "svchost.exe"
24
25
26* Executed Commands:
27 "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\csweath.vbs\"",
28 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\csweath.vbs ",
29 "\"C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\xrfq.exe\" smqujemen.bcs",
30 "xrfq.exe smqujemen.bcs",
31 "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp2529.tmp\""
32
33
34* Signatures Detected:
35
36 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
37 "Details":
38
39
40 "Description": "Behavioural detection: Executable code extraction",
41 "Details":
42
43
44 "Description": "Guard pages use detected - possible anti-debugging.",
45 "Details":
46
47
48 "Description": "Detected script timer window indicative of sleep style evasion",
49 "Details":
50
51 "Window": "WSH-Timer"
56 "Description": "A process attempted to delay the analysis task.",
57 "Details":
58
59 "Process": "RegSvcs.exe tried to sleep 1018 seconds, actually delayed analysis time by 0 seconds"
64 "Description": "At least one IP Address, Domain, or File Name was found in a crypto call (note: the only value flagged is 'v2.0.50727', which is the .NET Framework version directory of the RegSvcs.exe used as the hollowing target, so this hit is most likely a benign version string / false positive rather than a real IOC)",
65 "Details":
66
67 "ioc": "v2.0.50727"
72 "Description": "Reads data out of its own binary image",
73 "Details":
74
75 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00000000, length: 0x00000007"
76
77
78 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00000000, length: 0x00002000"
79
80
81 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00000007, length: 0x001607f7"
82
83
84 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00001ff0, length: 0x00002000"
85
86
87 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00003fe0, length: 0x00002000"
88
89
90 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00005fd0, length: 0x00002000"
91
92
93 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00007fc0, length: 0x00002000"
94
95
96 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00009fb0, length: 0x00002000"
97
98
99 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0000bfa0, length: 0x00002000"
100
101
102 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0000df90, length: 0x00002000"
103
104
105 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0000ff80, length: 0x00002000"
106
107
108 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00011f70, length: 0x00002000"
109
110
111 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00013f60, length: 0x00002000"
112
113
114 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00015f50, length: 0x00002000"
115
116
117 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00017f40, length: 0x00002000"
118
119
120 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00019f30, length: 0x00002000"
121
122
123 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0001bf20, length: 0x00002000"
124
125
126 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0001df10, length: 0x00002000"
127
128
129 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0001ff00, length: 0x00002000"
130
131
132 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00021ef0, length: 0x00002000"
133
134
135 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00023ee0, length: 0x00002000"
136
137
138 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00025ed0, length: 0x00002000"
139
140
141 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00027ec0, length: 0x00002000"
142
143
144 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00029eb0, length: 0x00002000"
145
146
147 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0002bea0, length: 0x00002000"
148
149
150 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0002de90, length: 0x00002000"
151
152
153 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0002fe80, length: 0x00002000"
154
155
156 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00031e70, length: 0x00002000"
157
158
159 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00033e60, length: 0x00002000"
160
161
162 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00035e50, length: 0x00002000"
163
164
165 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00037e40, length: 0x00002000"
166
167
168 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00039e30, length: 0x00002000"
169
170
171 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0003be20, length: 0x00002000"
172
173
174 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0003de10, length: 0x00002000"
175
176
177 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0003fe00, length: 0x00002000"
178
179
180 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00041df0, length: 0x00002000"
181
182
183 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00043de0, length: 0x00002000"
184
185
186 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00045dd0, length: 0x00002000"
187
188
189 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00047dc0, length: 0x00002000"
190
191
192 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00049db0, length: 0x00002000"
193
194
195 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0004bda0, length: 0x00002000"
196
197
198 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0004dd90, length: 0x00002000"
199
200
201 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0004fd80, length: 0x00002000"
202
203
204 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00050a00, length: 0x00109e04"
205
206
207 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015a9b4, length: 0x0000002d"
208
209
210 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015ab8f, length: 0x0000002b"
211
212
213 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015ad7b, length: 0x0000002f"
214
215
216 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015af59, length: 0x0000002f"
217
218
219 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015b133, length: 0x0000002a"
220
221
222 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015b334, length: 0x0000002f"
223
224
225 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015b51b, length: 0x0000002b"
226
227
228 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015b6f5, length: 0x0000002a"
229
230
231 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015b8db, length: 0x0000002f"
232
233
234 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015bad2, length: 0x0000002d"
235
236
237 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015bcdb, length: 0x00000029"
238
239
240 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015beda, length: 0x0000002a"
241
242
243 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015c120, length: 0x0000002d"
244
245
246 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015c309, length: 0x0000002e"
247
248
249 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015c4f3, length: 0x00000029"
250
251
252 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015c6d7, length: 0x0000002d"
253
254
255 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015c8e9, length: 0x0000002e"
256
257
258 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015cb13, length: 0x0000002a"
259
260
261 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015cce4, length: 0x0000002c"
262
263
264 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015cf0b, length: 0x0000002c"
265
266
267 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015d12a, length: 0x0000002e"
268
269
270 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015d334, length: 0x0000002a"
271
272
273 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015d523, length: 0x00000029"
274
275
276 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015d6f6, length: 0x00000029"
277
278
279 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015d8c6, length: 0x0000002c"
280
281
282 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015dad3, length: 0x0000002f"
283
284
285 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015dcb2, length: 0x0000002b"
286
287
288 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015deaa, length: 0x0000002f"
289
290
291 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015e09a, length: 0x0000002a"
292
293
294 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015e27d, length: 0x0000002d"
295
296
297 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015e454, length: 0x0000002a"
298
299
300 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015e62b, length: 0x0000002b"
301
302
303 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015e7ff, length: 0x0000002d"
304
305
306 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015ea03, length: 0x0000002b"
307
308
309 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015ebe2, length: 0x0000002a"
310
311
312 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015eddd, length: 0x0000002e"
313
314
315 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015effd, length: 0x0000002f"
316
317
318 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015f1f6, length: 0x0000002d"
319
320
321 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015f3e0, length: 0x0000002e"
322
323
324 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015f5b3, length: 0x0000002c"
325
326
327 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015f7a1, length: 0x0000002a"
328
329
330 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015f9b0, length: 0x0000002c"
331
332
333 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015fbb2, length: 0x0000002e"
334
335
336 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015fd94, length: 0x0000002f"
337
338
339 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x0015ff77, length: 0x0000002e"
340
341
342 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00160149, length: 0x0000002f"
343
344
345 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00160353, length: 0x0000002c"
346
347
348 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x00160531, length: 0x0000002e"
349
350
351 "self_read": "process: DdbXcVwyg.exe, pid: 3068, offset: 0x001606fd, length: 0x0000001b"
352
353
354 "self_read": "process: wscript.exe, pid: 2312, offset: 0x00000000, length: 0x00000040"
355
356
357 "self_read": "process: wscript.exe, pid: 2312, offset: 0x000000f0, length: 0x00000018"
358
359
360 "self_read": "process: wscript.exe, pid: 2312, offset: 0x000001e8, length: 0x00000078"
361
362
363 "self_read": "process: wscript.exe, pid: 2312, offset: 0x00018000, length: 0x00000020"
364
365
366 "self_read": "process: wscript.exe, pid: 2312, offset: 0x00018058, length: 0x00000018"
367
368
369 "self_read": "process: wscript.exe, pid: 2312, offset: 0x000181a8, length: 0x00000018"
370
371
372 "self_read": "process: wscript.exe, pid: 2312, offset: 0x00018470, length: 0x00000010"
373
374
375 "self_read": "process: wscript.exe, pid: 2312, offset: 0x00018640, length: 0x00000012"
376
377
378 "self_read": "process: RegSvcs.exe, pid: 2508, offset: 0x00000000, length: 0x00001000"
379
380
381 "self_read": "process: RegSvcs.exe, pid: 2508, offset: 0x00000080, length: 0x00000200"
382
383
384 "self_read": "process: RegSvcs.exe, pid: 2508, offset: 0x00000178, length: 0x00000200"
385
386
387 "self_read": "process: RegSvcs.exe, pid: 2508, offset: 0x00005b20, length: 0x00000200"
388
389
390 "self_read": "process: RegSvcs.exe, pid: 2508, offset: 0x00005b3c, length: 0x00000200"
394
395 "Description": "A process created a hidden window",
396 "Details":
397
398 "Process": "RegSvcs.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp2529.tmp\""
403 "Description": "A scripting utility was executed",
404 "Details":
405
406 "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\csweath.vbs\""
411 "Description": "Uses Windows utilities for basic functionality",
412 "Details":
413
414 "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp2529.tmp\""
419 "Description": "Behavioural detection: Injection (Process Hollowing)",
420 "Details":
421
422 "Injection": "xrfq.exe(2296) -> RegSvcs.exe(2508)"
427 "Description": "Executed a process and injected code into it, probably while unpacking",
428 "Details":
429
430 "Injection": "xrfq.exe(2296) -> RegSvcs.exe(2508)"
435 "Description": "Attempts to remove evidence of file being downloaded from the Internet (the Zone.Identifier stream removed belongs to the legitimate .NET RegSvcs.exe that xrfq.exe hollows, not to the dropped sample itself)",
436 "Details":
437
438 "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier"
443 "Description": "Behavioural detection: Injection (inter-process)",
444 "Details":
445
446
447 "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
448 "Details":
449
450
451 "Description": "Attempts to execute a Living Off The Land Binary (LOLBin) command for post-exploitation",
452 "Details":
453
454 "MITRE T1053.005 - schtasks (Scheduled Task)": "(Tactic: Execution, Persistence, Privilege Escalation) — the report's original label T1078 (Valid Accounts) does not describe the observed schtasks.exe /create /xml behaviour; T1053.005 does"
459 "Description": "Installs itself for autorun at Windows startup (the Run value launches the dropped AutoIt runner xrfq.exe with smqujemen.bcs as its script argument; smqujemen.bcs is also listed under Deleted Files, so it may be re-dropped or the scheduled task 'DSL Subsystem' may serve as the surviving persistence — verify on a live host)",
460 "Details":
461
462 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\dfghjklkjhrtyu.exe"
463
464
465 "data": "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\xrfq.exe C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\smqujemen.bcs"
470 "Description": "Exhibits behavior characteristic of Nanocore RAT",
471 "Details":
472
473
474 "Description": "Stack pivoting was detected when using a critical API",
475 "Details":
476
477 "process": "svchost.exe:904"
482 "Description": "Creates a hidden or system file",
483 "Details":
484
485 "file": "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\xrfq.exe"
486
487
488 "file": "C:\\Users\\user\\AppData\\Local\\Temp\\23757645"
489
490
491 "file": "C:\\Users\\user\\temp"
492
496 "Description": "File has been identified by 32 Antiviruses on VirusTotal as malicious",
497 "Details":
498
499 "McAfee": "Artemis!6282458B94CA"
500
501
502 "CrowdStrike": "win/malicious_confidence_80% (W)"
503
504
505 "Alibaba": "Trojan:Win32/Starter.ali2000005"
506
507
508 "K7GW": "Riskware ( 0040eff71 )"
509
510
511 "K7AntiVirus": "Riskware ( 0040eff71 )"
512
513
514 "Cyren": "W32/Trojan.MQTJ-5716"
515
516
517 "Symantec": "Trojan.Gen.MBT"
518
519
520 "APEX": "Malicious"
521
522
523 "Paloalto": "generic.ml"
524
525
526 "ClamAV": "Win.Malware.Mycop-6983471-0"
527
528
529 "Kaspersky": "HEUR:Trojan-Dropper.Win32.Generic"
530
531
532 "Avast": "FileRepMalware"
533
534
535 "Rising": "Trojan.Pack-RAR!1.BB61 (CLASSIC)"
536
537
538 "F-Secure": "Dropper.DR/AutoIt.Gen"
539
540
541 "Invincea": "heuristic"
542
543
544 "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.tc"
545
546
547 "FireEye": "Generic.mg.6282458b94ca8bc0"
548
549
550 "Avira": "DR/AutoIt.Gen"
551
552
553 "Antiy-AVL": "TrojanArcBomb/Win32.Agent"
554
555
556 "Microsoft": "Trojan:Win32/Wacatac.B!ml"
557
558
559 "Endgame": "malicious (high confidence)"
560
561
562 "AegisLab": "Trojan.Win32.Generic.b!c"
563
564
565 "ZoneAlarm": "HEUR:Trojan-Dropper.Win32.Generic"
566
567
568 "AhnLab-V3": "Trojan/Win32.Agent.R292886"
569
570
571 "Acronis": "suspicious"
572
573
574 "Zoner": "Probably RARAutorun"
575
576
577 "Tencent": "Win32.Trojan-dropper.Generic.Wnmg"
578
579
580 "Ikarus": "Trojan.VBS.Runner"
581
582
583 "Fortinet": "W32/Generic.AC.45A0E1!tr"
584
585
586 "AVG": "FileRepMalware"
587
588
589 "Cybereason": "malicious.38599f"
590
591
592 "Qihoo-360": "HEUR/QVM10.1.5895.Malware.Gen"
597 "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
598 "Details":
599
600 "target": "clamav:Win.Malware.Mycop-6983471-0, sha256:de01b6a27d4eba814fe3ce5084cfc23fdeeb47d50f8bec5a973578e66b768a48, type:PE32 executable (GUI) Intel 80386, for MS Windows"
601
602
603 "dropped": "clamav:Win.Trojan.Autoit-6922942-0, sha256:fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b, guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\xrfq.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
608 "Description": "Drops a binary and executes it (the parent appears to be a RAR SFX archive — see __tmp_rar_sfx_access_check_* under Modified Files and the Pack-RAR / RARAutorun AV labels — which extracts an AutoIt interpreter renamed xrfq.exe, its script smqujemen.bcs and dozens of randomly named files into %TEMP%\\23757645)",
609 "Details":
610
611 "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\xrfq.exe"
616 "Description": "Collects information to fingerprint the system",
617 "Details":
621* Started Service:
622
623* Mutexes:
624 "DefaultTabtip-MainUI",
625 "Local\\ZoneAttributeCacheCounterMutex",
626 "Local\\ZonesCacheCounterMutex",
627 "Local\\ZonesLockedCacheCounterMutex",
628 "Global\\CLR_PerfMon_WrapMutex",
629 "Global\\CLR_CASOFF_MUTEX",
630 "Global\\91c5edaa-1adb-44e7-b5fb-9744c1bc0912",
631 "Global\\.net clr networking"
632
633
634* Modified Files:
635 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\__tmp_rar_sfx_access_check_20291250",
636 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\gfujvaac.txt",
637 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\smqujemen.bcs",
638 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\csweath.vbs",
639 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\xrfq.exe",
640 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\haataumm.log",
641 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\rfqqrknn.dat",
642 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\taeu.bmp",
643 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\dsnrkaossm.mp3",
644 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\efblo.exe",
645 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\bttbv.docx",
646 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\eftibwaru.docx",
647 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\hwuh.txt",
648 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\kpkdkniw.msc",
649 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\flrjkn.msc",
650 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\pjifbicfgm.dat",
651 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\tsujfxf.mp3",
652 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\wicjvfi.bin",
653 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\vblfnev.bin",
654 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\hhkji.jpg",
655 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\ejpxdo.pdf",
656 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\gexlm.pdf",
657 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\ahamuctc.pdf",
658 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\nnmrlw.ini",
659 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\gabmsubwme.dat",
660 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\gobaetdsxm.jpg",
661 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\sbodg.xml",
662 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\beriuitmsh.dat",
663 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\ghegsk.cpl",
664 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\vcmr.docx",
665 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\utfkxgnhrw.ini",
666 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\perbdvbs.bmp",
667 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\qdwtr.xl",
668 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\bcevt.ini",
669 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\pdkpvjca.dat",
670 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\uiehsrtwrt.xl",
671 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\pirbl.xl",
672 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\dlkxpvhm.dat",
673 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\vbjsjgnagl.xl",
674 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\qmkho.dat",
675 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\nrjiclx.dll",
676 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\mwjnnxh.exe",
677 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\dtjlgfgos.msc",
678 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\mioh.docx",
679 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\ldoe.ppt",
680 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\dths.pdf",
681 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\ihfoen.docx",
682 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\gwnlrembdm.ppt",
683 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\dhjwmi.bin",
684 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\cwsprbgwbv.ini",
685 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\fjoch.icm",
686 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\mepiglsb.mp3",
687 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\dvlcx.pdf",
688 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\skeidc.xml",
689 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\ttowcnes.msc",
690 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\swhdin.ppt",
691 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\rnqnx.ini",
692 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\xljcdpgch.cpl",
693 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\uqxbothosl.ppt",
694 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\mtmnjuqf.ppt",
695 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\fqupurapv.bin",
696 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\bejvaih.cpl",
697 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\frncp.ico",
698 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\dlijojn.pdf",
699 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\tsqasabre.log",
700 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\jkwbsplaha.dll",
701 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\queksdulu.msc",
702 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\kdjpvveqpn.bmp",
703 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\podlnnh.bmp",
704 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\mkbtkfpwb.dll",
705 "C:\\Users\\user\\temp\\gfujvaac.txt",
706 "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
707 "C:\\Users\\user\\AppData\\Local\\Temp\\tmp2529.tmp",
708 "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\task.dat",
709 "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
710 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
711
712
713* Deleted Files:
714 "C:\\Users\\user\\AppData\\Local\\Temp\\23757645\\smqujemen.bcs",
715 "C:\\Users\\user\\AppData\\Local\\Temp\\tmp2529.tmp",
716 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier",
717 "C:\\Windows\\Tasks\\DSL Subsystem.job",
718 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
719
720
721* Modified Registry Keys:
722 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
723 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
724 "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
725 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\dfghjklkjhrtyu.exe",
726 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Path",
727 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Hash",
728 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Id",
729 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Index",
730 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Triggers"
731
732
733* Deleted Registry Keys:
734 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
735 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
736 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
737 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
738 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job",
739 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job.fp"
740
741
742* DNS Communications:
743
744 "type": "A",
745 "request": "kartelicemoney.duckdns.org",
746 "answers":
750* Domains:
751
752 "ip": "38.132.99.202",
753 "domain": "kartelicemoney.duckdns.org"
757* Network Communication - ICMP:
758
759* Network Communication - HTTP:
760
761* Network Communication - SMTP:
762
763* Network Communication - Hosts:
764
765* Network Communication - IRC: