API tools faq
paste
Advertisement
paladin316

1514NanoCore_6efc03ae042064ae311eee1cd9ba5a65_exe_2019-09-11_10_30.txt

paladin316
Sep 11th, 2019
1,566
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 25.24 KB | None | 0 0
raw download clone embed print report
  1.  
  2. * ID: 1514
  3. * MalFamily: "Nanocore"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "NanoCore_6efc03ae042064ae311eee1cd9ba5a65.exe"
  8. * File Size: 1370908
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "862bef9f39e5ad960be979bce8ce94f411af38cae2853d093ef957c96a5d50b8"
  11. * MD5: "6efc03ae042064ae311eee1cd9ba5a65"
  12. * SHA1: "206668484d3d96ac9c47b3f925b058a002a93774"
  13. * SHA512: "10b11a39bafffc8ddfbaf905fde10c044f4e14a1fac5c87d0329a0e4e57dea1ea75c4c487e8bbe53d15d719308395a838d0fed115e59013b45571867b614fe32"
  14. * CRC32: "C6035098"
  15. * SSDEEP: "24576:8NA3R5drXgJOr2/1CeWn1GXHEwpgz6l6u1h6LId7nf1RMMaReV5BHFA8C:95EOK1CeWn1ApJ1h6LIdzfXMf25Bl8"
  16.  
  17. * Process Execution:
  18. "waCoVInV.exe",
  19. "wscript.exe",
  20. "fhl.exe",
  21. "RegSvcs.exe"
  22.  
  23.  
  24. * Executed Commands:
  25. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fsa.vbs\"",
  26. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fsa.vbs ",
  27. "\"C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe\" klp=jib",
  28. "fhl.exe klp=jib"
  29.  
  30.  
  31. * Signatures Detected:
  32.  
  33. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  34. "Details":
  35.  
  36.  
  37. "Description": "Behavioural detection: Executable code extraction",
  38. "Details":
  39.  
  40.  
  41. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  42. "Details":
  43.  
  44. "IP_ioc": "185.11.146.171:3999 (Netherlands)"
  45.  
  46.  
  47.  
  48.  
  49. "Description": "Creates RWX memory",
  50. "Details":
  51.  
  52.  
  53. "Description": "Guard pages use detected - possible anti-debugging.",
  54. "Details":
  55.  
  56.  
  57. "Description": "Detected script timer window indicative of sleep style evasion",
  58. "Details":
  59.  
  60. "Window": "WSH-Timer"
  61.  
  62.  
  63.  
  64.  
  65. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  66. "Details":
  67.  
  68. "ioc": "v2.0.50727"
  69.  
  70.  
  71.  
  72.  
  73. "Description": "Expresses interest in specific running processes",
  74. "Details":
  75.  
  76. "process": "RegSvcs.exe"
  77.  
  78.  
  79. "process": "taskhost.exe"
  80.  
  81.  
  82.  
  83.  
  84. "Description": "Reads data out of its own binary image",
  85. "Details":
  86.  
  87. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00000000, length: 0x00000007"
  88.  
  89.  
  90. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00000000, length: 0x00002000"
  91.  
  92.  
  93. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00000007, length: 0x0014eb15"
  94.  
  95.  
  96. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00001ff0, length: 0x00002000"
  97.  
  98.  
  99. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00003fe0, length: 0x00002000"
  100.  
  101.  
  102. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00005fd0, length: 0x00002000"
  103.  
  104.  
  105. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00007fc0, length: 0x00002000"
  106.  
  107.  
  108. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00009fb0, length: 0x00002000"
  109.  
  110.  
  111. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0000bfa0, length: 0x00002000"
  112.  
  113.  
  114. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0000df90, length: 0x00002000"
  115.  
  116.  
  117. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0000ff80, length: 0x00002000"
  118.  
  119.  
  120. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00011f70, length: 0x00002000"
  121.  
  122.  
  123. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00013f60, length: 0x00002000"
  124.  
  125.  
  126. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00015f50, length: 0x00002000"
  127.  
  128.  
  129. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00017f40, length: 0x00002000"
  130.  
  131.  
  132. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00019f30, length: 0x00002000"
  133.  
  134.  
  135. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0001bf20, length: 0x00002000"
  136.  
  137.  
  138. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0001df10, length: 0x00002000"
  139.  
  140.  
  141. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0001ff00, length: 0x00002000"
  142.  
  143.  
  144. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00021ef0, length: 0x00002000"
  145.  
  146.  
  147. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00023ee0, length: 0x00002000"
  148.  
  149.  
  150. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00025ed0, length: 0x00002000"
  151.  
  152.  
  153. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00027ec0, length: 0x00002000"
  154.  
  155.  
  156. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00029eb0, length: 0x00002000"
  157.  
  158.  
  159. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0002bea0, length: 0x00002000"
  160.  
  161.  
  162. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0002de90, length: 0x00002000"
  163.  
  164.  
  165. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0002fe80, length: 0x00002000"
  166.  
  167.  
  168. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00031e70, length: 0x00002000"
  169.  
  170.  
  171. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00033e60, length: 0x00002000"
  172.  
  173.  
  174. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00035e50, length: 0x00002000"
  175.  
  176.  
  177. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00037e40, length: 0x00002000"
  178.  
  179.  
  180. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00039e30, length: 0x00002000"
  181.  
  182.  
  183. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0003be20, length: 0x00002000"
  184.  
  185.  
  186. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0003de10, length: 0x00002000"
  187.  
  188.  
  189. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0003fe00, length: 0x00002000"
  190.  
  191.  
  192. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00041df0, length: 0x00002000"
  193.  
  194.  
  195. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00043de0, length: 0x00002000"
  196.  
  197.  
  198. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00045600, length: 0x00103f95"
  199.  
  200.  
  201. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014974b, length: 0x00000028"
  202.  
  203.  
  204. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00149957, length: 0x00000028"
  205.  
  206.  
  207. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00149b30, length: 0x00000028"
  208.  
  209.  
  210. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00149d1b, length: 0x00000028"
  211.  
  212.  
  213. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x00149ee5, length: 0x00000028"
  214.  
  215.  
  216. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014a0d0, length: 0x00000028"
  217.  
  218.  
  219. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014a2bb, length: 0x00000028"
  220.  
  221.  
  222. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014a48a, length: 0x00000028"
  223.  
  224.  
  225. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014a678, length: 0x00000028"
  226.  
  227.  
  228. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014a859, length: 0x00000028"
  229.  
  230.  
  231. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014aa77, length: 0x00000028"
  232.  
  233.  
  234. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014ac56, length: 0x00000028"
  235.  
  236.  
  237. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014ae39, length: 0x00000028"
  238.  
  239.  
  240. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014b03c, length: 0x00000028"
  241.  
  242.  
  243. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014b21f, length: 0x00000028"
  244.  
  245.  
  246. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014b40e, length: 0x00000028"
  247.  
  248.  
  249. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014b603, length: 0x00000029"
  250.  
  251.  
  252. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014b7f2, length: 0x00000028"
  253.  
  254.  
  255. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014b9c4, length: 0x00000028"
  256.  
  257.  
  258. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014bb99, length: 0x00000028"
  259.  
  260.  
  261. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014bd87, length: 0x00000028"
  262.  
  263.  
  264. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014bf8b, length: 0x00000028"
  265.  
  266.  
  267. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014c185, length: 0x00000027"
  268.  
  269.  
  270. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014c380, length: 0x00000029"
  271.  
  272.  
  273. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014c551, length: 0x00000028"
  274.  
  275.  
  276. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014c74b, length: 0x00000028"
  277.  
  278.  
  279. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014c965, length: 0x00000028"
  280.  
  281.  
  282. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014cb42, length: 0x00000028"
  283.  
  284.  
  285. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014cd2b, length: 0x00000028"
  286.  
  287.  
  288. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014cef8, length: 0x00000028"
  289.  
  290.  
  291. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014d11b, length: 0x00000027"
  292.  
  293.  
  294. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014d302, length: 0x00000028"
  295.  
  296.  
  297. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014d4ef, length: 0x00000028"
  298.  
  299.  
  300. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014d6fc, length: 0x00000028"
  301.  
  302.  
  303. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014d8e2, length: 0x00000027"
  304.  
  305.  
  306. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014dae1, length: 0x00000028"
  307.  
  308.  
  309. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014dce9, length: 0x00000028"
  310.  
  311.  
  312. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014decf, length: 0x00000028"
  313.  
  314.  
  315. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014e0da, length: 0x00000028"
  316.  
  317.  
  318. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014e2a9, length: 0x00000028"
  319.  
  320.  
  321. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014e485, length: 0x00000028"
  322.  
  323.  
  324. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014e6a9, length: 0x00000028"
  325.  
  326.  
  327. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014e889, length: 0x00000029"
  328.  
  329.  
  330. "self_read": "process: waCoVInV.exe, pid: 2432, offset: 0x0014ea61, length: 0x0000001b"
  331.  
  332.  
  333. "self_read": "process: wscript.exe, pid: 2140, offset: 0x00000000, length: 0x00000040"
  334.  
  335.  
  336. "self_read": "process: wscript.exe, pid: 2140, offset: 0x000000f0, length: 0x00000018"
  337.  
  338.  
  339. "self_read": "process: wscript.exe, pid: 2140, offset: 0x000001e8, length: 0x00000078"
  340.  
  341.  
  342. "self_read": "process: wscript.exe, pid: 2140, offset: 0x00018000, length: 0x00000020"
  343.  
  344.  
  345. "self_read": "process: wscript.exe, pid: 2140, offset: 0x00018058, length: 0x00000018"
  346.  
  347.  
  348. "self_read": "process: wscript.exe, pid: 2140, offset: 0x000181a8, length: 0x00000018"
  349.  
  350.  
  351. "self_read": "process: wscript.exe, pid: 2140, offset: 0x00018470, length: 0x00000010"
  352.  
  353.  
  354. "self_read": "process: wscript.exe, pid: 2140, offset: 0x00018640, length: 0x00000012"
  355.  
  356.  
  357. "self_read": "process: RegSvcs.exe, pid: 1632, offset: 0x00000000, length: 0x00001000"
  358.  
  359.  
  360. "self_read": "process: RegSvcs.exe, pid: 1632, offset: 0x00000080, length: 0x00000200"
  361.  
  362.  
  363. "self_read": "process: RegSvcs.exe, pid: 1632, offset: 0x00000178, length: 0x00000200"
  364.  
  365.  
  366. "self_read": "process: RegSvcs.exe, pid: 1632, offset: 0x00005b20, length: 0x00000200"
  367.  
  368.  
  369. "self_read": "process: RegSvcs.exe, pid: 1632, offset: 0x00005b3c, length: 0x00000200"
  370.  
  371.  
  372.  
  373.  
  374. "Description": "Drops a binary and executes it",
  375. "Details":
  376.  
  377. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe"
  378.  
  379.  
  380.  
  381.  
  382. "Description": "A scripting utility was executed",
  383. "Details":
  384.  
  385. "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fsa.vbs\""
  386.  
  387.  
  388.  
  389.  
  390. "Description": "Behavioural detection: Injection (Process Hollowing)",
  391. "Details":
  392.  
  393. "Injection": "fhl.exe(1896) -> RegSvcs.exe(1632)"
  394.  
  395.  
  396.  
  397.  
  398. "Description": "Executed a process and injected code into it, probably while unpacking",
  399. "Details":
  400.  
  401. "Injection": "fhl.exe(1896) -> RegSvcs.exe(1632)"
  402.  
  403.  
  404.  
  405.  
  406. "Description": "Attempts to remove evidence of file being downloaded from the Internet",
  407. "Details":
  408.  
  409. "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier"
  410.  
  411.  
  412.  
  413.  
  414. "Description": "Behavioural detection: Injection (inter-process)",
  415. "Details":
  416.  
  417.  
  418. "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
  419. "Details":
  420.  
  421.  
  422. "Description": "Installs itself for autorun at Windows startup",
  423. "Details":
  424.  
  425. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\desktop"
  426.  
  427.  
  428. "data": "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\KLP_JI~1"
  429.  
  430.  
  431.  
  432.  
  433. "Description": "Exhibits behavior characteristic of Nanocore RAT",
  434. "Details":
  435.  
  436.  
  437. "Description": "Creates a hidden or system file",
  438. "Details":
  439.  
  440. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe"
  441.  
  442.  
  443. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\92572591"
  444.  
  445.  
  446. "file": "C:\\Users\\user\\temp"
  447.  
  448.  
  449.  
  450.  
  451. "Description": "File has been identified by 26 Antiviruses on VirusTotal as malicious",
  452. "Details":
  453.  
  454. "FireEye": "Generic.mg.6efc03ae042064ae"
  455.  
  456.  
  457. "K7AntiVirus": "Riskware ( 0040eff71 )"
  458.  
  459.  
  460. "K7GW": "Riskware ( 0040eff71 )"
  461.  
  462.  
  463. "CrowdStrike": "win/malicious_confidence_80% (D)"
  464.  
  465.  
  466. "APEX": "Malicious"
  467.  
  468.  
  469. "Kaspersky": "Trojan.Win32.Autoit.foa"
  470.  
  471.  
  472. "AegisLab": "Trojan.BAT.Crypter.tqa8"
  473.  
  474.  
  475. "F-Secure": "Dropper.DR/AutoIt.Gen"
  476.  
  477.  
  478. "Invincea": "heuristic"
  479.  
  480.  
  481. "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.tc"
  482.  
  483.  
  484. "Trapmine": "suspicious.low.ml.score"
  485.  
  486.  
  487. "Paloalto": "generic.ml"
  488.  
  489.  
  490. "Cyren": "W32/AutoIt.EN.gen!Eldorado"
  491.  
  492.  
  493. "Avira": "VBS/Runner.hzdd"
  494.  
  495.  
  496. "Antiy-AVL": "TrojanArcBomb/Win32.Agent"
  497.  
  498.  
  499. "Microsoft": "Trojan:Win32/AutoitInject.BI!MTB"
  500.  
  501.  
  502. "ZoneAlarm": "Trojan.Win32.Autoit.foa"
  503.  
  504.  
  505. "AhnLab-V3": "Malware/Win32.RL_Generic.R286428"
  506.  
  507.  
  508. "Malwarebytes": "Trojan.MalPack.AISFX"
  509.  
  510.  
  511. "Zoner": "Probably RARAutorun"
  512.  
  513.  
  514. "ESET-NOD32": "VBS/Runner.NHZ"
  515.  
  516.  
  517. "Rising": "Trojan.Pack-RAR!1.BB61 (CLASSIC)"
  518.  
  519.  
  520. "Yandex": "Trojan.Agent!nS7qVYN4VgU"
  521.  
  522.  
  523. "Fortinet": "W32/Generic.AC.45A0E1!tr"
  524.  
  525.  
  526. "Cybereason": "malicious.84d3d9"
  527.  
  528.  
  529. "Qihoo-360": "HEUR/QVM10.1.C881.Malware.Gen"
  530.  
  531.  
  532.  
  533.  
  534. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  535. "Details":
  536.  
  537. "dropped": "clamav:Win.Trojan.Autoit-6922942-0, sha256:fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b , guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  538.  
  539.  
  540.  
  541.  
  542. "Description": "Collects information to fingerprint the system",
  543. "Details":
  544.  
  545.  
  546.  
  547. * Started Service:
  548.  
  549. * Mutexes:
  550. "DefaultTabtip-MainUI",
  551. "Local\\ZoneAttributeCacheCounterMutex",
  552. "Local\\ZonesCacheCounterMutex",
  553. "Local\\ZonesLockedCacheCounterMutex",
  554. "Global\\CLR_PerfMon_WrapMutex",
  555. "Global\\CLR_CASOFF_MUTEX",
  556. "Global\\ac45ed91-6e1d-4915-abef-33900ef60335",
  557. "Global\\.net clr networking"
  558.  
  559.  
  560. * Modified Files:
  561. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\__tmp_rar_sfx_access_check_11298218",
  562. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\gjd.log",
  563. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\klp=jib",
  564. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fsa.vbs",
  565. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fhl.exe",
  566. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\duh.log",
  567. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\dxv.xml",
  568. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\mbn.xls",
  569. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\qux.pdf",
  570. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\gic.xml",
  571. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\hdp.dat",
  572. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\urh.xls",
  573. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\hjx.pdf",
  574. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\nkt.docx",
  575. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\ieg.ini",
  576. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\apo.xl",
  577. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\aqu.exe",
  578. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\ppm.bmp",
  579. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fjb.xl",
  580. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\mau.xl",
  581. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\uat.docx",
  582. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\emk.xml",
  583. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\lpv.ico",
  584. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\gkx.pdf",
  585. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\upf.mp3",
  586. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\iix.cpl",
  587. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\ura.cpl",
  588. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\dtd.xls",
  589. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\lkw.dll",
  590. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\vlo.log",
  591. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\bom.cpl",
  592. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\xjl.msc",
  593. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\osk.jpg",
  594. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\bik.xls",
  595. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\hqs.msc",
  596. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\vdo.pdf",
  597. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\wvr.xls",
  598. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\qpl.dll",
  599. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\pia.docx",
  600. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\acn.xls",
  601. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\mba.pdf",
  602. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\qig.exe",
  603. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\aka.bin",
  604. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\hcw.ini",
  605. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\wkw.xl",
  606. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\loe.docx",
  607. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\mss.ppt",
  608. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\rje.cpl",
  609. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\kvu.bmp",
  610. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\tnj.log",
  611. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\rja.ini",
  612. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\xgg.bmp",
  613. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\mhx.xl",
  614. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fvu.bmp",
  615. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\hfw.bin",
  616. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\gbp.msc",
  617. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\fqj.xl",
  618. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\ldc.xml",
  619. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\pea.dll",
  620. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\rbx.pdf",
  621. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\rwa.xls",
  622. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\cuc.pdf",
  623. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\qtm.xls",
  624. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\saj.ppt",
  625. "C:\\Users\\user\\AppData\\Local\\Temp\\92572591\\jgu.docx",
  626. "C:\\Users\\user\\temp\\gjd.log",
  627. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat"
  628.  
  629.  
  630. * Deleted Files:
  631. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier"
  632.  
  633.  
  634. * Modified Registry Keys:
  635. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  636. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  637. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  638. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\desktop"
  639.  
  640.  
  641. * Deleted Registry Keys:
  642. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  643. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  644. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  645. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  646.  
  647.  
  648. * DNS Communications:
  649.  
  650. * Domains:
  651.  
  652. * Network Communication - ICMP:
  653.  
  654. * Network Communication - HTTP:
  655.  
  656. * Network Communication - SMTP:
  657.  
  658. * Network Communication - Hosts:
  659.  
  660. "country_name": "Netherlands",
  661. "ip": "185.11.146.171",
  662. "inaddrarpa": "",
  663. "hostname": ""
  664.  
  665.  
  666.  
  667. * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!