- * ID: 1511
- * MalFamily: "Nanocore"
- * MalScore: 10.0
- * File Name: "SWIFTMT202_105RD119002425.exe"
- * File Size: 1360938
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "d9dcdef4fea2521509bb3eeae3dab75392ac903891f0f3161a3a30ff6f26010f"
- * MD5: "acef3abfbde27400e0737fb780f6a3cc"
- * SHA1: "fcacf624debeb0bdd9d81525961e877e881c7dff"
- * SHA512: "c19768846138a4c9cfba180980c5369285cacd879542acb845ef287a6a6200f968e3accc623b62cc5f1d0fa4c16f9972ea8758efb32eccc716bffc082f21fcad"
- * CRC32: "FEBC8CB0"
- * SSDEEP: "24576:6NA3R5drXvdiVhlFfZ4TyDEPzXNNHp1bO30+3X67LDu1h6LId7nT1RMwaMm3CfBP:z5F+hnfOWEzHQ0+3KPy1h6LIdzTXM76d"
- * Process Execution:
- "SWIFTMT202_105RD119002425.exe",
- "wscript.exe",
- "xbb.exe",
- "RegSvcs.exe",
- "schtasks.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vhe.vbe\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vhe.vbe ",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe\" pnn=gbo",
- "xbb.exe pnn=gbo",
- "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpF741.tmp\""
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP_ioc": "79.134.225.110:54985 (Switzerland)"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "Detected script timer window indicative of sleep style evasion",
- "Details":
- "Window": "WSH-Timer"
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "RegSvcs.exe tried to sleep 1192 seconds, actually delayed analysis time by 0 seconds"
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details":
- "ioc": "v2.0.50727"
- "Description": "Expresses interest in specific running processes",
- "Details":
- "process": "RegSvcs.exe"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00000000, length: 0x00000007"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00000000, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00000007, length: 0x0014c423"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00001ff0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00003fe0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00005fd0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00007fc0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00009fb0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0000bfa0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0000df90, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0000ff80, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00011f70, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00013f60, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00015f50, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00017f40, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00019f30, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0001bf20, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0001df10, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0001ff00, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00021ef0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00023ee0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00025ed0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00027ec0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00029eb0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0002bea0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0002de90, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0002fe80, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00031e70, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00033e60, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00035e50, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00037e40, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00039e30, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0003be20, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0003de10, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0003fe00, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00041df0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00043de0, length: 0x00002000"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00044400, length: 0x001011d6"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001457d5, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001459ac, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00145b8e, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00145d62, length: 0x00000027"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00145f77, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00146153, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014632b, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001464fd, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001466cd, length: 0x00000029"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00146895, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00146a5d, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00146c66, length: 0x00000027"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00146e63, length: 0x00000027"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014707a, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014724b, length: 0x00000029"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147435, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147636, length: 0x00000029"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147824, length: 0x00000027"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001479f1, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147be1, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147dc9, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00147fa0, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014817a, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014837d, length: 0x00000027"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001485a3, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00148784, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014896a, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00148b43, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00148d4a, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00148f15, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001490e1, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001492f3, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x001494c5, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00149694, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014988b, length: 0x00000027"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00149a84, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00149c53, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00149e2d, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x00149ffa, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014a1fd, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014a40c, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014a5ed, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014a7c3, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014a998, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014aba4, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014adb4, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014af9d, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014b16f, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014b376, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014b541, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014b762, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014b947, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014bb46, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014bd53, length: 0x00000027"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014bf3f, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014c15a, length: 0x00000028"
- "self_read": "process: SWIFTMT202_105RD119002425.exe, pid: 2944, offset: 0x0014c339, length: 0x0000001b"
- "self_read": "process: wscript.exe, pid: 2092, offset: 0x00000000, length: 0x00000040"
- "self_read": "process: wscript.exe, pid: 2092, offset: 0x000000f0, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 2092, offset: 0x000001e8, length: 0x00000078"
- "self_read": "process: wscript.exe, pid: 2092, offset: 0x00018000, length: 0x00000020"
- "self_read": "process: wscript.exe, pid: 2092, offset: 0x00018058, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 2092, offset: 0x000181a8, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 2092, offset: 0x00018470, length: 0x00000010"
- "self_read": "process: wscript.exe, pid: 2092, offset: 0x00018640, length: 0x00000012"
- "self_read": "process: RegSvcs.exe, pid: 1664, offset: 0x00000000, length: 0x00001000"
- "self_read": "process: RegSvcs.exe, pid: 1664, offset: 0x00000080, length: 0x00000200"
- "self_read": "process: RegSvcs.exe, pid: 1664, offset: 0x00000178, length: 0x00000200"
- "self_read": "process: RegSvcs.exe, pid: 1664, offset: 0x00005b20, length: 0x00000200"
- "self_read": "process: RegSvcs.exe, pid: 1664, offset: 0x00005b3c, length: 0x00000200"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "RegSvcs.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpF741.tmp\""
- "Description": "A scripting utility was executed",
- "Details":
- "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vhe.vbe\""
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpF741.tmp\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "xbb.exe(2792) -> RegSvcs.exe(1664)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "xbb.exe(2792) -> RegSvcs.exe(1664)"
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
- "Details":
- "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate"
- "data": "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\PNN_GB~1"
- "Description": "Exhibits behavior characteristic of Nanocore RAT",
- "Details":
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "svchost.exe:884"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe"
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\95444044"
- "file": "C:\\Users\\user\\temp"
- "Description": "File has been identified by 23 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.acef3abfbde27400"
- "Cybereason": "malicious.4debeb"
- "APEX": "Malicious"
- "ClamAV": "Win.Malware.Mycop-6983471-0"
- "Kaspersky": "HEUR:Trojan-Dropper.Win32.Generic"
- "AegisLab": "Trojan.BAT.Crypter.tqa8"
- "Rising": "Trojan.Pack-RAR!1.BB61 (CLASSIC)"
- "F-Secure": "Dropper.DR/AutoIt.Gen"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Backdoor.tc"
- "Cyren": "W32/AutoIt.EN.gen!Eldorado"
- "Avira": "DR/AutoIt.Gen"
- "Antiy-AVL": "TrojanArcBomb/Win32.Agent"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "ZoneAlarm": "HEUR:Trojan-Dropper.Win32.Generic"
- "Cylance": "Unsafe"
- "Zoner": "Probably RARAutorun"
- "Yandex": "Trojan.Agent!nS7qVYN4VgU"
- "Ikarus": "Win32.Outbreak"
- "Fortinet": "W32/Generic.AC.45A0E1!tr"
- "AVG": "FileRepMalware"
- "CrowdStrike": "win/malicious_confidence_80% (W)"
- "Qihoo-360": "HEUR/QVM10.1.CF17.Malware.Gen"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Malware.Mycop-6983471-0, sha256:d9dcdef4fea2521509bb3eeae3dab75392ac903891f0f3161a3a30ff6f26010f, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Trojan.Autoit-6922942-0, sha256:fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b , guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe"
- "Description": "Collects information to fingerprint the system",
- "Details":
- * Started Service:
- * Mutexes:
- "DefaultTabtip-MainUI",
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\25104a4c-f498-4fa3-b06f-7cb02eff6741",
- "Global\\.net clr networking"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\__tmp_rar_sfx_access_check_11654343",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\cjr.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\pnn=gbo",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vhe.vbe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xbb.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\lca.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\cgb.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\axt.msc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\rqu.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\plh.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\hcm.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\uow.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\kma.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\mus.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\bjg.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ksb.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\est.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\eaj.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\npf.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\itf.xml",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\jaw.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\jcs.msc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vxo.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\gpr.bin",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vnu.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\jkl.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xkn.jpg",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\coc.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\lse.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vrr.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\oak.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\deu.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\wco.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\oxs.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\gqa.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\bcn.msc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\opw.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ptk.xls",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\smw.docx",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xxu.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\noo.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vxn.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\wsf.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\gjn.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\vlb.bin",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\bas.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\dpn.ini",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\mdn.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\sdi.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\hfj.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\jlg.msc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\jcx.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ivm.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\qgx.ico",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\iko.pdf",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\cph.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\glt.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\dnh.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ath.ini",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ovq.bin",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\gvg.msc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xjh.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\aqx.ppt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\lal.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\qua.cpl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\lde.dll",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\rrd.cpl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\uju.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\crj.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\abe.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\odn.ini",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\oog.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\edp.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\iqs.icm",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\lrm.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\xjg.xl",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\ewr.mp3",
- "C:\\Users\\user\\AppData\\Local\\Temp\\95444044\\apr.log",
- "C:\\Users\\user\\temp\\cjr.ppt",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmpF741.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\task.dat",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmpF741.tmp",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe:Zone.Identifier",
- "C:\\Windows\\Tasks\\DSL Subsystem.job",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Triggers"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job.fp"
- * DNS Communications:
- "type": "A",
- "request": "1gstemos.duckdns.org",
- "answers":
- "data": "79.134.225.110",
- "type": "A"
- "type": "A",
- "request": "jaden222.kozow.com",
- "answers":
- * Domains:
- "ip": "79.134.225.110",
- "domain": "1gstemos.duckdns.org"
- "ip": "79.134.225.110",
- "domain": "jaden222.kozow.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Switzerland",
- "ip": "79.134.225.110",
- "inaddrarpa": "",
- "hostname": "1gstemos.duckdns.org"
- * Network Communication - IRC: