Malware Analysis Report

2025-08-10 19:46

Sample ID 221114-xnkz9shd9w
Target 7431d21c3dbfee2fad9bd22acfa20487-sample.zip
SHA256 734365abc09bb10e32a1834cdcc5de3f0a496581dfc100ee67f145679fe5a61b
Tags
nanocore evasion keylogger persistence spyware stealer trojan agenttesla collection
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

734365abc09bb10e32a1834cdcc5de3f0a496581dfc100ee67f145679fe5a61b

Threat Level: Known bad

The file 7431d21c3dbfee2fad9bd22acfa20487-sample.zip was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan agenttesla collection

AgentTesla

NanoCore

Executes dropped EXE

Drops startup file

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-14 19:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-14 18:59

Reported

2022-11-14 19:02

Platform

win7-20220812-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\1_36 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\start.vbs" C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\hege.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\mnqlt.wgc" C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 912 set thread context of 1628 N/A C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1280 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe 4
PID 1280 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe C:\Windows\SysWOW64\WScript.exe 4
PID 272 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe C:\Windows\SysWOW64\WScript.exe 4
PID 1756 wrote to memory of 1204 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe 4
PID 1644 wrote to memory of 912 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe 4
PID 912 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe 9
PID 1204 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe

"C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe"

C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe

"C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe" Paul E. Patton (born May 26, 1937) is an American politician who served as the 59th governor of Kentucky from 1995 to 2003.

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\1_36\ufmf.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\8_51\jdwqn.vbe"

C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe

"C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe" fucfmk.qxw

C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe

"C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe" mnqlt.wgc

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Network

Country Destination Domain Proto Count
N/A 8.8.8.8:53 rze6.sytes.net udp 25

Files

memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

\Users\Admin\AppData\Local\Temp\1_36\dsfg.exe

MD5 c8e5ca487ff6781d2ec035c761b19b76
SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea

C:\Users\Admin\AppData\Local\Temp\1_36\dsfg.exe

MD5 c8e5ca487ff6781d2ec035c761b19b76
SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea

memory/272-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe

MD5 c8e5ca487ff6781d2ec035c761b19b76
SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea

memory/1756-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\1_36\ufmf.vbe

MD5 268e04d7485e8be575fe6746a64801ab
SHA1 eeee374259d4d185cbe8dff17c72fed35dfcbf2e
SHA256 698780161fbd70fc2e5522f14bd173382852ae7f1b7ddb640d0528136d23d695
SHA512 1ad27bb53eb1d53fbb19b5cf2b7838874d3b1e25ec63ea1bf13588098cbdc69467e79fbe60f8b47a763e03bc6998a72fdc7e0d2496dfb2072bd8ed79236fd788

memory/1644-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\8_51\jdwqn.vbe

MD5 2b68f8d475481dd68bebaa0536b1eb7b
SHA1 d32e444134f3826bc705b1bbda6f3662901d876a
SHA256 1d0a8c3f9adeb45ee84311d1da67a378cf9a2d8c0ada2788fe12111741523376
SHA512 047ef190579e5edd5ce8c53af15cbd599e8b4ca2daa5e41f7e60b0c5bde312e06f158a71cd09f83f4df9897dc1b701264ca7f411d04777808303a4bf73fb9cc1

\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe

MD5 2eacb18ce33c4c5a9070233449518081
SHA1 55820bec82c368a425f31019ea90844bb33ef200
SHA256 db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
SHA512 c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264

\Users\Admin\AppData\Local\Temp\1_36\hege.exe

MD5 44feac1004f49cb51e6f1bd87c1cb84e
SHA1 fac794576fe8136cbd4e11a75b567d32bb7c70ec
SHA256 666927280f6e1e15276a471722f6cd6c2da204fb0c399e80d8d3a617fdf4c8fc
SHA512 432f180ef8c864c70d9acefc796a9d05f576f5d5f4ddb31dcd633441c276d99e6bfe95191f210fca59ea9fd5c0336aa4d6f78a6a7f3e6675435544ee4ba586f2

C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe

MD5 44feac1004f49cb51e6f1bd87c1cb84e
SHA1 fac794576fe8136cbd4e11a75b567d32bb7c70ec
SHA256 666927280f6e1e15276a471722f6cd6c2da204fb0c399e80d8d3a617fdf4c8fc
SHA512 432f180ef8c864c70d9acefc796a9d05f576f5d5f4ddb31dcd633441c276d99e6bfe95191f210fca59ea9fd5c0336aa4d6f78a6a7f3e6675435544ee4ba586f2

C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe

MD5 2eacb18ce33c4c5a9070233449518081
SHA1 55820bec82c368a425f31019ea90844bb33ef200
SHA256 db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
SHA512 c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264

memory/912-73-0x0000000000000000-mapping.dmp

memory/1204-72-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8_51\fucfmk.qxw

MD5 d067a5c5a84af23f9380a2b59c8c8006
SHA1 4ba393ded67d3b5784244a0d2d033797696e8cc5
SHA256 c63f38a89c95cab7a0d8a8432ce60c57a3ec64031da4e9f0f0d5d096bd901568
SHA512 6ffff543660117af9acf7cbe3a6ff317badc53c9fa9dfb31d98820ac5b6b53494d87853bdb6b9359aa03513e7ac4a9a6eae0ecf48e10df43460d58bd21dfff34

C:\Users\Admin\AppData\Local\Temp\1_36\mnqlt.wgc

MD5 898af92a3eeeae416191d38caa837a46
SHA1 63d1b35d2d39530a60bf975be479878ba0f2b2a9
SHA256 52f6d5aa3bb72c018b49d3cdc7b451e337b420cf684444dc8c510ce92fa5482a
SHA512 03e923aa1ca0ed7c0f6eaa46cc29cdf1d9cb82993265a4919585bb8b494c61721b37abe5bfe3e6fa05d6649b9ca04d3debc0e94099c2528030118f25f7147aa2

C:\Users\Admin\AppData\Local\Temp\8_51\evjwxossb.dat

MD5 e8904ec1444f4527fb8faf41e4f0cfbd
SHA1 6da7aceeeae8659f8eab1ef2f2660fa130cbfb7b
SHA256 98599b441a53b35e4992625a53fa22db0337579de0ba06157d6c0326d8b816a0
SHA512 7b118b32cce927eb311c5226c6deb4500df19b5f210651df6c9341248ecea5e93c8bb5169e1c6be6cdbc3704bbfcd45287ccf96683c2d623fd619f462f512470

C:\Users\Admin\AppData\Local\Temp\1_36\qjwomcanl.txt

MD5 569a476fd4914959b107f46ff369fa5b
SHA1 3bd88989da2d75d13823def81d57deb65d1a3be3
SHA256 af9ba53689747783e7de72fbf649a04fdbe1015f66c75156c389824a8c13cf85
SHA512 86d6ca086734aa961024eea47c9b321705767dba9fe90b1f82fd0b514f0dc7ace168da68bcf7d4e756c5693a6bc760eb44f02f295a1b1c1fb517bdf2c6742bf3

C:\Users\Admin\AppData\Local\Temp\8_51\gsbplmvv.dtk

MD5 c748255ddb2d951339a6bbceea40eb78
SHA1 80c026ffa166f786b795f3926c1ed2420fc61e6c
SHA256 96151c55ca3b38e413efa9c8c15522db9e8c3769c5445711a9e1c3b1a689febb
SHA512 11380298aaa369b1211bb29ad1d29224ae137865058123f52be88a3ade9fec7c6ecc3e823b839e57ff5ae8b3b92d49facc4cf0099a89bc8079e885fa83e62032

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1628-84-0x0000000000300000-0x0000000000A0F000-memory.dmp

memory/1628-86-0x0000000000300000-0x0000000000A0F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1628-87-0x000000000031E792-mapping.dmp

memory/1628-90-0x0000000000300000-0x0000000000A0F000-memory.dmp

memory/1628-92-0x0000000000300000-0x0000000000A0F000-memory.dmp

memory/1628-94-0x0000000000300000-0x0000000000338000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1_36\kwhuxmxxfi.mna

MD5 9e4a8690483334efebb30c429d6fc40b
SHA1 9614746bbf68eb7f7bd33a66a3303df6f41c07a9
SHA256 a2828b554e7b93d1df47d3edc54446f018dac886ae7536a9bc3a486af1e4ee0f
SHA512 6e62f212bd523bbd7836ca17960c440a2503564b10d74c82827c11aec5f91fc144d3506051e2f4001eb4293eb21136f649ef7915a72e80e0ea0c22b6fd9f02cd

memory/1276-97-0x0000000000300000-0x00000000008B8000-memory.dmp

memory/1628-100-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

memory/1628-101-0x0000000000CC0000-0x0000000000CDE000-memory.dmp

memory/1628-102-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-14 18:59

Reported

2022-11-14 19:02

Platform

win10v2004-20220901-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\hege.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\mnqlt.wgc" C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\1_36 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\start.vbs" C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 940 set thread context of 2320 N/A C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1748 set thread context of 2204 N/A C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4904 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe 3
PID 4904 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4796 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe C:\Windows\SysWOW64\WScript.exe 3
PID 620 wrote to memory of 1748 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe 3
PID 2704 wrote to memory of 940 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe 3
PID 940 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe 5
PID 1748 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe 5

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe

"C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe"

C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe

"C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe" Paul E. Patton (born May 26, 1937) is an American politician who served as the 59th governor of Kentucky from 1995 to 2003.

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\1_36\ufmf.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\8_51\jdwqn.vbe"

C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe

"C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe" mnqlt.wgc

C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe

"C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe" fucfmk.qxw

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Network

Country Destination Domain Proto Count
N/A 195.178.120.72:80 195.178.120.72 tcp 1
N/A 8.238.110.126:80 N/A tcp 4
N/A 13.89.179.10:443 N/A tcp 1

Files

memory/4796-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1_36\dsfg.exe

MD5 c8e5ca487ff6781d2ec035c761b19b76
SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea

C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe

MD5 c8e5ca487ff6781d2ec035c761b19b76
SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea

memory/620-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\1_36\ufmf.vbe

MD5 268e04d7485e8be575fe6746a64801ab
SHA1 eeee374259d4d185cbe8dff17c72fed35dfcbf2e
SHA256 698780161fbd70fc2e5522f14bd173382852ae7f1b7ddb640d0528136d23d695
SHA512 1ad27bb53eb1d53fbb19b5cf2b7838874d3b1e25ec63ea1bf13588098cbdc69467e79fbe60f8b47a763e03bc6998a72fdc7e0d2496dfb2072bd8ed79236fd788

C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe

MD5 44feac1004f49cb51e6f1bd87c1cb84e
SHA1 fac794576fe8136cbd4e11a75b567d32bb7c70ec
SHA256 666927280f6e1e15276a471722f6cd6c2da204fb0c399e80d8d3a617fdf4c8fc
SHA512 432f180ef8c864c70d9acefc796a9d05f576f5d5f4ddb31dcd633441c276d99e6bfe95191f210fca59ea9fd5c0336aa4d6f78a6a7f3e6675435544ee4ba586f2

memory/2704-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\8_51\jdwqn.vbe

MD5 2b68f8d475481dd68bebaa0536b1eb7b
SHA1 d32e444134f3826bc705b1bbda6f3662901d876a
SHA256 1d0a8c3f9adeb45ee84311d1da67a378cf9a2d8c0ada2788fe12111741523376
SHA512 047ef190579e5edd5ce8c53af15cbd599e8b4ca2daa5e41f7e60b0c5bde312e06f158a71cd09f83f4df9897dc1b701264ca7f411d04777808303a4bf73fb9cc1

C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe

MD5 2eacb18ce33c4c5a9070233449518081
SHA1 55820bec82c368a425f31019ea90844bb33ef200
SHA256 db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
SHA512 c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264

memory/1748-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1_36\mnqlt.wgc

MD5 898af92a3eeeae416191d38caa837a46
SHA1 63d1b35d2d39530a60bf975be479878ba0f2b2a9
SHA256 52f6d5aa3bb72c018b49d3cdc7b451e337b420cf684444dc8c510ce92fa5482a
SHA512 03e923aa1ca0ed7c0f6eaa46cc29cdf1d9cb82993265a4919585bb8b494c61721b37abe5bfe3e6fa05d6649b9ca04d3debc0e94099c2528030118f25f7147aa2

memory/940-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe

MD5 2eacb18ce33c4c5a9070233449518081
SHA1 55820bec82c368a425f31019ea90844bb33ef200
SHA256 db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
SHA512 c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264

C:\Users\Admin\AppData\Local\Temp\8_51\fucfmk.qxw

MD5 d067a5c5a84af23f9380a2b59c8c8006
SHA1 4ba393ded67d3b5784244a0d2d033797696e8cc5
SHA256 c63f38a89c95cab7a0d8a8432ce60c57a3ec64031da4e9f0f0d5d096bd901568
SHA512 6ffff543660117af9acf7cbe3a6ff317badc53c9fa9dfb31d98820ac5b6b53494d87853bdb6b9359aa03513e7ac4a9a6eae0ecf48e10df43460d58bd21dfff34

C:\Users\Admin\AppData\Local\Temp\1_36\qjwomcanl.txt

MD5 569a476fd4914959b107f46ff369fa5b
SHA1 3bd88989da2d75d13823def81d57deb65d1a3be3
SHA256 af9ba53689747783e7de72fbf649a04fdbe1015f66c75156c389824a8c13cf85
SHA512 86d6ca086734aa961024eea47c9b321705767dba9fe90b1f82fd0b514f0dc7ace168da68bcf7d4e756c5693a6bc760eb44f02f295a1b1c1fb517bdf2c6742bf3

C:\Users\Admin\AppData\Local\Temp\8_51\evjwxossb.dat

MD5 e8904ec1444f4527fb8faf41e4f0cfbd
SHA1 6da7aceeeae8659f8eab1ef2f2660fa130cbfb7b
SHA256 98599b441a53b35e4992625a53fa22db0337579de0ba06157d6c0326d8b816a0
SHA512 7b118b32cce927eb311c5226c6deb4500df19b5f210651df6c9341248ecea5e93c8bb5169e1c6be6cdbc3704bbfcd45287ccf96683c2d623fd619f462f512470

C:\Users\Admin\AppData\Local\Temp\8_51\gsbplmvv.dtk

MD5 c748255ddb2d951339a6bbceea40eb78
SHA1 80c026ffa166f786b795f3926c1ed2420fc61e6c
SHA256 96151c55ca3b38e413efa9c8c15522db9e8c3769c5445711a9e1c3b1a689febb
SHA512 11380298aaa369b1211bb29ad1d29224ae137865058123f52be88a3ade9fec7c6ecc3e823b839e57ff5ae8b3b92d49facc4cf0099a89bc8079e885fa83e62032

memory/2320-151-0x0000000000FAE792-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/2320-150-0x0000000000F90000-0x0000000001541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/2320-154-0x0000000000F90000-0x0000000000FC8000-memory.dmp

memory/2320-155-0x00000000062B0000-0x0000000006854000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1_36\kwhuxmxxfi.mna

MD5 9e4a8690483334efebb30c429d6fc40b
SHA1 9614746bbf68eb7f7bd33a66a3303df6f41c07a9
SHA256 a2828b554e7b93d1df47d3edc54446f018dac886ae7536a9bc3a486af1e4ee0f
SHA512 6e62f212bd523bbd7836ca17960c440a2503564b10d74c82827c11aec5f91fc144d3506051e2f4001eb4293eb21136f649ef7915a72e80e0ea0c22b6fd9f02cd

memory/2320-157-0x0000000005D00000-0x0000000005D92000-memory.dmp

memory/2204-158-0x0000000000800000-0x0000000000DAD000-memory.dmp

memory/2204-159-0x00000000008359CE-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/2320-161-0x0000000005DA0000-0x0000000005E3C000-memory.dmp

memory/2204-162-0x0000000000800000-0x000000000083A000-memory.dmp

memory/2204-163-0x0000000005FE0000-0x0000000006046000-memory.dmp

memory/2204-164-0x0000000006630000-0x0000000006680000-memory.dmp

memory/2204-165-0x0000000006900000-0x000000000690A000-memory.dmp