Malware Analysis Report

2025-08-05 14:33

Sample ID 221126-3rkfssdf25
Target 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26

Threat Level: Known bad

The file 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

NTFS ADS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-26 23:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-26 23:44

Reported

2022-11-27 17:15

Platform

win7-20220812-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sql_support.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | N/A | 42
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sql_support.exe | N/A | 22

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1392 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 1392 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | 9
PID 1392 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | C:\Users\Admin\AppData\Local\Temp\sql_support.exe | 4
PID 1392 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 820 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\sql_support.exe | C:\Windows\SysWOW64\schtasks.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe

"C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\aBBBBB.xml"

C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe

"C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe"

C:\Users\Admin\AppData\Local\Temp\sql_support.exe

"C:\Users\Admin\AppData\Local\Temp\sql_support.exe" -woohoo 1488 C:\Users\Admin\AppData\Local\Temp\chrome.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 0 > C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe:Zone.Identifier & exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\aUUUUU.xml"

Network

Country | Destination | Domain | Proto | Events
N/A | 8.8.8.8:53 | intelligentminds14.mooo.com | udp | 13
N/A | 8.8.4.4:53 | intelligentminds14.mooo.com | udp | 12
N/A | 127.0.0.1:53896 | N/A | tcp | 10
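The behavioral1 run gives a detection engineer four concrete behaviours to write rules for: schtasks /Create importing a task definition XML from the user's Temp folder (twice, as "Update\Google Update"), a second instance of the sample started and written into by the first (the region 0x400000-0x438000 and the mapping at 0x41E792 in PID 1488 above are the footprint of that write), sql_support.exe started with a sibling PID and a second Temp path on its command line, and cmd.exe echoing ZoneID = 0 into the sample's own Zone.Identifier stream, which clears the Mark-of-the-Web. On the network side the run shows only DNS lookups for intelligentminds14.mooo.com (mooo.com is a free dynamic-DNS domain) and loopback TCP connections to 127.0.0.1:53896; no connection to a resolved address is recorded. The script below is an added example and not part of the sandbox report: it replays the command lines and WriteProcessMemory pairs above as constructed event records under an assumed schema and runs four rules over them, with a constructed benign schtasks control that must not fire. The field names, the rule names and the event schema are this example's own.

```python
import ntpath
import re

# Constructed event records replaying the behavioral1 process tree and the
# WriteProcessMemory pairs listed in this report.  The schema is assumed for this
# example: "process_create" maps onto Sysmon event ID 1, while "memory_write"
# stands in for EDR cross-process write telemetry (Sysmon does not log it).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe"
SQL_SUPPORT = TEMP + r"\sql_support.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASK_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "%s"'

EVENTS = [
    {"event": "process_create", "pid": 1392, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event": "process_create", "pid": 1524, "image": SCHTASKS, "cmdline": TASK_CMD % (TEMP + r"\aBBBBB.xml")},
    {"event": "process_create", "pid": 1488, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event": "process_create", "pid": 820, "image": SQL_SUPPORT,
     "cmdline": f'"{SQL_SUPPORT}" -woohoo 1488 ' + TEMP + r"\chrome.exe"},
    {"event": "process_create", "pid": 1628, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 0 > ' + SAMPLE + ":Zone.Identifier & exit"},
    {"event": "process_create", "pid": 268, "image": SCHTASKS, "cmdline": TASK_CMD % (TEMP + r"\aUUUUU.xml")},
    {"event": "memory_write", "pid": 1392, "target_pid": 1524, "image": SAMPLE, "target_image": SCHTASKS},
    {"event": "memory_write", "pid": 1392, "target_pid": 1488, "image": SAMPLE, "target_image": SAMPLE},
    {"event": "memory_write", "pid": 1392, "target_pid": 820, "image": SAMPLE, "target_image": SQL_SUPPORT},
    {"event": "memory_write", "pid": 820, "target_pid": 268, "image": SQL_SUPPORT, "target_image": SCHTASKS},
    # Constructed benign control: a task imported from outside Temp must not fire any rule.
    {"event": "process_create", "pid": 4000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Corp\Maintenance" /XML "C:\ProgramData\Corp\Maintenance.xml"'},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
ZONE_RE = re.compile(r"ZoneID\s*=\s*0\s*>\s*(\S+?):Zone\.Identifier", re.I)

def _tokens(cmdline):
    """Split a Windows command line, dropping the quotes around quoted arguments."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]

def _arg_after(toks, flag):
    """Value following a flag such as /xml (flag given in lower case), or None."""
    low = [t.lower() for t in toks]
    i = low.index(flag) if flag in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None

def _in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()

def rule_task_from_temp(ev, _ctx):
    """schtasks /Create importing a task definition that lives in the user's Temp folder."""
    if ev["event"] != "process_create" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    toks = _tokens(ev["cmdline"])
    xml = _arg_after(toks, "/xml")
    if any(t.lower() == "/create" for t in toks) and xml and _in_temp(xml):
        return f"task '{_arg_after(toks, '/tn')}' registered from {xml}"
    return None

def rule_motw_removed(ev, _ctx):
    """cmd.exe echoing ZoneID=0 into a file's Zone.Identifier stream clears the Mark-of-the-Web."""
    if ev["event"] != "process_create" or not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    m = ZONE_RE.search(ev["cmdline"])
    return f"Mark-of-the-Web cleared on {m.group(1)}" if m else None

def rule_self_image_write(ev, _ctx):
    """A process writing into a child that runs its own image: the hollowing set-up seen here."""
    if ev["event"] == "memory_write" and ev["image"].lower() == ev["target_image"].lower():
        return f"pid {ev['pid']} wrote into pid {ev['target_pid']}, a child running the same image"
    return None

def rule_temp_exe_pid_arg(ev, ctx):
    """Temp-resident EXE started with a live PID and a second Temp path as arguments."""
    if ev["event"] != "process_create" or not _in_temp(ev["image"]):
        return None
    args = _tokens(ev["cmdline"])[1:]
    pids = [int(a) for a in args if a.isdigit() and int(a) in ctx["pids"]]
    paths = [a for a in args if _in_temp(a) and a.lower() != ev["image"].lower()]
    if pids and paths:
        return f"{ntpath.basename(ev['image'])} given pid {pids[0]} and {ntpath.basename(paths[0])}"
    return None

RULES = (rule_task_from_temp, rule_motw_removed, rule_self_image_write, rule_temp_exe_pid_arg)

def run_rules(events):
    """Return (rule name, acting pid, message) for every hit, in event order."""
    ctx = {"pids": {e["pid"] for e in events if e["event"] == "process_create"}}
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev, ctx)
            if msg:
                hits.append((rule.__name__, ev["pid"], msg))
    return hits

if __name__ == "__main__":
    for name, pid, msg in run_rules(EVENTS):
        print(f"{name:<22} pid={pid:<5} {msg}")
```

Only the write from PID 1392 into PID 1488 is a same-image write. The writes from 1392 into 820 (sql_support.exe) target a file whose hashes match the sample but whose path differs, so a path-based rule does not treat them as self-injection; correlating by image hash rather than image path would catch that case as well.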

Files

memory/1392-54-0x0000000075521000-0x0000000075523000-memory.dmp

memory/1392-55-0x00000000745A0000-0x0000000074B4B000-memory.dmp

memory/1524-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\aBBBBB.xml

MD5 2c2b3ac9bdef149809bb454149b7e8df
SHA1 3d3fec0a80e3f0ca0e76b9fcff664819341be809
SHA256 43a197a9ffa44eccd7b95bf5f06adb7dfa4432396585984fabb65ba0fe5c31ba
SHA512 4a94125391b50d83050b15918d84ba704638d6a372ae676d28f62672aa7449a4d69c7113da653ebe7776948c604f11686f57c2c654829e291ccb563abb98e3cc

memory/1392-58-0x00000000745A0000-0x0000000074B4B000-memory.dmp

memory/1488-60-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1488-59-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1488-62-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1488-64-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1488-67-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1488-69-0x000000000041E792-mapping.dmp

memory/1488-71-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1488-73-0x0000000000400000-0x0000000000438000-memory.dmp

\Users\Admin\AppData\Local\Temp\sql_support.exe

MD5 6a37314fe92378a49c260a32e766c4da
SHA1 e809f3fa0769e264a549be8e7ea543fd7f96b34e
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26
SHA512 f6fc69d6435705a41235b41dbdf0f7525a3284655a2d8080d84dc1428177fcbe006d29290f5ce21b9f6ec53148f9401e02aadb5be2356a16d3dd5ed38da413f5

\Users\Admin\AppData\Local\Temp\sql_support.exe

MD5 6a37314fe92378a49c260a32e766c4da
SHA1 e809f3fa0769e264a549be8e7ea543fd7f96b34e
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26
SHA512 f6fc69d6435705a41235b41dbdf0f7525a3284655a2d8080d84dc1428177fcbe006d29290f5ce21b9f6ec53148f9401e02aadb5be2356a16d3dd5ed38da413f5

C:\Users\Admin\AppData\Local\Temp\sql_support.exe

MD5 6a37314fe92378a49c260a32e766c4da
SHA1 e809f3fa0769e264a549be8e7ea543fd7f96b34e
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26
SHA512 f6fc69d6435705a41235b41dbdf0f7525a3284655a2d8080d84dc1428177fcbe006d29290f5ce21b9f6ec53148f9401e02aadb5be2356a16d3dd5ed38da413f5

memory/1488-81-0x00000000745A0000-0x0000000074B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sql_support.exe

MD5 6a37314fe92378a49c260a32e766c4da
SHA1 e809f3fa0769e264a549be8e7ea543fd7f96b34e
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26
SHA512 f6fc69d6435705a41235b41dbdf0f7525a3284655a2d8080d84dc1428177fcbe006d29290f5ce21b9f6ec53148f9401e02aadb5be2356a16d3dd5ed38da413f5

memory/820-77-0x0000000000000000-mapping.dmp

memory/1628-82-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe

MD5 6a37314fe92378a49c260a32e766c4da
SHA1 e809f3fa0769e264a549be8e7ea543fd7f96b34e
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26
SHA512 f6fc69d6435705a41235b41dbdf0f7525a3284655a2d8080d84dc1428177fcbe006d29290f5ce21b9f6ec53148f9401e02aadb5be2356a16d3dd5ed38da413f5

memory/820-84-0x00000000745A0000-0x0000000074B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome.exe

MD5 6a37314fe92378a49c260a32e766c4da
SHA1 e809f3fa0769e264a549be8e7ea543fd7f96b34e
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26
SHA512 f6fc69d6435705a41235b41dbdf0f7525a3284655a2d8080d84dc1428177fcbe006d29290f5ce21b9f6ec53148f9401e02aadb5be2356a16d3dd5ed38da413f5

memory/268-86-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\aUUUUU.xml

MD5 2c2b3ac9bdef149809bb454149b7e8df
SHA1 3d3fec0a80e3f0ca0e76b9fcff664819341be809
SHA256 43a197a9ffa44eccd7b95bf5f06adb7dfa4432396585984fabb65ba0fe5c31ba
SHA512 4a94125391b50d83050b15918d84ba704638d6a372ae676d28f62672aa7449a4d69c7113da653ebe7776948c604f11686f57c2c654829e291ccb563abb98e3cc

memory/1488-88-0x00000000745A0000-0x0000000074B4B000-memory.dmp

memory/820-89-0x00000000745A0000-0x0000000074B4B000-memory.dmp
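Every dropped executable in this run (sql_support.exe and chrome.exe) carries exactly the MD5, SHA1, SHA256 and SHA512 of the submitted sample, so the "dropped EXE" is a renamed copy of the original rather than a second-stage payload, and the two task-definition XMLs (aBBBBB.xml, aUUUUU.xml) are byte-identical to each other. The script below is an added example, not part of the sandbox report: it parses the report's flattened file listing (a constructed excerpt embedded inline, with the SHA512 lines left out) and groups entries by SHA-256 so that self-copies and duplicate artifacts stand out. The function names and the excerpt are this example's own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed excerpt of the Files section above, kept in the report's own
# flattened layout: a path line, then one "ALGO hexdigest" line per hash,
# with memory-dump lines interleaved.  SHA512 lines are omitted for brevity.
FILES_SECTION = r"""
memory/1392-54-0x0000000075521000-0x0000000075523000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aBBBBB.xml

MD5 2c2b3ac9bdef149809bb454149b7e8df
SHA1 3d3fec0a80e3f0ca0e76b9fcff664819341be809
SHA256 43a197a9ffa44eccd7b95bf5f06adb7dfa4432396585984fabb65ba0fe5c31ba

memory/1488-69-0x000000000041E792-mapping.dmp

\Users\Admin\AppData\Local\Temp\sql_support.exe

MD5 6a37314fe92378a49c260a32e766c4da
SHA1 e809f3fa0769e264a549be8e7ea543fd7f96b34e
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26

C:\Users\Admin\AppData\Local\Temp\sql_support.exe

MD5 6a37314fe92378a49c260a32e766c4da
SHA1 e809f3fa0769e264a549be8e7ea543fd7f96b34e
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26

C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe

MD5 6a37314fe92378a49c260a32e766c4da
SHA1 e809f3fa0769e264a549be8e7ea543fd7f96b34e
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26

C:\Users\Admin\AppData\Local\Temp\chrome.exe

MD5 6a37314fe92378a49c260a32e766c4da
SHA1 e809f3fa0769e264a549be8e7ea543fd7f96b34e
SHA256 798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26

C:\Users\Admin\AppData\Local\Temp\aUUUUU.xml

MD5 2c2b3ac9bdef149809bb454149b7e8df
SHA1 3d3fec0a80e3f0ca0e76b9fcff664819341be809
SHA256 43a197a9ffa44eccd7b95bf5f06adb7dfa4432396585984fabb65ba0fe5c31ba
"""

SAMPLE_SHA256 = "798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26"
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

def parse_files_section(text):
    """Return [{"path": ..., "hashes": {"MD5": ..., ...}}] per file entry; memory dumps are skipped."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:          # hash lines belong to the most recent path line
                current["hashes"][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None                   # dump entries carry no hashes; detach from the previous file
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return [e for e in entries if e["hashes"]]   # drop path lines that never got a hash

def group_by_sha256(entries):
    """Map each SHA-256 to the sorted, distinct file names written with that content."""
    groups = defaultdict(set)
    for e in entries:
        if "SHA256" in e["hashes"]:
            groups[e["hashes"]["SHA256"]].add(ntpath.basename(e["path"]))
    return {sha: sorted(names) for sha, names in groups.items()}

def self_copies(entries, sample_sha256=SAMPLE_SHA256):
    """File names whose content is byte-identical to the submitted sample."""
    return group_by_sha256(entries).get(sample_sha256.lower(), [])

if __name__ == "__main__":
    parsed = parse_files_section(FILES_SECTION)
    for sha, names in group_by_sha256(parsed).items():
        print(f"{sha[:16]}...  {', '.join(names)}")
```

Grouping by basename collapses the `\Users\...` and `C:\Users\...` spellings of the same dropped file; keep the full paths instead when the point is to enumerate every write location for cleanup.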

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-26 23:44

Reported

2022-11-27 17:20

Platform

win10v2004-20221111-en

Max time kernel

330s

Max time network

402s

Command Line

"C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe

"C:\Users\Admin\AppData\Local\Temp\798fbe760dd7a5ae98e1749292f5d545042d546e1702213d0c9f74b749be1f26.exe"

Network

Country | Destination | Domain | Proto | Events
N/A | 93.184.220.29:80 | N/A | tcp | 1
N/A | 93.184.221.240:80 | N/A | tcp | 5
N/A | 20.42.65.89:443 | N/A | tcp | 1
N/A | 20.189.173.10:443 | N/A | tcp | 1
N/A | 104.80.225.205:443 | N/A | tcp | 1

Files

memory/4188-132-0x0000000074AB0000-0x0000000075061000-memory.dmp

memory/4188-133-0x0000000074AB0000-0x0000000075061000-memory.dmp