Malware Analysis Report

2025-08-05 14:34

Sample ID 221127-ac6fhaee96
Target 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24

Threat Level: Known bad

The file 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-27 00:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-27 00:05

Reported

2022-11-27 17:43

Platform

win7-20220901-en

Max time kernel

152s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\MicrosoftServices\ C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
File created C:\Windows\SysWOW64\MicrosoftServices\MicrosoftServices\csrss.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
File created C:\Windows\SysWOW64\MicrosoftServices\MicrosoftServices\csrss.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe:ZONE.identifier C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe:ZONE.identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 992 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 992 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 436 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 436 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 436 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 436 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 436 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 436 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 436 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 436 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 436 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1912 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 2016 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\schtasks.exe
PID 2016 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\schtasks.exe
PID 2016 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\schtasks.exe
PID 2016 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe":ZONE.identifier & exit

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe":ZONE.identifier & exit

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5A61.tmp"
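Three of the behaviours in the process list and signature tables above are worth turning into reusable checks. The cmd.exe line redirects `echo` output into the sample's own `:ZONE.identifier` alternate data stream: a downloaded file carries `[ZoneTransfer]` / `ZoneId=3` (Internet) there, which is what SmartScreen and the "this file came from the Internet" prompts key on, so writing a Trusted-sites value (2) over it, in a one-line layout that does not match the documented two-line format, replaces whatever Mark-of-the-Web the file had (ATT&CK T1553.005). The schtasks.exe line registers a task named "AGP Manager" from an XML file in the user's temp directory (T1053.005); that task name recurs in published NanoCore analyses. The file drop places a `csrss.exe` under `C:\Windows\SysWOW64\MicrosoftServices\MicrosoftServices\`, a protected system-binary name outside its real location (T1036.005). The ATT&CK mappings are the editor's, not the report's. The Python below is an added example, not part of the sandbox report; its inputs are constructed from the lines above, `WRITTEN_STREAM` is what `echo` leaves in the stream (cmd keeps the space before `>` and appends CRLF), the strict `parse_zone_identifier` is an illustration of the documented layout rather than a re-implementation of Windows' own parsing, and the `SYSTEM_BINARIES` list is an assumed set.

```python
import re

# Constructed from the Processes and Signatures sections of behavioral1 above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"
PROCESSES = [
    (SAMPLE, f'"{SAMPLE}"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "' + SAMPLE
     + '":ZONE.identifier & exit'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5A61.tmp"'),
]
DROPPED = [r"C:\Windows\SysWOW64\MicrosoftServices\MicrosoftServices\csrss.exe"]
# What 'echo [zoneTransfer]ZoneID = 2 > file:ZONE.identifier' leaves in the stream
# (cmd keeps the space before '>' and appends CRLF).
WRITTEN_STREAM = "[zoneTransfer]ZoneID = 2 \r\n"

# Documented Zone.Identifier layout: a [ZoneTransfer] section, then ZoneId=<n>.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ADS_WRITE_RE = re.compile(r'>\s*"?(?P<file>[^">]+?)"?:zone\.identifier', re.IGNORECASE)
ZONEID_RE = re.compile(r"zoneid\s*=\s*(\d)", re.IGNORECASE)
SCHTASKS_RE = re.compile(r'/tn\s+"?(?P<name>[^"]+)"?.*?/xml\s+"?(?P<xml>[^"]+)"?', re.IGNORECASE)
# Names of protected system processes; assumed list for the masquerade check.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_zone_identifier(stream_text):
    """Strict reading of the documented layout; None if the stream does not follow it."""
    lines = [ln.strip() for ln in stream_text.splitlines() if ln.strip()]
    if not lines or lines[0].lower() != "[zonetransfer]":
        return None
    for ln in lines[1:]:
        key, _, value = ln.partition("=")
        if key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


def motw_tamper(cmdline):
    """(target_file, zone_written) when a command redirects output into a Zone.Identifier ADS."""
    m = ADS_WRITE_RE.search(cmdline)
    if not m:
        return None
    z = ZONEID_RE.search(cmdline)
    return m.group("file"), (int(z.group(1)) if z else None)


def schtasks_from_temp(cmdline):
    """(task_name, xml_path) for 'schtasks /create ... /xml' fed from a user temp directory."""
    if "/create" not in cmdline.lower():
        return None
    m = SCHTASKS_RE.search(cmdline)
    if m and "\\appdata\\local\\temp\\" in m.group("xml").lower():
        return m.group("name"), m.group("xml")
    return None


def masquerading_drop(path):
    """The path when a protected system-binary name lands anywhere but the System32/SysWOW64 root."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name not in SYSTEM_BINARIES or low[: len(low) - len(name)] in SYSTEM_DIRS:
        return None
    return path


def triage(processes, dropped):
    """Ordered (kind, detail) findings over process command lines and dropped-file paths."""
    findings = []
    for _image, cmdline in processes:
        hit = motw_tamper(cmdline)
        if hit:
            target, zone = hit
            findings.append(("motw-tamper", f"{target} -> ZoneId {zone} ({ZONE_NAMES.get(zone, '?')})"))
        hit = schtasks_from_temp(cmdline)
        if hit:
            findings.append(("schtasks-persistence", f"task {hit[0]!r} from {hit[1]}"))
    for path in dropped:
        if masquerading_drop(path):
            findings.append(("masquerade", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(PROCESSES, DROPPED):
        print(f"{kind:22} {detail}")
    print("stream as written parses to:", parse_zone_identifier(WRITTEN_STREAM))
```

Run as a script it prints one finding per behaviour and shows that the stream the sample writes does not parse under the documented layout, so the file ends up with no readable Internet-zone marking either way. The same three functions work on EDR process-creation and file-creation events, where a redirect into `:Zone.Identifier` from cmd.exe or PowerShell is a low-volume, high-value indicator on its own.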

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 swagkhalifa.ddns.net udp

Files

memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp

memory/992-55-0x0000000074AA0000-0x000000007504B000-memory.dmp

memory/524-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

memory/436-59-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/436-60-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/436-62-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/436-64-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/436-65-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

memory/436-66-0x000000000048FDDE-mapping.dmp

memory/992-68-0x00000000022C6000-0x00000000022D7000-memory.dmp

memory/436-70-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/436-72-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/992-74-0x0000000074AA0000-0x000000007504B000-memory.dmp

memory/992-75-0x00000000022C6000-0x00000000022D7000-memory.dmp

memory/1952-76-0x0000000000000000-mapping.dmp

memory/1912-79-0x0000000000400000-0x00000000004AA000-memory.dmp

\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

memory/1912-80-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

memory/1912-82-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/1912-85-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

memory/1912-86-0x000000000047EDEE-mapping.dmp

memory/1912-89-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/1912-84-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/436-92-0x00000000021B6000-0x00000000021C7000-memory.dmp

memory/1912-91-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/436-94-0x0000000074AA0000-0x000000007504B000-memory.dmp

memory/1912-95-0x0000000074AA0000-0x000000007504B000-memory.dmp

\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

memory/2016-99-0x0000000000400000-0x000000000047C000-memory.dmp

\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

memory/2016-100-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2016-102-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2016-103-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2016-105-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2016-106-0x000000000041EDAE-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

memory/2016-109-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2016-111-0x0000000000400000-0x000000000047C000-memory.dmp

memory/1912-112-0x0000000074AA0000-0x000000007504B000-memory.dmp

memory/628-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5A61.tmp

MD5 2823457b564244a92005e8871de0d5f4
SHA1 60eab43588812664b00b9eb0027b98c23e1c9d82
SHA256 8349670705974436cf7ef4e32215154b5344ae533972e0d5fc84e21b76a665cf
SHA512 4f13f920ae00330a28a574694028eab73d5fa4cf5d5162c1514a96507ee71e7a539324d749db92aa4b1cac088ee4cf786fc7a90c03e75a9eddbb0745fd2e7b60

memory/2016-116-0x0000000074A30000-0x0000000074FDB000-memory.dmp

memory/2016-117-0x0000000074A30000-0x0000000074FDB000-memory.dmp
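The "Suspicious use of WriteProcessMemory" table and the memory artefacts above tell one story when read together. The sample spawns a copy of itself three times in a row (992 -> 436 -> 1912 -> 2016), and for each of those children the Files section records a `-mapping.dmp` with a non-zero address (0x48FDDE, 0x47EDEE, 0x41EDAE) that falls inside a freshly dumped 0x400000-based image of a different size each time, while the cmd.exe and schtasks.exe children only get a 0x0 mapping. Read against the "Suspicious use of SetThreadContext" signature in the summary, that pattern is process hollowing (ATT&CK T1055.012): write a new image into a suspended child of the same executable, point its thread at the new entry point, resume. The Python below is an added example by the editor, not part of the sandbox report. It rebuilds the chain from a constructed subset of the table rows and artefact names, and the reading of a non-zero mapping address as the thread start the sandbox recorded is the editor's assumption about the artefact naming, not something the report states.

```python
import re
from collections import OrderedDict

# Constructed from the behavioral1 tables in this report: one line per distinct
# writer/target pair (the report repeats each pair for every write call).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
WPM_ROWS = [
    f"PID 992 wrote to memory of 524 N/A {SAMPLE} {CMD}",
    f"PID 992 wrote to memory of 436 N/A {SAMPLE} {SAMPLE}",
    f"PID 992 wrote to memory of 436 N/A {SAMPLE} {SAMPLE}",  # repeated row, as in the report
    f"PID 436 wrote to memory of 1952 N/A {SAMPLE} {CMD}",
    f"PID 436 wrote to memory of 1912 N/A {SAMPLE} {SAMPLE}",
    f"PID 1912 wrote to memory of 1752 N/A {SAMPLE} {SAMPLE}",
    f"PID 1912 wrote to memory of 2016 N/A {SAMPLE} {SAMPLE}",
    f"PID 2016 wrote to memory of 628 N/A {SAMPLE} {SCHTASKS}",
]
# Artefact names copied from the Files section (subset).
DUMP_NAMES = [
    "memory/524-56-0x0000000000000000-mapping.dmp",
    "memory/436-59-0x0000000000400000-0x00000000004BA000-memory.dmp",
    "memory/436-66-0x000000000048FDDE-mapping.dmp",
    "memory/1952-76-0x0000000000000000-mapping.dmp",
    "memory/1912-79-0x0000000000400000-0x00000000004AA000-memory.dmp",
    "memory/1912-86-0x000000000047EDEE-mapping.dmp",
    "memory/2016-99-0x0000000000400000-0x000000000047C000-memory.dmp",
    "memory/2016-106-0x000000000041EDAE-mapping.dmp",
    "memory/628-114-0x0000000000000000-mapping.dmp",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
MAPPING_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")
REGION_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_writes(rows):
    """De-duplicated (writer_pid, target_pid, writer_image, target_image) tuples, report order."""
    edges = OrderedDict()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst), src_img, dst_img)] = None
    return list(edges)


def parse_dumps(names):
    """pid -> recorded mapping address, and pid -> [(start, end)] of dumped image regions."""
    entry, regions = {}, {}
    for name in names:
        m = MAPPING_RE.match(name)
        if m:
            entry[int(m.group(1))] = int(m.group(2), 16)
            continue
        m = REGION_RE.match(name)
        if m:
            regions.setdefault(int(m.group(1)), []).append(
                (int(m.group(2), 16), int(m.group(3), 16)))
    return entry, regions


def classify(rows, names):
    """
    Assumption (analyst heuristic, not a sandbox rule): a non-zero mapping address is the
    thread start the sandbox saw for the target. A parent writing into a child running the
    same image, whose thread start lies inside a region dumped from that child, matches
    process hollowing (WriteProcessMemory followed by SetThreadContext, both flagged above).
    A zero mapping address is what an ordinary CreateProcess child looks like here.
    """
    entry, regions = parse_dumps(names)
    findings = []
    for src, dst, src_img, dst_img in parse_writes(rows):
        ep = entry.get(dst, 0)
        same_image = src_img.lower() == dst_img.lower()
        in_region = any(lo <= ep < hi for lo, hi in regions.get(dst, []))
        if same_image and ep and in_region:
            kind = "hollowing-candidate"
        elif same_image:
            kind = "self-image-child"   # same image, but no thread-start evidence in the dumps
        else:
            kind = "child-launch"
        findings.append((src, dst, dst_img.rsplit("\\", 1)[-1], kind, ep))
    return findings


def render(findings):
    """One line per edge, e.g. '992 -> 436 <image> [hollowing-candidate] entry=0x48FDDE'."""
    return "\n".join(
        f"{src} -> {dst} {image} [{kind}]" + (f" entry=0x{ep:X}" if ep else "")
        for src, dst, image, kind, ep in findings)


if __name__ == "__main__":
    print(render(classify(WPM_ROWS, DUMP_NAMES)))
```

On the rows above this yields three hollowing candidates (436, 1912, 2016), one same-image child without dump evidence (1752, for which the Files section lists nothing), and three ordinary launches (cmd.exe twice, schtasks.exe once). The shrinking image sizes (0xBA000, 0xAA000, 0x7C000) are consistent with a loader unwrapping one stage per hop; that is an inference from the artefact names, and the dumped region for PID 2016 is the one to carve for the NanoCore configuration.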

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-27 00:05

Reported

2022-11-27 17:43

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\MicrosoftServices\MicrosoftServices\csrss.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
File opened for modification C:\Windows\SysWOW64\MicrosoftServices\ C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
File created C:\Windows\SysWOW64\MicrosoftServices\MicrosoftServices\csrss.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe:ZONE.identifier C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe:ZONE.identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1400 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1400 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1400 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1400 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1400 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1400 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 1400 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 444 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 444 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 444 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 444 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 444 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 444 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 444 wrote to memory of 4628 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 4628 wrote to memory of 2528 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe
PID 2528 wrote to memory of 4088 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe":ZONE.identifier & exit

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe":ZONE.identifier & exit

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

"C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp47A8.tmp"

Network

Country Destination Domain Proto Count
N/A 20.44.10.122:443 tcp 1
N/A 8.238.21.126:80 tcp 3
N/A 8.8.8.8:53 swagkhalifa.ddns.net udp 16
N/A 8.8.8.8:53 14.110.152.52.in-addr.arpa udp 1

Files

memory/1400-132-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/1400-133-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/4008-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe

MD5 e41259bdd0aea7906328664ee832eee4
SHA1 d91c83b3ed2cc305306ad91ab6ea63c71484eb42
SHA256 5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24
SHA512 8c6748831a6308d839ae44556e9b51936d67833473aa9ee0b4a5f351e0ab3e95d6257bb5bdf3ec4bbc6234315c26837d04a9d9c19674ddc96828e3755a8c87f7

memory/444-136-0x0000000000000000-mapping.dmp

memory/444-137-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/444-139-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/1400-140-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/4728-141-0x0000000000000000-mapping.dmp

memory/4628-143-0x0000000000000000-mapping.dmp

memory/4628-144-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\5c3957967de7ecb76bde5018c70bd7e31dd6ac74c1ef8e6a6f1bec57fbda4c24.exe.log

MD5 025b651197a4e2e1582d1b06958c1b91
SHA1 824504eaa5092ab3834a2feba7fdfd1492c3e28a
SHA256 1210ce1260f4f2db72186e5a5a7a094e3512876ca4b60263864250a0aebde2e7
SHA512 29908a50ce65051eefe631a4938bc08c0967d3117c99120a9b0ffef35801bfef124165906b767e357a2656a7f584e85fb82c7e3f8b8084ff9756fd621c73a024

memory/444-147-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/4628-148-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/2528-149-0x0000000000000000-mapping.dmp

memory/2528-150-0x0000000000400000-0x000000000047C000-memory.dmp

memory/4628-152-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/2528-153-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/4088-154-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp47A8.tmp

MD5 2823457b564244a92005e8871de0d5f4
SHA1 60eab43588812664b00b9eb0027b98c23e1c9d82
SHA256 8349670705974436cf7ef4e32215154b5344ae533972e0d5fc84e21b76a665cf
SHA512 4f13f920ae00330a28a574694028eab73d5fa4cf5d5162c1514a96507ee71e7a539324d749db92aa4b1cac088ee4cf786fc7a90c03e75a9eddbb0745fd2e7b60

memory/2528-156-0x0000000074F40000-0x00000000754F1000-memory.dmp