nanocore | a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe
Size

1.2MB
MD5

f8161e8a13a21dabae65527a56657f16
SHA1

cf815c466843d425fb21001fbb6964552451f6ba
SHA256

a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f
SHA512

189f10c0565ae6a2d08569bfd3cc806f096389d7c06dfee68d36b56fce4acd94d0d8b36c8a336ea256f89e0c5a458b66705f94585a1cdacd9a9597801c26b074
SSDEEP

24576:WS1bBcWjWkK/ZTp/TNy+CmekoQeyzlO4MwVd4LrXKsljGF:W4ikuZTp/5y+VenBsObgEXX

Score

10^/10

nanocore pony collection discovery keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

pony

http://alibaba007.comoj.com/html/gate.php

Extracted

Family

nanocore

Version

1.2.1.1

businessdb00.no-ip.biz:1999

businessdb01.no-ip.biz:1999

Mutex

cfd529a1-d587-4775-9e78-6628c527f1a1

Attributes

activate_away_mode
true
backup_connection_host
businessdb01.no-ip.biz
backup_dns_server
buffer_size
65535
build_time
2014-09-21T04:11:02.597494336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1999
default_group
Alibaba
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
cfd529a1-d587-4775-9e78-6628c527f1a1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
businessdb00.no-ip.biz
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.1.1
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 3 IoCs

Processes:

File.exenotepad .exemicrosoft .exe

pid process

2020 File.exe
1868 notepad .exe
2004 microsoft .exe

pid	process
2020	File.exe
1868	notepad .exe
2004	microsoft .exe

Drops startup file 3 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	cmd.exe

Loads dropped DLL 4 IoCs

Processes:

a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exeFile.exe

pid	process
2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe
2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe
2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe
2020	File.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

notepad .exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	notepad .exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

notepad .exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	notepad .exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

File.exea53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe

description	pid	process	target process
PID 2020 set thread context of 1868	2020	File.exe	notepad .exe
PID 2032 set thread context of 2004	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	microsoft .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1656 timeout.exe

pid	process
1656	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exeFile.exe

pid	process
2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe
2020	File.exe
2020	File.exe
2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exeFile.exenotepad .exe

description	pid	process
Token: SeDebugPrivilege	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe
Token: 33	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe
Token: SeIncBasePriorityPrivilege	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe
Token: SeDebugPrivilege	2020	File.exe
Token: 33	2020	File.exe
Token: SeIncBasePriorityPrivilege	2020	File.exe
Token: SeImpersonatePrivilege	1868	notepad .exe
Token: SeTcbPrivilege	1868	notepad .exe
Token: SeChangeNotifyPrivilege	1868	notepad .exe
Token: SeCreateTokenPrivilege	1868	notepad .exe
Token: SeBackupPrivilege	1868	notepad .exe
Token: SeRestorePrivilege	1868	notepad .exe
Token: SeIncreaseQuotaPrivilege	1868	notepad .exe
Token: SeAssignPrimaryTokenPrivilege	1868	notepad .exe
Token: SeImpersonatePrivilege	1868	notepad .exe
Token: SeTcbPrivilege	1868	notepad .exe
Token: SeChangeNotifyPrivilege	1868	notepad .exe
Token: SeCreateTokenPrivilege	1868	notepad .exe
Token: SeBackupPrivilege	1868	notepad .exe
Token: SeRestorePrivilege	1868	notepad .exe
Token: SeIncreaseQuotaPrivilege	1868	notepad .exe
Token: SeAssignPrimaryTokenPrivilege	1868	notepad .exe
Token: SeImpersonatePrivilege	1868	notepad .exe
Token: SeTcbPrivilege	1868	notepad .exe
Token: SeChangeNotifyPrivilege	1868	notepad .exe
Token: SeCreateTokenPrivilege	1868	notepad .exe
Token: SeBackupPrivilege	1868	notepad .exe
Token: SeRestorePrivilege	1868	notepad .exe
Token: SeIncreaseQuotaPrivilege	1868	notepad .exe
Token: SeAssignPrimaryTokenPrivilege	1868	notepad .exe
Token: SeImpersonatePrivilege	1868	notepad .exe
Token: SeTcbPrivilege	1868	notepad .exe
Token: SeChangeNotifyPrivilege	1868	notepad .exe
Token: SeCreateTokenPrivilege	1868	notepad .exe
Token: SeBackupPrivilege	1868	notepad .exe
Token: SeRestorePrivilege	1868	notepad .exe
Token: SeIncreaseQuotaPrivilege	1868	notepad .exe
Token: SeAssignPrimaryTokenPrivilege	1868	notepad .exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exeFile.execmd.execmd.exewscript.exewscript.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 2020	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	File.exe
PID 2032 wrote to memory of 2020	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	File.exe
PID 2032 wrote to memory of 2020	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	File.exe
PID 2032 wrote to memory of 2020	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	File.exe
PID 2032 wrote to memory of 1628	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	cmd.exe
PID 2032 wrote to memory of 1628	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	cmd.exe
PID 2032 wrote to memory of 1628	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	cmd.exe
PID 2032 wrote to memory of 1628	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	cmd.exe
PID 2020 wrote to memory of 1732	2020	File.exe	cmd.exe
PID 2020 wrote to memory of 1732	2020	File.exe	cmd.exe
PID 2020 wrote to memory of 1732	2020	File.exe	cmd.exe
PID 2020 wrote to memory of 1732	2020	File.exe	cmd.exe
PID 2032 wrote to memory of 2004	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	microsoft .exe
PID 2032 wrote to memory of 2004	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	microsoft .exe
PID 2032 wrote to memory of 2004	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	microsoft .exe
PID 2032 wrote to memory of 2004	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	microsoft .exe
PID 2020 wrote to memory of 1868	2020	File.exe	notepad .exe
PID 2020 wrote to memory of 1868	2020	File.exe	notepad .exe
PID 2020 wrote to memory of 1868	2020	File.exe	notepad .exe
PID 2020 wrote to memory of 1868	2020	File.exe	notepad .exe
PID 1628 wrote to memory of 1720	1628	cmd.exe	wscript.exe
PID 1628 wrote to memory of 1720	1628	cmd.exe	wscript.exe
PID 1628 wrote to memory of 1720	1628	cmd.exe	wscript.exe
PID 1628 wrote to memory of 1720	1628	cmd.exe	wscript.exe
PID 2032 wrote to memory of 2004	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	microsoft .exe
PID 2020 wrote to memory of 1868	2020	File.exe	notepad .exe
PID 2020 wrote to memory of 1868	2020	File.exe	notepad .exe
PID 2020 wrote to memory of 1868	2020	File.exe	notepad .exe
PID 2020 wrote to memory of 1868	2020	File.exe	notepad .exe
PID 2020 wrote to memory of 1868	2020	File.exe	notepad .exe
PID 2032 wrote to memory of 2004	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	microsoft .exe
PID 2032 wrote to memory of 2004	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	microsoft .exe
PID 1732 wrote to memory of 540	1732	cmd.exe	wscript.exe
PID 1732 wrote to memory of 540	1732	cmd.exe	wscript.exe
PID 1732 wrote to memory of 540	1732	cmd.exe	wscript.exe
PID 1732 wrote to memory of 540	1732	cmd.exe	wscript.exe
PID 2032 wrote to memory of 2004	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	microsoft .exe
PID 2032 wrote to memory of 2004	2032	a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe	microsoft .exe
PID 540 wrote to memory of 1948	540	wscript.exe	cmd.exe
PID 540 wrote to memory of 1948	540	wscript.exe	cmd.exe
PID 540 wrote to memory of 1948	540	wscript.exe	cmd.exe
PID 540 wrote to memory of 1948	540	wscript.exe	cmd.exe
PID 1720 wrote to memory of 1944	1720	wscript.exe	cmd.exe
PID 1720 wrote to memory of 1944	1720	wscript.exe	cmd.exe
PID 1720 wrote to memory of 1944	1720	wscript.exe	cmd.exe
PID 1720 wrote to memory of 1944	1720	wscript.exe	cmd.exe
PID 2020 wrote to memory of 1188	2020	File.exe	cmd.exe
PID 2020 wrote to memory of 1188	2020	File.exe	cmd.exe
PID 2020 wrote to memory of 1188	2020	File.exe	cmd.exe
PID 2020 wrote to memory of 1188	2020	File.exe	cmd.exe
PID 1188 wrote to memory of 1656	1188	cmd.exe	timeout.exe
PID 1188 wrote to memory of 1656	1188	cmd.exe	timeout.exe
PID 1188 wrote to memory of 1656	1188	cmd.exe	timeout.exe
PID 1188 wrote to memory of 1656	1188	cmd.exe	timeout.exe

outlook_win_path 1 IoCs

Processes:

notepad .exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	notepad .exe

C:\Users\Admin\AppData\Local\Temp\a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe
"C:\Users\Admin\AppData\Local\Temp\a53f2a09a4e4a2522b4cad46f744048beaa55084fb0982f1189fcaf36164623f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
        5⤵
        Drops startup file
        
        PID:1948
- - C:\Users\Admin\AppData\Local\Temp\notepad .exe
    "C:\Users\Admin\AppData\Local\Temp\notepad .exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\notepad.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 300
      4⤵
      Delays execution with timeout.exe
      PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
      4⤵
      Drops startup file
      PID:1944
- C:\Users\Admin\AppData\Local\Temp\microsoft .exe
  "C:\Users\Admin\AppData\Local\Temp\microsoft .exe"
  2⤵
  - Executes dropped EXE
  PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
400KB

MD5
fc5302c83a500ae79fb00eec92c8bbd0

SHA1
74bffb6fa5a658279dcd9f82e3c739e0eb2a4863

SHA256
39798a65c94a8adc38420a1aeded5cba7057a151bbab93876f0c939c76dd14e8

SHA512
62d53fe20c35ff0bc910da1d0f52d9934578a98837ac78e6e18f05bdec40cae00c2cefdf3ba107cf2677fe0182076c8d8af019289af9eea76483e0c69c40abea

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
400KB

MD5
fc5302c83a500ae79fb00eec92c8bbd0

SHA1
74bffb6fa5a658279dcd9f82e3c739e0eb2a4863

SHA256
39798a65c94a8adc38420a1aeded5cba7057a151bbab93876f0c939c76dd14e8

SHA512
62d53fe20c35ff0bc910da1d0f52d9934578a98837ac78e6e18f05bdec40cae00c2cefdf3ba107cf2677fe0182076c8d8af019289af9eea76483e0c69c40abea

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat

Filesize
69B

MD5
c96a3b31fc4a115c977ce5d8a3256f4f

SHA1
8c71b0d75099af30ac1fe33266e3970b47ba716d

SHA256
a5b672a4863abcf46556d2e606b2833e8897a3206e554ad93043a82a792df49e

SHA512
f4337e85ca0b3c0242c35a09f1ff7154c9e37ea3c7de3c2337385fb4b57e25a8550877ce2f37d023c94a3fa69b2b4e003207790297879d29a5bbe4856d0a0f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat

Filesize
69B

MD5
c96a3b31fc4a115c977ce5d8a3256f4f

SHA1
8c71b0d75099af30ac1fe33266e3970b47ba716d

SHA256
a5b672a4863abcf46556d2e606b2833e8897a3206e554ad93043a82a792df49e

SHA512
f4337e85ca0b3c0242c35a09f1ff7154c9e37ea3c7de3c2337385fb4b57e25a8550877ce2f37d023c94a3fa69b2b4e003207790297879d29a5bbe4856d0a0f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat

Filesize
109B

MD5
bea41794e37313cb15b71324582a4019

SHA1
984efac58459f8ddb37854ea39a2845d61e5789c

SHA256
31556b6c8a291d5637f445752eb32889448e90a6841d96e828a99e94f9b9f595

SHA512
78eb95b36010a5c625957dd2bed3aa3ba06fa04846623d55c52bc11e70a4970d0e41d87d0084ea2c8303bef0108378ab836e634b53db9911412d2d3373c25cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat

Filesize
109B

MD5
bea41794e37313cb15b71324582a4019

SHA1
984efac58459f8ddb37854ea39a2845d61e5789c

SHA256
31556b6c8a291d5637f445752eb32889448e90a6841d96e828a99e94f9b9f595

SHA512
78eb95b36010a5c625957dd2bed3aa3ba06fa04846623d55c52bc11e70a4970d0e41d87d0084ea2c8303bef0108378ab836e634b53db9911412d2d3373c25cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\notepad.bat

Filesize
222B

MD5
bcc404891a0334e1b2dea09384edc360

SHA1
a9a0da611de43db8c6b6bd45afd01a22340950df

SHA256
db4765bc7c35da763911ea3290eb1fbe1387a3d533f971fe31ba160598e2a35d

SHA512
47cf079b857a573867938d6340db9228521cdf09771198017ac56ecb7a813fcd463a193b2119ac2446ef06e70d90e9bdd1aa02db0ca72c4cd7ae217845e63d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\rundll11-.txt

Filesize
400KB

MD5
fc5302c83a500ae79fb00eec92c8bbd0

SHA1
74bffb6fa5a658279dcd9f82e3c739e0eb2a4863

SHA256
39798a65c94a8adc38420a1aeded5cba7057a151bbab93876f0c939c76dd14e8

SHA512
62d53fe20c35ff0bc910da1d0f52d9934578a98837ac78e6e18f05bdec40cae00c2cefdf3ba107cf2677fe0182076c8d8af019289af9eea76483e0c69c40abea

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\rundll11-.txt

Filesize
400KB

MD5
fc5302c83a500ae79fb00eec92c8bbd0

SHA1
74bffb6fa5a658279dcd9f82e3c739e0eb2a4863

SHA256
39798a65c94a8adc38420a1aeded5cba7057a151bbab93876f0c939c76dd14e8

SHA512
62d53fe20c35ff0bc910da1d0f52d9934578a98837ac78e6e18f05bdec40cae00c2cefdf3ba107cf2677fe0182076c8d8af019289af9eea76483e0c69c40abea

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoft .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Filesize
400KB

MD5
fc5302c83a500ae79fb00eec92c8bbd0

SHA1
74bffb6fa5a658279dcd9f82e3c739e0eb2a4863

SHA256
39798a65c94a8adc38420a1aeded5cba7057a151bbab93876f0c939c76dd14e8

SHA512
62d53fe20c35ff0bc910da1d0f52d9934578a98837ac78e6e18f05bdec40cae00c2cefdf3ba107cf2677fe0182076c8d8af019289af9eea76483e0c69c40abea

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
400KB

MD5
fc5302c83a500ae79fb00eec92c8bbd0

SHA1
74bffb6fa5a658279dcd9f82e3c739e0eb2a4863

SHA256
39798a65c94a8adc38420a1aeded5cba7057a151bbab93876f0c939c76dd14e8

SHA512
62d53fe20c35ff0bc910da1d0f52d9934578a98837ac78e6e18f05bdec40cae00c2cefdf3ba107cf2677fe0182076c8d8af019289af9eea76483e0c69c40abea

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
400KB

MD5
fc5302c83a500ae79fb00eec92c8bbd0

SHA1
74bffb6fa5a658279dcd9f82e3c739e0eb2a4863

SHA256
39798a65c94a8adc38420a1aeded5cba7057a151bbab93876f0c939c76dd14e8

SHA512
62d53fe20c35ff0bc910da1d0f52d9934578a98837ac78e6e18f05bdec40cae00c2cefdf3ba107cf2677fe0182076c8d8af019289af9eea76483e0c69c40abea

Download Submit
\Users\Admin\AppData\Local\Temp\microsoft .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/540-86-0x0000000000000000-mapping.dmp

Download
memory/1188-107-0x0000000000000000-mapping.dmp

Download
memory/1628-61-0x0000000000000000-mapping.dmp

Download
memory/1656-109-0x0000000000000000-mapping.dmp

Download
memory/1720-71-0x0000000000000000-mapping.dmp

Download
memory/1732-66-0x0000000000000000-mapping.dmp

Download
memory/1868-93-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1868-79-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1868-73-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1868-104-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/1868-76-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1868-77-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1868-74-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1868-80-0x000000000041003F-mapping.dmp

Download
memory/1944-100-0x0000000000000000-mapping.dmp

Download
memory/1948-99-0x0000000000000000-mapping.dmp

Download
memory/2004-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-88-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-85-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-89-0x000000000041EDAE-mapping.dmp

Download
memory/2020-57-0x0000000000000000-mapping.dmp

Download
memory/2020-106-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-101-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-111-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-105-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-98-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2032-110-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download