Malware Analysis Report

2025-06-16 06:18

Sample ID 240106-wwfvvaefg7
Target 80C6039DC12399E3F771632F0A44C4C3.exe
SHA256 f6b10c59c9ce33c5c8f6b02c3293fe5d479e59542698c91b15af74bcce50ab8f
Tags
nanocore njrat stupids collection evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f6b10c59c9ce33c5c8f6b02c3293fe5d479e59542698c91b15af74bcce50ab8f

Threat Level: Known bad

The file 80C6039DC12399E3F771632F0A44C4C3.exe was found to be: Known bad.

Malicious Activity Summary

nanocore njrat stupids collection evasion keylogger persistence spyware stealer trojan

njRAT/Bladabindi

NanoCore

NirSoft MailPassView

Nirsoft

Executes dropped EXE

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Loads dropped DLL

Accesses Microsoft Outlook accounts

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-06 18:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 18:16

Reported

2024-01-06 18:19

Platform

win7-20231215-en

Max time kernel

157s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

njRAT/Bladabindi

trojan njrat

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe" | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe" | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sanas.scr" | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2328 set thread context of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 set thread context of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\ARP Service\arpsvc.exe | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
File created | C:\Program Files (x86)\ARP Service\arpsvc.exe | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A
N/A | N/A | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1720 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe
PID 1720 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe
PID 1720 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe
PID 1720 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe
PID 1720 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\microsofts.exe
PID 1720 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\microsofts.exe
PID 1720 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\microsofts.exe
PID 1720 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\microsofts.exe
PID 1720 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\sanas.scr
PID 1720 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\sanas.scr
PID 1720 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\sanas.scr
PID 1720 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | C:\Users\Admin\AppData\Local\Temp\sanas.scr
PID 2160 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\FreeScript.exe
PID 2160 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\FreeScript.exe
PID 2160 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\FreeScript.exe
PID 2160 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\FreeScript.exe
PID 2160 wrote to memory of 784 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2160 wrote to memory of 784 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2160 wrote to memory of 784 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2160 wrote to memory of 784 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2160 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\Server2223.exe
PID 2160 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\Server2223.exe
PID 2160 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\Server2223.exe
PID 2160 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | C:\Users\Admin\AppData\Local\Temp\Server2223.exe
PID 2780 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | C:\Windows\system32\rundll32.exe
PID 2780 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | C:\Windows\system32\rundll32.exe
PID 2780 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | C:\Windows\system32\rundll32.exe
PID 784 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
PID 784 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
PID 784 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
PID 2328 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe

"C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"

C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe

"C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe"

C:\Users\Admin\AppData\Local\Temp\microsofts.exe

"C:\Users\Admin\AppData\Local\Temp\microsofts.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAcQB3ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAaQBmACAAZQByAHIAbwByAHMAIABjAG8AbgB0AGEAYwB0ACAAbQBlACAAbQBhAGkAawBrAGkANAAyADAAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHMAbABwACMAPgA="

C:\Users\Admin\AppData\Local\Temp\sanas.scr

"C:\Users\Admin\AppData\Local\Temp\sanas.scr" /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcAB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZQBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAeQBqACMAPgA="

C:\Users\Admin\AppData\Local\Temp\FreeScript.exe

"C:\Users\Admin\AppData\Local\Temp\FreeScript.exe"

C:\Users\Admin\AppData\Local\Temp\Server2223.exe

"C:\Users\Admin\AppData\Local\Temp\Server2223.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Server

C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe

"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe

"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\tzgozqiz.fac"

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe

"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\0jnz403f.ivn"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | links-transition.gl.at.ply.gg | udp
US | 147.185.221.17:41958 | links-transition.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | fall-sustained.gl.at.ply.gg | udp
US | 147.185.221.17:41937 | fall-sustained.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | plan-holder.at.ply.gg | udp
US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp
US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp
US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp
US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp
US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp
US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp
US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp

Files

\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe

MD5 4c624867a94fee20d81b9e14755165de
SHA1 6f5afb06ff6278616f8fb0cd81ad1e164b0fee24
SHA256 9a1ef7b5af62c005df90a75846e390e1695ecd18c7727b8e039e4b5842d6f388
SHA512 0a40dc67d116b9726c3129a88e82c536273b4ad42f850ca78828b042dc5d20313caf1ee8a8a7136efab6027fa2f7bcf1551fac61f239c10d865f5664a8006064

\Users\Admin\AppData\Local\Temp\microsofts.exe

MD5 5fdd418baf9c0d789e67758ad9f2dd1a
SHA1 c0be3be193af670cfe01a64aef7c5b0a0b9d091a
SHA256 82f59d1a1a65c0651ae7a965bb6481ba1351ea9efc9f9457de372043709e5a47
SHA512 9ace7aed4e4db6f2df7a8df22227079acf176cb7b7e90a0d2638dfd44296653fae6194531a7335fb10fd9396f3cd4f11621715b2a2e4f948209055a809b00c50

\Users\Admin\AppData\Local\Temp\sanas.scr

MD5 b7cedaa564e3fb095f94aef59f7ed0da
SHA1 3f93a84f2d290840cfb5418e15c47dda39ab967d
SHA256 526a5aae8d6af5d4af48bef2bf37f6a79b1584b7b48d32bef6a2f6f4ee69ccfc
SHA512 18d274dba047179d7cc6b2bb14ede76618bf5c93d8a4b4d1a32bbcf2f6494c9ecc4a601a5a4eae5d7672967be5c3a0c5bfc402f97626638ba7825d6412538f7d

C:\Users\Admin\AppData\Local\Temp\FreeScript.exe

MD5 799c188cf6df366f4c0f98b8800a4977
SHA1 161d6006518879ecba6cf45b29599992d8eadfce
SHA256 32e96ac5e9d2f869ad11ca48401ca8eaeb520027751427145ddb5ab43bce1841
SHA512 32a3749f4ef40e9345644c84666207a7c4f0369274cc18f71eecd1eeb6ea22733bc4cc6751f7281bbdff7e0a2187209a6c00653a95d6d39adb4dab06f355e1b1

\Users\Admin\AppData\Local\Temp\FreeScript.exe

MD5 42c65d605a64d8aec459d064f2e73c6c
SHA1 2ce31f3d85f0f55114c365ac07f13984d83434fa
SHA256 05fb898d917829cc0148b44b2cda2d0fa9bd1864c2034f94e8232cef76ff8325
SHA512 4436d13b33d4bad25da7cd77519aab5f369d8e3d873604280c151422916172d1dfebd2a8aafd8d51242601898fb742f2a16af1e5bb35ace4026fc045df398152

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 b9d1be8ae4f4a7a77f309b032a914564
SHA1 3b9da974e959adbb0f12705c64fd58e0c8ec5b18
SHA256 5f9c9f9af0dc5779d63ea334443d512d675b99c588f2505b652d49d02650c3ba
SHA512 dfadf27f176fe700df9dd9a979e030d362e906a25815eccb1a40c09d8dfee542a75ababbc361833742891fd5d0358233ad68cac05c12aedca1e5d93ae370fc14

\Users\Admin\AppData\Local\Temp\Server.exe

MD5 0b9e45143182f10bde6fff990736d04d
SHA1 de8ceb06ea033e91d69f3f309a66a9b8d2603b9e
SHA256 938c8fb00f7f43b043c53a41f10841c4754f2f82ff4e10b6e3d25c4795db4b28
SHA512 e4fc33f11016bb5f5b847d672afe8825826d185fe63c7924cf0601c5977f41687c930159eefba9150e2fd283b22d7f381efe93fae5f25132dd86055b0be00249

C:\Users\Admin\AppData\Local\Temp\Server2223.exe

MD5 86757f6c08b6cb698250cc9fc1816a8e
SHA1 fa8a2fbc982943a031ad202b3e4b1cdb11bcff6a
SHA256 98fa9c5139362be3e25333a7c48229ed220cc61c0dc41b8270e66d2886aa7dff
SHA512 cb87cf73deda4299561af9e7c4d65a82816ca5f82890edd76cfec258dbf973b197cd6c40bca2f8643d39f451072e71c5f9529864689cc68097a4382bec97a7dc

C:\Users\Admin\AppData\Local\Temp\Server2223.exe

MD5 1c4da972f19b9b17a4131bc7061dc7af
SHA1 4d56a55b060a91e56be8958908747bd55a167ad8
SHA256 b64dc28af6c4090f604d113946f0958c05763c71c63d864f160f34f6ae905431
SHA512 13a37c99a1599f8bed06df229ebb011109fffa0cfc991f4d40714f5c9592b9984e748de5084bd13abf94cc524f7215e67c8ce7aefbce99732f4eccb873a11281

\Users\Admin\AppData\Local\Temp\Server2223.exe

MD5 2d66b8b76c4331aa371c4f93b38451a9
SHA1 2e6a05a162de54858e5693098b483fdfc797dd01
SHA256 91a67fb63c52a6c3a72db412b118fb35c87164d131ab5fd059703c60aef1aab6
SHA512 48820cd84a6c49c93f2b5ebfa27ee95a62948fe3e3f6453df161f1762d7993bc910234b2d9ca03108a44e35223de4feeb1fd3deb367d0babef7f8307ff86866e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1K7DPGZQTW99TYG2FPZW.temp

MD5 b69b633770273a207d0a6cbfd63f1e10
SHA1 66bb1d35ab42aa080c465b558b469107819722e9
SHA256 7b2df526bbb1a7e58287fecd97cb61b922220d9d1d21b510e98e22f1b8080b1b
SHA512 82aa68d9e0aaa7feaeb368716f5c8525190ba576e794091e5e10bb8769df4de9b2ae7723c0306731d28c297aa54a06e6337818d1cbb2bd09113e9d9dddfb9bcc

memory/2780-51-0x0000000001FA0000-0x0000000002020000-memory.dmp

memory/2780-50-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

memory/784-52-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

memory/784-53-0x0000000001F90000-0x0000000002010000-memory.dmp

memory/1916-54-0x00000000737D0000-0x0000000073D7B000-memory.dmp

memory/2328-55-0x00000000737D0000-0x0000000073D7B000-memory.dmp

memory/2328-56-0x00000000004C0000-0x0000000000500000-memory.dmp

memory/2328-57-0x00000000737D0000-0x0000000073D7B000-memory.dmp

memory/1916-58-0x00000000023D0000-0x0000000002410000-memory.dmp

memory/2708-60-0x00000000737D0000-0x0000000073D7B000-memory.dmp

memory/1916-61-0x00000000737D0000-0x0000000073D7B000-memory.dmp

memory/2560-64-0x00000000002B0000-0x00000000002F0000-memory.dmp

memory/2560-65-0x00000000002B0000-0x00000000002F0000-memory.dmp

memory/2708-63-0x0000000001E40000-0x0000000001E80000-memory.dmp

memory/2560-62-0x00000000737D0000-0x0000000073D7B000-memory.dmp

memory/2708-67-0x0000000001E40000-0x0000000001E80000-memory.dmp

memory/2780-66-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

memory/1916-70-0x00000000737D0000-0x0000000073D7B000-memory.dmp

memory/2780-73-0x0000000001FA0000-0x0000000002020000-memory.dmp

memory/784-72-0x0000000001F90000-0x0000000002010000-memory.dmp

memory/2560-71-0x00000000737D0000-0x0000000073D7B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\melt.txt

MD5 5389b11510f65424863e2e9724bd65e4
SHA1 071102005e3217b50283b71ee33858bb15606549
SHA256 fecb0cdb9664c0c83a84dff897fecff3773df1d4d5a6fc5c84e2187027315fa7
SHA512 ba78a6c2619bd7a4d4428a5b0b739e109dfa9ddb8925a005067f8b7091744bd9e16e007d32f62ae42768f3f45fb8aefe496f5a3ef617862127b53a88f86514ff

C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe

MD5 a6791ce328bbeb45b5c94fc0f7c0a2cd
SHA1 aee4953385feb9a57a6dde8d6022a5feabe4bb5b
SHA256 231b468f237017af2b49885473cb4fd670f9794bce204d7d5712afaff02ed3de
SHA512 565924c6673ca22ce8edf43a93dae1d5556d1a9c4a6ddb6c9ae7d8d84871d5fd28cc86d36061e022f7902aff8e3d3c17790ed25b3e193fcce6909c268e696e6d

C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe

MD5 3fddfcbf4d1ad3af7ecb226649f8201c
SHA1 106fa1517c77ad55c306d640afa495318c9702b9
SHA256 eba86f8181f775a75983054f58eeccd914d80b02697076e89a20c7f8318db5d1
SHA512 06eb37faa45d360f059e10324410ecd075a055d3614095087b23d07a16566e71ea776985ec905205b176527790eb84350f4a8c44b627141e3b11655ce842ea1c

memory/784-86-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

memory/1868-85-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

memory/1868-87-0x0000000000A90000-0x0000000000B10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\melt.txt

MD5 fba0a770926236f6ba95be6e970e6b84
SHA1 6706c0cf9ce59152c17b887d454c877a9579bd1d
SHA256 10f09dcc6b21f03ab4293d302475f90c96ccc4b746bb3dcdc1b241bcac03aca6
SHA512 700016be260852b8909b69e0fbf26ffc24d3ebfe40604e8f5d8a0bc76dcef861c11b269047ec5b68177dd7f29b8836f92c38864a5a42568f8a1ac8f360fcf252

memory/1868-91-0x0000000000A90000-0x0000000000B10000-memory.dmp

memory/1868-88-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

memory/1868-93-0x0000000000A90000-0x0000000000B10000-memory.dmp

memory/1868-94-0x0000000000A90000-0x0000000000B10000-memory.dmp

memory/2780-96-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

memory/2328-98-0x00000000004C0000-0x0000000000500000-memory.dmp

memory/2708-99-0x00000000737D0000-0x0000000073D7B000-memory.dmp

memory/2708-100-0x0000000001E40000-0x0000000001E80000-memory.dmp

memory/2328-97-0x00000000737D0000-0x0000000073D7B000-memory.dmp

memory/2708-101-0x0000000001E40000-0x0000000001E80000-memory.dmp

memory/1868-102-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

memory/1868-103-0x0000000000A90000-0x0000000000B10000-memory.dmp

memory/1868-104-0x0000000000A90000-0x0000000000B10000-memory.dmp

memory/1868-105-0x0000000000A90000-0x0000000000B10000-memory.dmp

memory/2708-106-0x00000000737D0000-0x0000000073D7B000-memory.dmp

memory/1312-107-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1312-111-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1312-112-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1312-109-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1312-114-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1312-113-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1312-116-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1312-118-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1312-119-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1312-122-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tzgozqiz.fac

MD5 69b2a2e17e78d24abee9f1de2f04811a
SHA1 d19c109704e83876ab3527457f9418a7d053aa33
SHA256 1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd
SHA512 eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

memory/2852-124-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2852-126-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2852-128-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2852-129-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2852-130-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2852-133-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2852-135-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2852-136-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2852-141-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0jnz403f.ivn

MD5 919e671c3d5959a91ef2d4c377d2b2ff
SHA1 b1202b19512bbd390d3d5164792501c87bb42c41
SHA256 d2e079df7cf6388315368ba79bf099ad2ff5428af51bf5abf2d99a2d7c5eb651
SHA512 f3298256372beab8efe81b2e08d3b3869281f625de1ee13189c6b95eb2134d223df6f64cc9e490dd6b52a53aa936adc17bd5dfe4e50ee0fe420f3ebae276381c

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 18:16

Reported

2024-01-06 18:18

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe

"C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"

C:\Users\Admin\AppData\Local\Temp\sanas.scr

"C:\Users\Admin\AppData\Local\Temp\sanas.scr" /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcAB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZQBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAeQBqACMAPgA="

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\Server2223.exe

"C:\Users\Admin\AppData\Local\Temp\Server2223.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe

"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe

"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"

C:\Users\Admin\AppData\Local\Temp\FreeScript.exe

"C:\Users\Admin\AppData\Local\Temp\FreeScript.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAcQB3ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAaQBmACAAZQByAHIAbwByAHMAIABjAG8AbgB0AGEAYwB0ACAAbQBlACAAbQBhAGkAawBrAGkANAAyADAAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHMAbABwACMAPgA="

C:\Users\Admin\AppData\Local\Temp\microsofts.exe

"C:\Users\Admin\AppData\Local\Temp\microsofts.exe"

C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe

"C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe"

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe

"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\bo2ezzp0.hxi"

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe

"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\zx0bpzxl.geg"

Network


Files

C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe

C:\Users\Admin\AppData\Local\Temp\Server2223.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Users\Admin\AppData\Local\Temp\FreeScript.exe

C:\Users\Admin\AppData\Local\Temp\sanas.scr

C:\Users\Admin\AppData\Local\Temp\microsofts.exe

C:\Users\Admin\AppData\Local\Temp\zx0bpzxl.geg

C:\Users\Admin\AppData\Local\Temp\bo2ezzp0.hxi
