Malware Analysis Report

2025-04-13 21:10

Sample ID 240127-yc764aafg7
Target 7b1ad881708336e5b8153c12cc70de8f
SHA256 01fdef2521090cced120589336b3c76f3129dc9498ae78c9daa180b586b6eef6
Tags: nanocore keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 01fdef2521090cced120589336b3c76f3129dc9498ae78c9daa180b586b6eef6

Threat Level: Known bad

The file 7b1ad881708336e5b8153c12cc70de8f was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-27 19:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-27 19:39
Reported: 2024-01-27 19:42
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4908 set thread context of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DDP Service\ddpsv.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\DDP Service\ddpsv.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4908 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4908 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4908 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4908 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4908 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1300 wrote to memory of 656 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1300 wrote to memory of 656 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1300 wrote to memory of 656 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1300 wrote to memory of 496 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1300 wrote to memory of 496 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1300 wrote to memory of 496 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe

"C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYSkDCU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp644.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD59.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDB8.tmp"

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | | udp

Files

memory/4908-0-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/4908-2-0x0000000000E60000-0x0000000000E70000-memory.dmp

memory/4908-1-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/4908-3-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/4908-4-0x0000000000E60000-0x0000000000E70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp644.tmp

MD5 dbd958af4cb910c9fe25c0484583d991
SHA1 378cbdf661adbf868019eb36601216b1177933eb
SHA256 94512af63bb7e2a9580faafba2778fe6ee29bdd8db63e6cc27fc9414eb9ffb17
SHA512 ef918d633c90683b0447f8f00a061ed175ae7a82d7f9a6447538434a94a7d4561637d37f8a788c6209aed0d80395b465e106db2b97dff1fe05e2040266a29396

memory/1300-10-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1300-12-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/4908-13-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/1300-14-0x0000000001880000-0x0000000001890000-memory.dmp

memory/1300-15-0x0000000075210000-0x00000000757C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD59.tmp

MD5 40b11ef601fb28f9b2e69d36857bf2ec
SHA1 b6454020ad2ceed193f4792b77001d0bd741b370
SHA256 c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
SHA512 e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5

C:\Users\Admin\AppData\Local\Temp\tmpDB8.tmp

MD5 93d357e6194c8eb8d0616a9f592cc4bf
SHA1 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
SHA256 a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
SHA512 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f

memory/1300-23-0x0000000001880000-0x0000000001890000-memory.dmp

memory/1300-24-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/1300-25-0x0000000001880000-0x0000000001890000-memory.dmp

memory/1300-26-0x0000000001880000-0x0000000001890000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-27 19:39
Reported: 2024-01-27 19:42
Platform: win7-20231215-en
Max time kernel: 148s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1864 set thread context of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\TCP Service\tcpsvc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\TCP Service\tcpsvc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1864 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1864 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1864 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1864 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1864 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3004 wrote to memory of 2900 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2900 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2900 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2900 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2388 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2388 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2388 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3004 wrote to memory of 2388 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe

"C:\Users\Admin\AppData\Local\Temp\7b1ad881708336e5b8153c12cc70de8f.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dYSkDCU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE62.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF4D.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp
US | 8.8.8.8:53 | tzitziklishop.ddns.net | udp

Files

memory/1864-0-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/1864-2-0x0000000002370000-0x00000000023B0000-memory.dmp

memory/1864-1-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/1864-3-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/1864-4-0x0000000002370000-0x00000000023B0000-memory.dmp

memory/1864-5-0x0000000002370000-0x00000000023B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp85A.tmp

MD5 38e8dc2ce488f4f4f4a7402a5acf49e6
SHA1 57db86988e0ceb2691963dec3310fcb2d61e03d5
SHA256 efc00ff0f3081e6cded28f5a19313cdb1c6f894a7132bc9bca65a549b85e8dbf
SHA512 6c71449fd75ffc44584bb19dee8890338ed09dd26a02f347f4aaeb7040bda27693922c4a7e69c1d2b2ad4672e56b267d003eeb531670ce758107425d3a48945a

memory/3004-11-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3004-13-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3004-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3004-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3004-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3004-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3004-23-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3004-25-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3004-27-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/3004-28-0x0000000000180000-0x00000000001C0000-memory.dmp

memory/1864-26-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/3004-29-0x0000000074C80000-0x000000007522B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE62.tmp

MD5 40b11ef601fb28f9b2e69d36857bf2ec
SHA1 b6454020ad2ceed193f4792b77001d0bd741b370
SHA256 c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
SHA512 e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5

C:\Users\Admin\AppData\Local\Temp\tmpF4D.tmp

MD5 9db6095f31f8b4ae8173fe11424a8dfe
SHA1 4b0655ae95def24a41710ca137649d93bfa49407
SHA256 9911b4513e44521c90c020ddcddea1ddc58095055a72ec638b593bf9ee23aa72
SHA512 5bee977264545a30a2d53e674f54a4066d4529dc9162d46911b9cac957052cdc1ea7c8d60f9c57d3f33db6cb964b1e6bb2347d0e0e2af0a32ac98938c02ffc1c

memory/3004-37-0x0000000000180000-0x00000000001C0000-memory.dmp

memory/3004-38-0x0000000000180000-0x00000000001C0000-memory.dmp

memory/3004-39-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/3004-40-0x0000000000180000-0x00000000001C0000-memory.dmp

memory/3004-41-0x0000000000180000-0x00000000001C0000-memory.dmp

memory/3004-42-0x0000000000180000-0x00000000001C0000-memory.dmp