Malware Analysis Report

2024-08-06 15:24

Sample ID: 240518-k6awssda9y
Target: 53fef215700b1e1c3d781f2be9f333d8_JaffaCakes118
SHA256: 0e62e4cceadbe0a5b50309f73956bbd1cf51b345b1a4d324e66c10d00c3494d7
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 0e62e4cceadbe0a5b50309f73956bbd1cf51b345b1a4d324e66c10d00c3494d7
Threat Level: Known bad

The file 53fef215700b1e1c3d781f2be9f333d8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Executes dropped EXE

Unexpected DNS network traffic destination

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-18 09:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-18 09:12
Reported: 2024-05-18 09:14
Platform: win7-20240508-en
Max time kernel: 139s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shipping document.exe"

Signatures

NanoCore

Tags: keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.177 | N/A | N/A
Destination IP | 37.235.1.177 | N/A | N/A
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.177 | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files (x86)\\ARP Host\\arphost.exe" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 616 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\ARP Host\arphost.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\ARP Host\arphost.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\FolderN\vname.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 616 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Windows\SysWOW64\cmd.exe
PID 616 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Windows\SysWOW64\cmd.exe
PID 616 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Windows\SysWOW64\cmd.exe
PID 616 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1804 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1804 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1804 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 616 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe
PID 616 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe
PID 616 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe
PID 616 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe
PID 616 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 616 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 616 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 616 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 616 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 616 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 616 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 616 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 616 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\shipping document.exe

"C:\Users\Admin\AppData\Local\Temp\shipping document.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\vname.exe.lnk" /f

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

Network

Country | Destination | Domain | Proto
AT | 37.235.1.174:53 | dengsman.duckdns.org | udp
AT | 37.235.1.177:53 | dengsman.duckdns.org | udp
US | 8.8.8.8:53 | dengsman.duckdns.org | udp
LU | 194.5.99.9:30201 | dengsman.duckdns.org | tcp
AT | 37.235.1.174:53 | dengsman.duckdns.org | udp
AT | 37.235.1.177:53 | dengsman.duckdns.org | udp
LU | 194.5.99.9:30201 | dengsman.duckdns.org | tcp
AT | 37.235.1.174:53 | dengsman.duckdns.org | udp
AT | 37.235.1.177:53 | dengsman.duckdns.org | udp
US | 8.8.8.8:53 | dengsman.duckdns.org | udp
LU | 194.5.99.9:30201 | dengsman.duckdns.org | tcp
N/A | 127.0.0.1:30201 | | tcp
N/A | 127.0.0.1:30201 | | tcp
N/A | 127.0.0.1:30201 | | tcp
AT | 37.235.1.174:53 | dengsman.duckdns.org | udp

Files

memory/616-0-0x0000000074081000-0x0000000074082000-memory.dmp

memory/616-1-0x0000000074080000-0x000000007462B000-memory.dmp

memory/616-2-0x0000000074080000-0x000000007462B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\vname.exe

MD5 612dbb3e0e9540bd711321f239e6ae59
SHA1 2f3f519aa1dda89459173f4d4df7b1a9edeb545f
SHA256 68035b3c8c61cb3fd66d50c97af1167418e84d169aa6424364d1effa09598497
SHA512 c8358bc80ba266e6ea7369ae29251e7d6ed30eb83ba1ed28b0369cd2bd7f515373eab55838194ac0e12095c4c4359237ba359d3a2f8cbd3f5b1a3feda4b4edaf

\Users\Admin\AppData\Local\Temp\tmp.exe

MD5 780148d708a0dc38f4236938077bd24b
SHA1 a48c8e96c1138f01ffcbe32c0bc9c8fd455d5398
SHA256 1f71343d779b3d212243a90fc59658406b53a05b5f34fecb7bda4d6d36a2b713
SHA512 54840659439f2acfecf07af7a0a3fcf928537a1b7fea40dbfd11d31d4903ebe2df86a14dd33ada78b5f3e1961bb7bca7bafd9e512abd60f0e0f8233b607964bb

memory/2064-23-0x0000000074080000-0x000000007462B000-memory.dmp

memory/2648-24-0x0000000000080000-0x00000000000B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 2e5f1cf69f92392f8829fc9c9263ae9b
SHA1 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA256 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512 f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

memory/2648-42-0x0000000000080000-0x00000000000B8000-memory.dmp

memory/2648-39-0x0000000000080000-0x00000000000B8000-memory.dmp

memory/2648-35-0x0000000000080000-0x00000000000B8000-memory.dmp

memory/2064-44-0x0000000074080000-0x000000007462B000-memory.dmp

memory/2064-45-0x0000000074080000-0x000000007462B000-memory.dmp

memory/2648-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2648-30-0x0000000000080000-0x00000000000B8000-memory.dmp

memory/2648-28-0x0000000000080000-0x00000000000B8000-memory.dmp

memory/2648-26-0x0000000000080000-0x00000000000B8000-memory.dmp

memory/616-48-0x0000000074080000-0x000000007462B000-memory.dmp

memory/2064-49-0x0000000074080000-0x000000007462B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-18 09:12
Reported: 2024-05-18 09:14
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shipping document.exe"

Signatures

NanoCore

Tags: keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.177 | N/A | N/A
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.177 | N/A | N/A
Destination IP | 37.235.1.177 | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files (x86)\\LAN Monitor\\lanmon.exe" | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3080 set thread context of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\LAN Monitor\lanmon.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A
File opened for modification | C:\Program Files (x86)\LAN Monitor\lanmon.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\FolderN\vname.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3080 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4068 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4068 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3080 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe
PID 3080 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe
PID 3080 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe
PID 3080 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3080 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3080 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3080 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3080 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3080 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3080 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3080 wrote to memory of 1492 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping document.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\shipping document.exe

"C:\Users\Admin\AppData\Local\Temp\shipping document.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\vname.exe.lnk" /f

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
AT | 37.235.1.174:53 | dengsman.duckdns.org | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.1.235.37.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
BE | 88.221.83.235:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.83.221.88.in-addr.arpa | udp
BE | 88.221.83.235:443 | www.bing.com | tcp
AT | 37.235.1.177:53 | dengsman.duckdns.org | udp
US | 8.8.8.8:53 | 177.1.235.37.in-addr.arpa | udp
US | 8.8.8.8:53 | dengsman.duckdns.org | udp
LU | 194.5.99.9:30201 | dengsman.duckdns.org | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
AT | 37.235.1.174:53 | dengsman.duckdns.org | udp
AT | 37.235.1.177:53 | dengsman.duckdns.org | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
LU | 194.5.99.9:30201 | dengsman.duckdns.org | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
AT | 37.235.1.174:53 | dengsman.duckdns.org | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
AT | 37.235.1.177:53 | dengsman.duckdns.org | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | dengsman.duckdns.org | udp
LU | 194.5.99.9:30201 | dengsman.duckdns.org | tcp
N/A | 127.0.0.1:30201 | | tcp
N/A | 127.0.0.1:30201 | | tcp
N/A | 127.0.0.1:30201 | | tcp
AT | 37.235.1.174:53 | dengsman.duckdns.org | udp
US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp

Files

memory/3080-0-0x0000000075572000-0x0000000075573000-memory.dmp

memory/3080-1-0x0000000075570000-0x0000000075B21000-memory.dmp

memory/3080-2-0x0000000075570000-0x0000000075B21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FolderN\vname.exe

MD5 612dbb3e0e9540bd711321f239e6ae59
SHA1 2f3f519aa1dda89459173f4d4df7b1a9edeb545f
SHA256 68035b3c8c61cb3fd66d50c97af1167418e84d169aa6424364d1effa09598497
SHA512 c8358bc80ba266e6ea7369ae29251e7d6ed30eb83ba1ed28b0369cd2bd7f515373eab55838194ac0e12095c4c4359237ba359d3a2f8cbd3f5b1a3feda4b4edaf

C:\Users\Admin\AppData\Local\Temp\tmp.exe

MD5 780148d708a0dc38f4236938077bd24b
SHA1 a48c8e96c1138f01ffcbe32c0bc9c8fd455d5398
SHA256 1f71343d779b3d212243a90fc59658406b53a05b5f34fecb7bda4d6d36a2b713
SHA512 54840659439f2acfecf07af7a0a3fcf928537a1b7fea40dbfd11d31d4903ebe2df86a14dd33ada78b5f3e1961bb7bca7bafd9e512abd60f0e0f8233b607964bb

memory/4760-20-0x0000000075570000-0x0000000075B21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 84c42d0f2c1ae761bef884638bc1eacd
SHA1 4353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA512 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

memory/1492-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4760-24-0x0000000075570000-0x0000000075B21000-memory.dmp

memory/1492-26-0x0000000075570000-0x0000000075B21000-memory.dmp

memory/1492-25-0x0000000075570000-0x0000000075B21000-memory.dmp

memory/1492-27-0x0000000075570000-0x0000000075B21000-memory.dmp

memory/4760-31-0x0000000075570000-0x0000000075B21000-memory.dmp

memory/3080-33-0x0000000075570000-0x0000000075B21000-memory.dmp

memory/1492-34-0x0000000075570000-0x0000000075B21000-memory.dmp

memory/1492-35-0x0000000075570000-0x0000000075B21000-memory.dmp