Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A

Checks whether UAC is enabled

evasion trojan

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 3008 set thread context of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 set thread context of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2868 set thread context of 2296	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1400 set thread context of 320	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious behavior: GetForegroundWindowSpam

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 2360	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3008 wrote to memory of 3056	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 3056	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 3056	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 3056	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2696	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2696	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2696	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2696	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2632	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2632	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2632	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 2632	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 596 wrote to memory of 2488	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 596 wrote to memory of 2488	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 596 wrote to memory of 2488	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 596 wrote to memory of 2488	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 108	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2488 wrote to memory of 1656	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1656	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1656	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1656	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1540	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1540	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1540	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 1540	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2596	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2596	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2596	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2596	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 1960	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1540 wrote to memory of 1960	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1540 wrote to memory of 1960	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1540 wrote to memory of 1960	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 596 wrote to memory of 2868	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 596 wrote to memory of 2868	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 596 wrote to memory of 2868	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 596 wrote to memory of 2868	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe

"C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {F8973C02-28D9-4969-A2E5-B3765BC416D3} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	munan.duckdns.org	udp
US	18.210.161.224:3637	munan.duckdns.org	tcp

Files

memory/3008-0-0x000000007472E000-0x000000007472F000-memory.dmp

memory/3008-1-0x0000000000140000-0x0000000000190000-memory.dmp

memory/3008-2-0x0000000074720000-0x0000000074E0E000-memory.dmp

memory/2360-4-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2360-13-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2360-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2360-17-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2360-15-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2360-10-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2360-7-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2360-5-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3008-20-0x0000000074720000-0x0000000074E0E000-memory.dmp

memory/2360-22-0x0000000000480000-0x000000000048A000-memory.dmp

memory/2360-24-0x00000000004F0000-0x000000000050E000-memory.dmp

memory/2360-23-0x00000000004E0000-0x00000000004EC000-memory.dmp

memory/2360-25-0x0000000000510000-0x000000000051A000-memory.dmp

memory/2360-28-0x00000000006F0000-0x00000000006FC000-memory.dmp

memory/2360-29-0x00000000009F0000-0x0000000000A0A000-memory.dmp

memory/2360-31-0x0000000000B90000-0x0000000000BA2000-memory.dmp

memory/2360-30-0x0000000000710000-0x000000000071E000-memory.dmp

memory/2360-34-0x0000000000BC0000-0x0000000000BD4000-memory.dmp

memory/2360-33-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

memory/2360-32-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

memory/2360-35-0x0000000000BD0000-0x0000000000BE4000-memory.dmp

memory/2360-36-0x0000000000C20000-0x0000000000C2E000-memory.dmp

memory/2360-37-0x00000000045D0000-0x00000000045FE000-memory.dmp

memory/2360-38-0x0000000000C40000-0x0000000000C54000-memory.dmp

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

MD5	ec03c8da575fa5ee4745506b340968e6
SHA1	357374aa9b28d6571ebcf3b535b3cd8fe85eebba
SHA256	26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
SHA512	2d01fa27ef375f77db7e3a896877db902ea52578aaa13aaec2aef3ce8a0199b1de56ca70602bac24f4fd2278ed5835e2c373c0626a05e95929deb93abb94137a

memory/2488-42-0x0000000000840000-0x0000000000890000-memory.dmp

memory/108-60-0x0000000000090000-0x00000000000CA000-memory.dmp

memory/108-58-0x0000000000090000-0x00000000000CA000-memory.dmp

memory/108-53-0x0000000000090000-0x00000000000CA000-memory.dmp

memory/2868-62-0x0000000000E30000-0x0000000000E80000-memory.dmp

memory/1400-76-0x00000000011B0000-0x0000000001200000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 19:49

Reported

2024-06-19 19:52

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Detects executables packed with SmartAssembly

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A

Checks whether UAC is enabled

evasion trojan

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 3932 set thread context of 3808	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 set thread context of 2340	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3672 set thread context of 316	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious behavior: GetForegroundWindowSpam

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 3932 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3932 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3932 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3932 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3932 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3932 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3932 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3932 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3932 wrote to memory of 1136	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 1136	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 1136	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 3828	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 3828	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 3828	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 3992	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 3992	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3932 wrote to memory of 3992	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 5084	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3828 wrote to memory of 5084	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3828 wrote to memory of 5084	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4908 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 wrote to memory of 2036	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2036	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2036	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2192	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2192	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 2192	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1052	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1052	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 1052	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 1336	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2192 wrote to memory of 1336	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2192 wrote to memory of 1336	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3672 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3672 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3672 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3672 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3672 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3672 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3672 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3672 wrote to memory of 316	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3672 wrote to memory of 3880	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 3880	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 3880	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 3528	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 3528	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 3528	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 824	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 824	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 824	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3528 wrote to memory of 3996	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3528 wrote to memory of 3996	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3528 wrote to memory of 3996	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe

"C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	209.205.72.20.in-addr.arpa	udp
US	8.8.8.8:53	138.107.17.2.in-addr.arpa	udp
GB	96.16.110.114:80		tcp
US	8.8.8.8:53	95.221.229.192.in-addr.arpa	udp
US	8.8.8.8:53	22.177.190.20.in-addr.arpa	udp
US	8.8.8.8:53	munan.duckdns.org	udp
US	18.210.161.224:3637	munan.duckdns.org	tcp
US	8.8.8.8:53	241.150.49.20.in-addr.arpa	udp
US	8.8.8.8:53	224.161.210.18.in-addr.arpa	udp
GB	142.250.187.202:443		tcp
US	8.8.8.8:53	183.59.114.20.in-addr.arpa	udp
US	8.8.8.8:53	18.31.95.13.in-addr.arpa	udp
US	8.8.8.8:53	154.239.44.20.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	76.234.34.23.in-addr.arpa	udp
US	8.8.8.8:53	203.107.17.2.in-addr.arpa	udp
NL	52.142.223.178:80		tcp
US	8.8.8.8:53	13.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	226.162.46.104.in-addr.arpa	udp

Files

memory/3932-0-0x000000007531E000-0x000000007531F000-memory.dmp

memory/3932-1-0x0000000000CB0000-0x0000000000D00000-memory.dmp

memory/3932-2-0x0000000005C50000-0x00000000061F4000-memory.dmp

memory/3932-3-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/3808-4-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3808-5-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/3808-9-0x0000000005790000-0x0000000005822000-memory.dmp

memory/3932-10-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/3808-11-0x0000000005910000-0x00000000059AC000-memory.dmp

memory/3808-12-0x0000000005850000-0x000000000585A000-memory.dmp

memory/3808-14-0x00000000058E0000-0x00000000058EA000-memory.dmp

memory/3808-16-0x0000000005B20000-0x0000000005B3E000-memory.dmp

memory/3808-15-0x0000000005900000-0x000000000590C000-memory.dmp

memory/3808-17-0x0000000005DF0000-0x0000000005DFA000-memory.dmp

memory/3808-18-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/3808-21-0x0000000005E10000-0x0000000005E1C000-memory.dmp

memory/3808-22-0x0000000006F60000-0x0000000006F7A000-memory.dmp

memory/3808-23-0x0000000006F90000-0x0000000006F9E000-memory.dmp

memory/3808-24-0x0000000006FA0000-0x0000000006FB2000-memory.dmp

memory/3808-27-0x0000000006FD0000-0x0000000006FE4000-memory.dmp

memory/3808-26-0x0000000006FC0000-0x0000000006FCE000-memory.dmp

memory/3808-25-0x0000000006FB0000-0x0000000006FBC000-memory.dmp

memory/3808-28-0x0000000006FE0000-0x0000000006FF4000-memory.dmp

memory/3808-29-0x0000000007010000-0x000000000701E000-memory.dmp

memory/3808-30-0x0000000007020000-0x000000000704E000-memory.dmp

memory/3808-31-0x0000000007050000-0x0000000007064000-memory.dmp

memory/3808-32-0x0000000007230000-0x0000000007296000-memory.dmp

memory/3808-34-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/3808-35-0x0000000075310000-0x0000000075AC0000-memory.dmp

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

MD5	ec03c8da575fa5ee4745506b340968e6
SHA1	357374aa9b28d6571ebcf3b535b3cd8fe85eebba
SHA256	26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
SHA512	2d01fa27ef375f77db7e3a896877db902ea52578aaa13aaec2aef3ce8a0199b1de56ca70602bac24f4fd2278ed5835e2c373c0626a05e95929deb93abb94137a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DDfiles.exe.log

MD5	03febbff58da1d3318c31657d89c8542
SHA1	c9e017bd9d0a4fe533795b227c855935d86c2092
SHA256	5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4
SHA512	3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5	84e77a587d94307c0ac1357eb4d3d46f
SHA1	83cc900f9401f43d181207d64c5adba7a85edc1e
SHA256	e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512	aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Sample ID	240619-yjyk8syerh
Target	26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
SHA256	26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
Tags	nanocore evasion keylogger spyware stealer trojan

Malware Analysis Report

2024-08-06 14:45

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files