nanocore | 05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743

Analysis

max time kernel
80s
max time network
82s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe
Size

567KB
MD5

5c1cd29e458e43381dee5769b9c39db0
SHA1

f936c464cf2ae05817ca83392f3bf0132cb93033
SHA256

05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743
SHA512

16e2eb7c19050c963c1613402382889525222beda60542d4177434bc3716296e3fba3565f1e406717b2e6fb4a9079721cb2ca4b729a5c3f54d23a2067cfaa289
SSDEEP

6144:NJUJOAPzekZusrr7nDbOpkexqknYSQpJH1PD9YVDsKmTFGHXrkYOCxrgbe1Ig9:NgPzeWapkexqRYV7mAiCJg/g9

Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

69.61.59.215:60003

cldgr.duckdns.org:60003

Mutex

0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a

Attributes

activate_away_mode
false
backup_connection_host
cldgr.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-08-14T15:52:11.646113636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
60003
default_group
winter
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
69.61.59.215
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProPlayer = "C:\\Users\\Admin\\AppData\\Roaming\\ProPlayer\\Player.exe.exe"	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2992	2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B4C2481-BE9D-11EF-9EA5-F2BBDB1F0DCB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b7de02aa52db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000765581d0b2ff6544b93e54b1245da16e0000000002000000000010660000000100002000000060e0cf31409deaa50472ae1c20b0ceaec2e41f3ae660ea29fe72d81a4899861b000000000e800000000200002000000046e4c2a096dfd8d6f8f9e509baa65c9baf1d42fb1d8bf718aa0b28ed354d60222000000027332c0a7d83607358f3a53aea20e70781b3f1c641a442e870e285fed5387f3e40000000393d3dea95432d4640e733a5356e78b40c0d08242fc6cd0d8527316098069bc686ce70b7a7046ec9990beb5451572bf76e3a821f93b0c05e6489b3988ca5c598	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000765581d0b2ff6544b93e54b1245da16e00000000020000000000106600000001000020000000bb6a7ab4adc9fc91990531141b42ecb185a41d8f2d978b55951159036c121ce3000000000e8000000002000020000000bc7af84530a4129ae48dd0e381d3ca9654a60aeb1fefae3cb0ee17f748212e3390000000818a8699bc9ff2a5b29d00a3b4e92a0c893965063d6c628a0eb67869f41b2a1792d1ce49d7e329c448bf293c567fd65b07172efa474fb5e0e6386c5875938a417fc61ec5a12f46f3d38c7085d19b84b1770ff0c3ee350cb71f213e08d83dc585af0dad24f4b651e4d07ed2e616f795a682144df4ed832270c3f49096f35057a708826e31b309348b70ba8652172aa52b4000000078f1f05ea7b1ca244ebee33fcbeeb5847abe23cde0c985ecb471d00b8522501b5d4981d71f13be84326a1f080ce24d1dca733b3f8b6f496b87b2c45fbb559db4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440838639"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2032	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe
2032	iexplore.exe
2032	iexplore.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2992	2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe	31
PID 2380 wrote to memory of 2992	2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe	31
PID 2380 wrote to memory of 2992	2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe	31
PID 2380 wrote to memory of 2992	2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe	31
PID 2380 wrote to memory of 2992	2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe	31
PID 2380 wrote to memory of 2992	2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe	31
PID 2380 wrote to memory of 2992	2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe	31
PID 2380 wrote to memory of 2992	2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe	31
PID 2380 wrote to memory of 2992	2380	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe	31
PID 2992 wrote to memory of 2032	2992	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.EXE	32
PID 2992 wrote to memory of 2032	2992	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.EXE	32
PID 2992 wrote to memory of 2032	2992	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.EXE	32
PID 2992 wrote to memory of 2032	2992	05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.EXE	32
PID 2032 wrote to memory of 2796	2032	iexplore.exe	33
PID 2032 wrote to memory of 2796	2032	iexplore.exe	33
PID 2032 wrote to memory of 2796	2032	iexplore.exe	33
PID 2032 wrote to memory of 2796	2032	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe
"C:\Users\Admin\AppData\Local\Temp\05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.EXE
  "C:\Users\Admin\AppData\Local\Temp\05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=05b36f97235b55ac54f925bae607ac4cbe074a64061cbd4ec6e73008c5233743N.EXE&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
11355b8ea3d013e6e501295e5c074af3

SHA1
85b74d71c31a1cbc84e4d2b98ed306911ea57f03

SHA256
aa64b3f118b286dbb77a2aff8725f367c4476a98ed8bf8b30346d4b4279f2c6e

SHA512
f5e0b21fdf5fa744a0e90a04364168b88f39a35c60ecf589f5d9a484f757701e11259b0232ad8c881b0f132674179495ab67a7dbf9b99be34d2d4d469002981b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4aed413b85ad30a9d9387a950069545b

SHA1
b6f132d9690da86bd0c6d0d9ca4a47300da60a14

SHA256
27f07a9aa41e8739592520c410967fa05ffd10fb15f0f8b15d93b9fe5ef1b5af

SHA512
428c7be6df7d2fa2fe99bd8b3b3b50a3fafef47061e26640713c4bf12e50486e4fb291e11b50fdd11352cf89fb99ae2a01238cfa9500b7ea06387fff38d83955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c2df24c301cace04df99ac1659085c9

SHA1
10046b601d86afc54bc9371b514341efeaec0c40

SHA256
0735df47d72190eef906a26aed58894abfd62a5ee0869a34bad6934474614e9e

SHA512
e0317bae8364bdc1e3091836d1d5ab66a0df241ee82fdc0a324889f44adf08d05c0935d611d5823d0ab2f455610d22242aac5630be34e4ff4ca99decff797d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc1e842a1e8589753b0908e199e357e1

SHA1
0260bd67ba209c43965a979536808c2bd4330d13

SHA256
c5208e32e921c48fc164202614871f2dce09e756dfd36ec61cc6741319d9abd0

SHA512
7aa2d19144e36bd6a181885f7149d975cd54cde208914ffac86c385d57bbfa0d10feba63fad317a3c9b47043ee47ce9465a8ce8969fe569fa50d7b4e87463c84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
772c7aa6f05d5fe103c8e0595bff3f85

SHA1
21f378d77947ba50657e75a1238457cf8a648651

SHA256
c9f0f1d3b4e950e48bfdcd9bc3d6ddd50eab7d3ff2e5a203ac629926ecbedcb7

SHA512
7e69576f2414b844ee84aec7a51506f4ae9c12d1f3f31673fdf785d6277da835f6afbc1ca0f7a7c255f4344cb94fffdfb83090da6a4a1b0569e0ecad46f16e8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f7678a508605080af2887b89836a645

SHA1
f2e98e947cae0b251ad656bf41edbf0d694b9048

SHA256
89b33238d6ad5fc50369c54d7a82c9fd1b58c951fb3ee6819e60afa1b82bf988

SHA512
5c8e389f6d856c5c698f7b41ce337770cf1efe431da9bef70d610b16541132c6ac553dd258cb796e53b5aa56aabdc6371ddee84367b2b4207f7b6e3ab9d79d9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17192770fc618171ef81f21018142f7b

SHA1
dbc77f6e11cc19da427790e035697296ab633b82

SHA256
58bc281c69d7d5fa5e040a9c5e2f02795b62836f13530c0ca9664dea8c792ec5

SHA512
744ce421ae435efd2823eb8919a0482b704b9fb3ec92e60b8662023bfa71c44636e36c03a7ab252a5d67129078e10872e971d621a4cef7ef04e32acf0e0eb9f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
929f962474116f5d1525093b2aec3a59

SHA1
5b105b4425b3f5573b032d71462407e5d289a069

SHA256
c531373f0aa2686baa954ab1c95f61f562a92d03d7192f4ab514b64b3fe725da

SHA512
f63afb13c90e1b65357c0338f341fd682a3b1a19c6d74b718368f1e0bbb85562b161d48ede09b219ce9b4820705703fb6bc1cb927cc84537f05d5650d4c98933

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28fde49bc5d7926c41f76a0c654c9399

SHA1
4c7556c922fd439cc6d47ed4048952142eebaf4b

SHA256
89084313de00d5ea219a8d074cd7cce7e07bb6598e4afe5518c006f3e288ae98

SHA512
e9e497f241abb917dfb75bb518bc0d0cb30315087776b4f1ae565dda9c0b38747e2141ebcbef1ff69a6282b1f4deadf77195117d8ac4dae8827c928245f5ebc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a98085527ad2913f7bad5c14a4214894

SHA1
40f5fee76f282d198468b4d5a9812cf4bd7d427c

SHA256
6fc1cfeb6ee2d37f14ad9a229f920812f6a3f10a1c2aecf3ef0a7df1eb2c1c86

SHA512
216a7895c77545a472f07f695e797f6ce6c9513b481c9f0860ecc6a7e9c41462c3d23ab792ecfb960586c06499555bfe56901cc304a71e2a0641f4a2e55f782c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f277c11492c9ba3fd200bb06a68b74c

SHA1
7393ee32f94f238849c5bbdaef1f745ad69e8713

SHA256
d2628e2dc89fb47c841e15f9d5fd8f72ae8c57e4b267bd894ce85776b50cd9e9

SHA512
efb464824fedc15a8856171562eeebbe378405e5770a1a69e6cef1152adda014f52f59bb847badffd9b2700c1ef093a3bf0dfc9af8d7de173d9c28b4f8203c77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7798801bca91f9f5ec5727a919c524fd

SHA1
7d4c0f6d788fbcb7bf321de93a67b65812f644e3

SHA256
7df80635c0186980996c3c281b496b3c6fc35720847de307f2014847d2f79621

SHA512
5d017b60f9f4faa569c8e72540eac696cce6a16e33af26e83024a04437916e80ce1342f3b21429c8d3f7d99724c889d5297039229721bbc3fc86711eff346ddd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28fa6b4e6d408b917b2082a79aaba156

SHA1
4df9a70a851637047f917c5a78c2fc7cb5028667

SHA256
173e1429fa574aa8d5f516fb7bb84ca3365fdfcd8eb0ea9db9f430374541f715

SHA512
cc5291d6bc1c7c72d5aa495a0e356922dd7a60cedd78148c22a1093b10b83a91bb6665513132003ff15f6c409bb03ae2794d6b3c4c52fdd314b04c78639e1a5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfe06a323746322009dc4a196c25a5a0

SHA1
0b7f6bf302e5366d3c6461e84b6ffa226b15e8f7

SHA256
876237c3b090d1099fc77b2b63ce78e049dcba0e51c7bf7e647415a999702554

SHA512
ff0cfe8dc9ee9800ae678b34c06c614b4a04a2c060315cf141b738a9cb7e25e35d23f1dee5b87fd58c1fcf0d2a44437b1e722240cba3f8f81587623bf50fcbc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcdff4941831c0e28e178466e29ecec0

SHA1
f89e4474d7fd8917c665b96b24f1cb1dff5a0a21

SHA256
86994eb5838f2b950e02af6caaf826247be0c6ff5f50080192cc16f4e379bbfd

SHA512
05eec80fd72b43e7e1c89d24fa0bea3eff6c968834a5c3b0c01995d5b223f7afe9a7079d161d044a643d2292bd8ce09e2ff238bf0e71d525a56cb85a9673f45f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77d746c77bac661fa14bc2fcff89b347

SHA1
4b7e06b03ac50fbb84bf0201d605c02f87935acd

SHA256
cd30508b704c45be729d6b416ecb13b59a516a1ea38ce101ab57ef554455259f

SHA512
51f2cb230b547a875a2a0904f85a805db845857f5ce9474a56d7093ef07f941ccabf7978ecacbb63826d1c33c8a4e11d6e6a0fd5d45bd90c8c761f92ef02a196

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a63b5e63595efb0489206eaa5cf0e91

SHA1
39032d86bb923edf095868c8ac8c839b118e07bc

SHA256
afd49a32941276e8f76edd7543172da09c867f3f627c9709a3d219aa67c0e7a8

SHA512
ea9b9d45d02c27195ce03353e2a97d1e650b89e32555f8c2f3f4de2fdd309c9f04dbd2865d484d9e166932c632bbaab570450e17193f7da85b485cb036009a26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9df4312d2aab17d489ad7b46693b324

SHA1
2b836a638cb9e4ba403c97fa1e7e2aad449a3b15

SHA256
a133f5094d2cb4b9511c469589e46295ce0a50cba346770ed3c9c089494aeabb

SHA512
d44ccdce3fbe300926bf72c87dc71517ef118a4b3bc8c6e8919578f9bc7f854e26e042e0a407c185d1fd91c8973e1a862566218ed951ee86a796cd2e23089063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f4255adb9f71194b4854c23e9fd32a8

SHA1
e02b76edaa1edfa599995b816a1e210ffcf5b44e

SHA256
72859aea9a23e8db45cd8a8282c3be23fdfe8756c755c614e84acdad43a2d849

SHA512
3952b84be215b60a83ac8efb7eebd8ca70727a27fb16f15a1143edc5ec6637626e5004e32e7be806db286d1c78801e15cf2606a52b1fcd56383fb1aa31bc20a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43d595ac28d60ae5914265727a724141

SHA1
46fe5b24a7fadadda590eb28ce966ea276f1dc50

SHA256
41193aca3d560c793a707ecec0c2ad35f2ec388ee61426431cefd72f093fee32

SHA512
f4e5d76a847e261143b9544d3f22473ed0fdc51170999277b8d8869107425cd88725ed413f3b95455ae55ac813c4e7c8d532bf9b180a06633300d6ee336eee96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f423a7be2b0c7a11a4224a523e4bb10

SHA1
500b62a3c129bda09cb2010d66dfa48db3a4c1e3

SHA256
ea7f50b68fbe8763003ef23a36f39ed94c6b87a6af58cc2ec309019eeb72c459

SHA512
c40f8edfa0579715640fcdca3aad026a2ddd149538f7475866c8a443e265671dc63d9b23d8a4ff90dca7f541744c56e705ef5f03f5f815f1c46dbc61354ff36e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d42c232746b57c689f339a7d41ae1ff4

SHA1
b70acaa01f5829c7cc70265647ef91a4f35d051b

SHA256
a7afe502fa4abdd337c9c829591de919e5454db6785ddee179f4ba8d301a2c75

SHA512
3ae4135a3c349a70392af588af9717ced04d31e809eec42221d887715dcdf7b8d7a41f752ba835495f37bdbfd0cc5bcce85a57b6866d85095a38e2755ce0b9a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5017166a215259776ad7cab79c0a9fa0

SHA1
c1203bfd50f34512db46aace310bef2b94503b15

SHA256
5946176be9494677370eaf71fdd2127ee48c4cb2d5774bad9eba2953449eedf3

SHA512
bedb1c74cc6ff1d638a159a0060087e6f551b3851265e138400e45d1c86036aecc0eafe2169672a8f6c04b3a4eeefa1bcb05b0d96a7d9bf0ea9a34f499c35dc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b53e088006c23daa60fb0b39c64c41a

SHA1
d0f0b7edbfac40706747144ad0a4016230b9525b

SHA256
78c5a578fefa1f09a10594e84bc9dda3051ed452d9cad8861679498aa8c03f2b

SHA512
24660511ece082a625bd2f7ab527c1623bc735102215988bdf802b9b5f93f81172412d7802a08b8178e19578eafb47434c534ab2bf3ab044629b2d7eb9514f18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb915a842cbe706ef64b674ac9c90668

SHA1
3f0e83e8bd31d5ddf17461c59fc34a907638eb7a

SHA256
58a3c80af7e65b6c40bac28ef514f48e503ced1a5e8de67756acd92dcecb9f94

SHA512
98e301ada47daa041cf493452312aacc375e7489309193d20ad31cb74bd25814fb69f31d6de27197368696aaed5a423d53e0e9e7775895fc7650d788618ea49d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9040e605bf2b4d8711d226ed601a60e

SHA1
bbf726cb9738aadaf73ece40f615e96e06d3e212

SHA256
438f1004819d4398635343046b0936e238a82e66f0c255eefaea52df1b43e080

SHA512
cf2a949e38d797654748aea1d280821b254d15f76bc1bee54f71d290584a135d5faa9c00cf24f3ae7d499ae742ba2f970a5052fa19028256e12616a6e9e51ae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bd727a5c9934c0dd7f6c09c84dd6c03

SHA1
427df5a2af291546cb4562c619be66146dd5f2c3

SHA256
d3bfd9d8b2f56428501980f07ff7bd7ef0d5c2e682e402eea77cc3f87c013d73

SHA512
53362ac33f709d7637fbd3c08bfb1055cef446b3af4780bd30d40d29c97cb545013c5d5fea7ed74397495fe4f3a6a0529608975ffa32b7dd009d20fe946c24d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
219bc0895f5b2bc6717e9df31a811540

SHA1
381df94526196563909a47fd7fc512826fcf4931

SHA256
4f289c397117e03e8b0696b4395a38120c670a6b9df2242e835e67837a33e1fb

SHA512
e42f8132c37821e49c4339656e1258336b4cda75aa94dcba0bc96542597f24472842f0430900c1a86ac6e945f5083422c4ff13168dadea8ea728699b49835087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75140141dbc365e616a4dca8457e3dd6

SHA1
219f54d6fc7318021bf80b70cc6cb45f7e1c9188

SHA256
70af260e93271f6f8e6f93cc3df5a7519fbcc634684df17c83f230576a0cfbbb

SHA512
60b97ddaecfa69505a1f12bd8aba4c132c6455fcbf53868717841900f895acb4d76900685b40efdcc5e7341580d0a6a9ceb0d55534a8d4e05ba8c890cb56ae6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
179ed5539fb41362ef43fa9a5f523202

SHA1
e4bc3ffc52ab28f7835e83e342a5f04a6722f5ae

SHA256
ae4a785a7e178edcf95a7422d7ed0ce8fbc0994f4b23473f9c1c0f29812c80cf

SHA512
7e55f856844572f6d489ef4459cfda48228a57c8359877debcd0beabc3805abe32db870e8f799db6669b5530adea4a9e65261f39cda07a5f59e32481caf42089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5FA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6C9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2992-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2992-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2992-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2992-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2992-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2992-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2992-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2992-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads