Malware Analysis Report

2025-06-16 06:19

Sample ID 231226-w3abmshac9
Target 840ef8d2d1936ebf66e63f85c7dece42
SHA256 6dad4f5325f635039e443e725ddaf3eb210952b0ebe81027dae9f9fb0a09e831
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6dad4f5325f635039e443e725ddaf3eb210952b0ebe81027dae9f9fb0a09e831

Threat Level: Known bad

The file 840ef8d2d1936ebf66e63f85c7dece42 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Windows security bypass

Windows security modification

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 18:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 18:26

Reported

2024-01-07 00:01

Platform

win7-20231215-en

Max time kernel

134s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe = "0" C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe = "0" C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2acfo6aw = "C:\\Program Files\\Common Files\\System\\IfB44785yo4aR44dco3pdD14W\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2992 set thread context of 1472 N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A
File opened for modification C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2992 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe
PID 2992 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe
PID 2992 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe
PID 2992 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe

"C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe" -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe

"C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"

C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe

"C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"

C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe

"C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 540

Network

Country Destination Domain Proto
US 8.8.8.8:53 omaprilcode.duckdns.org udp
RU 194.147.140.25:8090 omaprilcode.duckdns.org tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 b34658f22668a6fe56131681fc549e2a
SHA1 4cd335909f463688f2e4e17f18746311eea8a005
SHA256 2b7fc3d7c2a6738b52000b4bf9fdad6492ed8629139d7dc872d9a9213f3565fb
SHA512 34f66f9c441f744731d4329319b7c55dd9b01a748c378f3fac1636d6bb7b120e7db5e1acb23d8d682a3e838885f2466ea1a1acd3640bee59ad2e3f44e13c041b

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 18:26

Reported

2024-01-07 00:01

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe

"C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe" -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe

"C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3624 -ip 3624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1608

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 omaprilcode.duckdns.org udp
RU 194.147.140.25:8090 omaprilcode.duckdns.org tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 omaprilcode.duckdns.org udp
RU 194.147.140.25:8090 omaprilcode.duckdns.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 omaprilcode.duckdns.org udp
RU 194.147.140.25:8090 omaprilcode.duckdns.org tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 omaprilcode.duckdns.org udp
RU 194.147.140.25:8090 omaprilcode.duckdns.org tcp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 omaprilcode.duckdns.org udp
RU 194.147.140.25:8090 omaprilcode.duckdns.org tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 omaprilcode.duckdns.org udp
RU 194.147.140.25:8090 omaprilcode.duckdns.org tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 omaprilcode.duckdns.org udp
RU 194.147.140.25:8090 omaprilcode.duckdns.org tcp
US 8.8.8.8:53 omaprilcode.duckdns.org udp
RU 194.147.140.25:8090 omaprilcode.duckdns.org tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7f373306d581126483e9abb53e2c6d9c
SHA1 a4224e6c111a120684726d13b66185b03929b438
SHA256 3d779c72a91d1c808d48468a72d7ce6bfb310f0797d1145ff86e8ae7e4e1c74d
SHA512 6f4db363a8ad5975dfbe83109024f8a0a43996527a9d6ac3cf4e82eff573038dded42996736f0b71f35fdc8188e218f82e2aa72b6f1e20597d9e4833ea04e815

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 83e783907e18e90f5e5e6aebc34f2ac5
SHA1 038aeadb925b5c455993ec1a6f5765099ba7b5c7
SHA256 315ae4165153e728b2e8aae5d68b310cf4d9f4f9dc181856b68f5bfeba67c5cd
SHA512 e4352c19f29fec832b1403e35a280dd788734b16863fed363c18aafb5e3cdc36e9525a7d38727fc000dfa317f9b180983fce82a443e544aeba89c4e0c740fb72