Malware Analysis Report

2024-10-23 19:45

Sample ID: 240429-e3t8daac34
Target: gK5vkTm6WAcfbiz.exe
SHA256: 0117ba3b90a77a00da548bf15490d6623de69e535d75fbbce8279b91c82f5ef6
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 0117ba3b90a77a00da548bf15490d6623de69e535d75fbbce8279b91c82f5ef6

Threat Level: Known bad

The file gK5vkTm6WAcfbiz.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-04-29 04:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-29 04:28
Reported: 2024-04-29 04:30
Platform: win7-20240419-en
Max time kernel: 134s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager = "C:\\Program Files (x86)\\DOS Manager\\dosmgr.exe" | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2012 set thread context of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DOS Manager\dosmgr.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A
File opened for modification | C:\Program Files (x86)\DOS Manager\dosmgr.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2012 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2012 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2012 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2012 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2012 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2012 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2012 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2012 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2012 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2516 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2516 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2516 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2516 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2516 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2516 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2516 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2516 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe

"C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZYoQJBONC.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZYoQJBONC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EC1.tmp"

C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe

"C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8102.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8161.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | december2nd.ddns.net | udp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
US | 8.8.8.8:53 | december2nd.ddns.net | udp

Files

memory/2012-0-0x0000000000DC0000-0x0000000000E64000-memory.dmp

memory/2012-1-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/2012-2-0x00000000004B0000-0x00000000004F0000-memory.dmp

memory/2012-3-0x00000000007F0000-0x0000000000808000-memory.dmp

memory/2012-4-0x00000000009E0000-0x00000000009EE000-memory.dmp

memory/2012-5-0x00000000009F0000-0x0000000000A06000-memory.dmp

memory/2012-6-0x0000000004890000-0x000000000490C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LK4NVNQVVWU1KI1NR6QR.temp

MD5 b9f7fdde95b31ec1b9a6c229620f9e29
SHA1 141a7419029ac49c1190c6dd6f9941643b260713
SHA256 4c995708eda7ffec29fd5f4ccc5b3fba666929183b103cef600423db1873fe07
SHA512 80f6cb8c334a320da9a72e7cf2c37249ef315eaaba52f1867e78a284c6bc5404b2cf8230b1f0326de7cd9b1fb7eb09cc993b84263c85b5ad6bbb17f064252c80

C:\Users\Admin\AppData\Local\Temp\tmp7EC1.tmp

MD5 0a049d946a141d3cf1d8b8917003f93a
SHA1 8ae6b06e1cf75e80be62b278244cc58a5c839149
SHA256 e22dc75cb060563ef3bb857ac763319c7fac3456b98f8b2f96b961f6c9e1e70a
SHA512 b96195367b0614ea56f31e7985e052eb4dd16b2ce7eb13fd9ddbf83314340ece5d9401605461694dc254fee8647ca73b06b2103677ed0cde8f756d698970b71f

memory/2516-19-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2516-29-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2516-31-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2516-28-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2516-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2516-25-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2516-23-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2516-21-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2012-32-0x0000000073FD0000-0x00000000746BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8102.tmp

MD5 d4561c71381b52aaedee04fb1dd48775
SHA1 c8c2ff059414c1e9fd75a6f4e69067de017f5358
SHA256 7a0ff9bd88d411effa13a431e003693a1a3e5b5f02d0b68a6f42db98cc214b09
SHA512 c1bd2bab168965624bcb758f360f87492a4dfadb11a95b6becc98b670f43aa49adc6cb1c93e4bbf44333993d59c697fd8450dc3ce7377a4ebdad3650684b962f

C:\Users\Admin\AppData\Local\Temp\tmp8161.tmp

MD5 8f5713b14cee3089852f6c8d2a7a7d57
SHA1 8bffbea05715c6434ad593cce8a2c737f80ff788
SHA256 ab3ce102242c3144f87bcbfe83984a478821cd09e62c0e5211b2ab37dde02d2c
SHA512 82bd2378c2d6bb34a1ad3f2d26bfea583fc8403691bed6668521ba3e8bc7bdbdf142f872ddbc8e5251550f47c9bbee4eb3d0d6096f80d85259082cf68a454c72

memory/2516-40-0x00000000009B0000-0x00000000009BA000-memory.dmp

memory/2516-41-0x00000000009C0000-0x00000000009CC000-memory.dmp

memory/2516-42-0x0000000000B60000-0x0000000000B7E000-memory.dmp

memory/2516-43-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-29 04:28
Reported: 2024-04-29 04:30
Platform: win10v2004-20240419-en
Max time kernel: 140s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2624 set thread context of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DHCP Host\dhcphost.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A
File opened for modification | C:\Program Files (x86)\DHCP Host\dhcphost.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2624 wrote to memory of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2624 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2624 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2624 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2624 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2624 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2624 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2624 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2624 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2624 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2624 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2624 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2624 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 2624 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe
PID 1636 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe

"C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZYoQJBONC.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZYoQJBONC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8906.tmp"

C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe

"C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"

C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe

"C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8D8A.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8F31.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
US | 8.8.8.8:53 | december2n.duckdns.org | udp

Files

memory/2624-0-0x00000000001A0000-0x0000000000244000-memory.dmp

memory/2624-2-0x00000000050D0000-0x0000000005674000-memory.dmp

memory/2624-1-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/2624-3-0x0000000004C20000-0x0000000004CB2000-memory.dmp

memory/2624-4-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

memory/2624-5-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

memory/2624-6-0x0000000004FA0000-0x0000000004FB8000-memory.dmp

memory/2624-7-0x0000000005E80000-0x0000000005E8E000-memory.dmp

memory/2624-8-0x0000000005E90000-0x0000000005EA6000-memory.dmp

memory/2624-9-0x0000000005F10000-0x0000000005F8C000-memory.dmp

memory/2624-10-0x0000000008630000-0x00000000086CC000-memory.dmp

memory/4080-15-0x00000000029A0000-0x00000000029D6000-memory.dmp

memory/4080-17-0x0000000005510000-0x0000000005B38000-memory.dmp

memory/2624-16-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/4080-18-0x00000000054E0000-0x0000000005502000-memory.dmp

memory/4080-19-0x0000000005BB0000-0x0000000005C16000-memory.dmp

memory/2624-24-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

memory/4080-23-0x0000000002B10000-0x0000000002B20000-memory.dmp

memory/4080-22-0x0000000002B10000-0x0000000002B20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_spos4lhu.x4u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4080-21-0x0000000005C20000-0x0000000005C86000-memory.dmp

memory/4040-35-0x0000000004550000-0x0000000004560000-memory.dmp

memory/4040-34-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/4040-37-0x0000000004550000-0x0000000004560000-memory.dmp

memory/4080-36-0x0000000005D90000-0x00000000060E4000-memory.dmp

memory/4080-20-0x0000000074AD0000-0x0000000075280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8906.tmp

MD5 253388a458ba2d6ec842afc7a55e6854
SHA1 64ee2323d2e053e40f268f9e5147b1f204970c23
SHA256 79361b7bf0a99528f67732286f3180d020dc571573ba7f0fc9b254e9edb92fc4
SHA512 426d58e694bac78fcf0966b45d17f5636935c840fa3fc4cc038e59145c61e52f3af6d0aa8b21a1a9bc19c282339ec4d9609ac5c9e34691d4970f4563a0a9b09a

memory/1636-48-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2624-50-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/4080-52-0x0000000006880000-0x00000000068CC000-memory.dmp

memory/4080-51-0x00000000062A0000-0x00000000062BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8D8A.tmp

MD5 d4561c71381b52aaedee04fb1dd48775
SHA1 c8c2ff059414c1e9fd75a6f4e69067de017f5358
SHA256 7a0ff9bd88d411effa13a431e003693a1a3e5b5f02d0b68a6f42db98cc214b09
SHA512 c1bd2bab168965624bcb758f360f87492a4dfadb11a95b6becc98b670f43aa49adc6cb1c93e4bbf44333993d59c697fd8450dc3ce7377a4ebdad3650684b962f

C:\Users\Admin\AppData\Local\Temp\tmp8F31.tmp

MD5 0479d5f304ef2d7e3c15fb24a99f88c1
SHA1 8edbb1450a656fac5f5e96779ffe440ee8c1aec9
SHA256 112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc
SHA512 537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15

memory/1636-62-0x0000000005000000-0x000000000501E000-memory.dmp

memory/1636-63-0x0000000005FC0000-0x0000000005FCA000-memory.dmp

memory/1636-61-0x0000000004FB0000-0x0000000004FBC000-memory.dmp

memory/1636-60-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

memory/4080-77-0x00000000072D0000-0x0000000007373000-memory.dmp

memory/4040-76-0x00000000712C0000-0x000000007130C000-memory.dmp

memory/4080-75-0x0000000006820000-0x000000000683E000-memory.dmp

memory/4080-65-0x00000000712C0000-0x000000007130C000-memory.dmp

memory/4080-64-0x0000000007290000-0x00000000072C2000-memory.dmp

memory/4040-87-0x00000000073B0000-0x0000000007A2A000-memory.dmp

memory/4080-88-0x00000000073C0000-0x00000000073DA000-memory.dmp

memory/4040-89-0x0000000006DD0000-0x0000000006DDA000-memory.dmp

memory/4080-90-0x0000000007870000-0x0000000007906000-memory.dmp

memory/4080-91-0x00000000077D0000-0x00000000077E1000-memory.dmp

memory/4080-92-0x0000000007800000-0x000000000780E000-memory.dmp

memory/4080-93-0x0000000007810000-0x0000000007824000-memory.dmp

memory/4080-94-0x0000000007910000-0x000000000792A000-memory.dmp

memory/4080-95-0x0000000007850000-0x0000000007858000-memory.dmp

memory/4040-99-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/4080-98-0x0000000074AD0000-0x0000000075280000-memory.dmp