Malware Analysis Report

2024-10-19 07:12

Sample ID 240506-lawdasfe8t
Target 1bcefc01a210a73a4c627b093bd86383_JaffaCakes118
SHA256 1fc02ca1e56c70c0b8e0d3f459c5e154660e9bf3bb2be1ea86a56e09b4c6227f
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1fc02ca1e56c70c0b8e0d3f459c5e154660e9bf3bb2be1ea86a56e09b4c6227f

Threat Level: Known bad

The file 1bcefc01a210a73a4c627b093bd86383_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Drops startup file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

NTFS ADS

Creates scheduled task(s)

Delays execution with timeout.exe

Analysis: static1

Detonation Overview

Reported

2024-05-06 09:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 09:20

Reported

2024-05-06 09:22

Platform

win7-20240221-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe.lnk C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1688 set thread context of 1708 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1688 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Users\Admin\AppData\Roaming\tmp.exe
PID 1688 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe
PID 1688 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Windows\SysWOW64\schtasks.exe
PID 2504 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe

"C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe.lnk" /f

C:\Users\Admin\AppData\Roaming\tmp.exe

"C:\Users\Admin\AppData\Roaming\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe

"C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe.bat

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5C34.tmp"

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

Network

Country Destination Domain Proto
US 8.8.8.8:53 happiboi.hopto.org udp

Files

memory/1688-0-0x0000000074121000-0x0000000074122000-memory.dmp

memory/1688-1-0x0000000074120000-0x00000000746CB000-memory.dmp

memory/1688-2-0x0000000074120000-0x00000000746CB000-memory.dmp

C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe

MD5 8c810e18058e24ff54a30a44e040569a
SHA1 b0329f16013e786898cd75c101565fa70850be03
SHA256 0e07d406f33fbf19219ea60e644cfd634fc8c934508bb608a6a1a3f13db1cc5a
SHA512 f9beeaf52b85d01596382b2d5a64922332fea7f4894c24eeeae45ad07ba80cd70800a81e29f13922accc1d922b0ba56e8456a24bd03f0f1e51c623f2cc6726e1

\Users\Admin\AppData\Roaming\tmp.exe

MD5 aee43daf7741caca297366c1b3847064
SHA1 1489823a4d9b9a1af0c0b68d4f9736b2e4e8760c
SHA256 86f69803a5ef3352b380deeb1f13a31ea64a284ef468aa383c18a362f0136533
SHA512 2ae87b23504e2fa2b5cf971c3aa90dd5169b7d867608e1ed03519545904bcf512a2798cd1efb2cd781a96e7e146ce346cd2470fb77fcf9a8633928fee31f7f15

memory/1708-24-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2644-21-0x000007FEF54AE000-0x000007FEF54AF000-memory.dmp

memory/1708-31-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1708-33-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1708-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1708-29-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1708-26-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1708-22-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1708-32-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe.bat

MD5 a6a348e297488daf6ff46dfa30aae8b2
SHA1 df8d695405da71f61dc6640882ce942271ae5695
SHA256 877588837ba56aebb4e60e060f881401a081fdc852e6cdea71086d86b6f82daa
SHA512 82227ba2d19b6b8ee1fe0f4a034b1725a33fb524d53bc045c471da724798ccd2327173fb1b113056a31e09fd228059f6335050ceeb4c0f33f349b60caa49a3ba

memory/2644-44-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

memory/2644-45-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5C34.tmp

MD5 e5cc560fef620b58811b19ec54168440
SHA1 a6d5d68e2009bb12ffd49c5251d26fe973f7e10f
SHA256 82da477cdf0dc2ed8197afd69d702e34240578250c233b489dfe5e8472f56b75
SHA512 64e5b751072bb0eea1b36dd6385be0b824e90db08fac384ce02f63a51b9a23ad7efd2ac7c71d5c2f1f2f7018c881335dae321ed96c821adca5d9b58ed6ec7bb6

memory/1688-48-0x0000000074120000-0x00000000746CB000-memory.dmp

memory/2644-49-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

memory/1688-50-0x0000000074120000-0x00000000746CB000-memory.dmp

memory/1688-51-0x0000000074120000-0x00000000746CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 09:20

Reported

2024-05-06 09:22

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe.lnk C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4268 set thread context of 4324 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4268 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4268 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Users\Admin\AppData\Roaming\tmp.exe
PID 4268 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe
PID 4268 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe C:\Windows\SysWOW64\schtasks.exe
PID 4392 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe

"C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe.lnk" /f

C:\Users\Admin\AppData\Roaming\tmp.exe

"C:\Users\Admin\AppData\Roaming\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe

"C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe.bat

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6C95.tmp"

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 happiboi.hopto.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 216.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4268-0-0x00000000748D2000-0x00000000748D3000-memory.dmp

memory/4268-1-0x00000000748D0000-0x0000000074E81000-memory.dmp

memory/4268-2-0x00000000748D0000-0x0000000074E81000-memory.dmp

C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe

MD5 8c810e18058e24ff54a30a44e040569a
SHA1 b0329f16013e786898cd75c101565fa70850be03
SHA256 0e07d406f33fbf19219ea60e644cfd634fc8c934508bb608a6a1a3f13db1cc5a
SHA512 f9beeaf52b85d01596382b2d5a64922332fea7f4894c24eeeae45ad07ba80cd70800a81e29f13922accc1d922b0ba56e8456a24bd03f0f1e51c623f2cc6726e1

C:\Users\Admin\AppData\Roaming\tmp.exe

MD5 aee43daf7741caca297366c1b3847064
SHA1 1489823a4d9b9a1af0c0b68d4f9736b2e4e8760c
SHA256 86f69803a5ef3352b380deeb1f13a31ea64a284ef468aa383c18a362f0136533
SHA512 2ae87b23504e2fa2b5cf971c3aa90dd5169b7d867608e1ed03519545904bcf512a2798cd1efb2cd781a96e7e146ce346cd2470fb77fcf9a8633928fee31f7f15

memory/4324-21-0x00000000748D0000-0x0000000074E81000-memory.dmp

memory/4324-22-0x00000000748D0000-0x0000000074E81000-memory.dmp

memory/4580-27-0x00007FFA94065000-0x00007FFA94066000-memory.dmp

memory/4580-26-0x0000000001510000-0x0000000001520000-memory.dmp

memory/4324-25-0x00000000748D0000-0x0000000074E81000-memory.dmp

memory/4580-28-0x000000001C130000-0x000000001C5FE000-memory.dmp

memory/4580-32-0x000000001C6A0000-0x000000001C73C000-memory.dmp

memory/4580-31-0x00007FFA93DB0000-0x00007FFA94751000-memory.dmp

C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe.bat

MD5 a6a348e297488daf6ff46dfa30aae8b2
SHA1 df8d695405da71f61dc6640882ce942271ae5695
SHA256 877588837ba56aebb4e60e060f881401a081fdc852e6cdea71086d86b6f82daa
SHA512 82227ba2d19b6b8ee1fe0f4a034b1725a33fb524d53bc045c471da724798ccd2327173fb1b113056a31e09fd228059f6335050ceeb4c0f33f349b60caa49a3ba

memory/4580-33-0x000000001C8F0000-0x000000001C996000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6C95.tmp

MD5 e5cc560fef620b58811b19ec54168440
SHA1 a6d5d68e2009bb12ffd49c5251d26fe973f7e10f
SHA256 82da477cdf0dc2ed8197afd69d702e34240578250c233b489dfe5e8472f56b75
SHA512 64e5b751072bb0eea1b36dd6385be0b824e90db08fac384ce02f63a51b9a23ad7efd2ac7c71d5c2f1f2f7018c881335dae321ed96c821adca5d9b58ed6ec7bb6

memory/4580-37-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

memory/4268-38-0x00000000748D2000-0x00000000748D3000-memory.dmp

memory/4268-39-0x00000000748D0000-0x0000000074E81000-memory.dmp

memory/4580-41-0x00007FFA93DB0000-0x00007FFA94751000-memory.dmp

memory/4268-43-0x00000000748D0000-0x0000000074E81000-memory.dmp

memory/4324-44-0x00000000748D0000-0x0000000074E81000-memory.dmp

memory/4324-45-0x00000000748D0000-0x0000000074E81000-memory.dmp