Malware Analysis Report

2024-10-19 07:11

Sample ID: 240511-kbaybagg6x
Target: 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
SHA256: 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
Tags: nanocore execution keylogger persistence spyware stealer trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported: 2024-05-11 08:25

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-11 08:25
Reported: 2024-05-11 08:27
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1952 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NAS Host\nashost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\NAS Host\nashost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A | 3

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1952 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 1952 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 1952 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 1952 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 12
PID 2472 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2472 wrote to memory of 2828 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C41.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7E54.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7EB2.tmp"

Network

Country | Destination | Domain | Proto | Events
US | 8.8.8.8:53 | december2nd.ddns.net | udp | 3
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp | 7
US | 8.8.8.8:53 | december2n.duckdns.org | udp | 2
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp | 6

Files

C:\Users\Admin\AppData\Local\Temp\tmp7C41.tmp

MD5 1e5308ea8227ef915028e2a7c6c8ab4d
SHA1 c982ed02e9d692ce14c989ab8459a901b9b2e13d
SHA256 203e8c1e354a2e9786583e5898217aa21ba6d281659bed3d819ea3b5df14d042
SHA512 60cdd2531680758904f1f36c8a48d62b42948c228266bd30fb973d45c8581165baafecbf4059f03d5476ab90a1d7d52e3d8072d1b5858e62f6f849ec871f7569

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 6761041d7ffc843d830f55e3dcc0ef2a
SHA1 f3e68276c808ae030d9a4f5bd18080e744913f98
SHA256 9619f24c0e3d9b1a47399a698c457fc5106aff8e2bdb035c6c9d5cf2501ae1fa
SHA512 da5ab4f4067a58056772f6e57440021a2709f4ad12c9d9d3fbe64e47b66c8bcf9f59166def3d70ee972c4dde8e93582d41980392bcb1c660a6ec2e7151b50ef9

C:\Users\Admin\AppData\Local\Temp\tmp7E54.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp7EB2.tmp

MD5 9f554f602c22cfc20079e966d177fadb
SHA1 789baa3425849bf239e47c6bcf352e6693a8c337
SHA256 4c760d5fe0c06cf4bf554170870f41181c61a217c37eb826903094dda86dd1f1
SHA512 b83e3e97dbe38ec4c64d9bef65e2521416f2d7434d78d05e66f729a2e0fbfea3f9bc6f6c4abaf76555af89a9565dfc0853d99067be9042dd66ed6246696eecbb

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-11 08:25
Reported: 2024-05-11 08:28
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1524 set thread context of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DHCP Service\dhcpsv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\DHCP Service\dhcpsv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A | 3

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Events
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1524 wrote to memory of 3160 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1524 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1524 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 1524 wrote to memory of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 8
PID 4384 wrote to memory of 3960 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 4384 wrote to memory of 3084 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97FA.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9D69.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9ED1.tmp"

Network

Country | Destination | Domain | Proto | Events
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp | 1
BE | 88.221.83.217:443 | www.bing.com | tcp | 1
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | december2nd.ddns.net | udp | 4
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp | 6
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | december2n.duckdns.org | udp | 2
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp | 6
US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp | 1

Files

C:\Users\Admin\AppData\Local\Temp\tmp97FA.tmp

MD5 b7304fae98f79cca9a46e35ea6295e70
SHA1 c5728f90dc7eac1d991beb6b145a15acffe88f4b
SHA256 5af6ba12665361e283e4affac08134f50e2a855aa0e901554d5d906acb375305
SHA512 4accba4d47714ddcd52d2cf33c5af476933ec4b47b1a871f35e4760c6a8ec77875149c6e8afa8f0f10a83ba0adf0a684fcaf545af8b9a2129018b12e94a582af

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0xbognce.z4a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp9D69.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp9ED1.tmp

MD5 a77c223a0fc492dccd6fb9975f7a8766
SHA1 5e813636ae9b8138d78919348a5da3a6e8bd74b5
SHA256 589df7325d42409c50827600fedb240171ee4bdab85916474a37800c2382829e
SHA512 315cea8fde3c594404f5d3c96c710af1214cff6d08ccdb40634a739e108ff810e02624735a2b8c3e3720157b4a55327f317c3c23c3a681b46b9ab0f19060f7c0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a28a1b4bb4e52623cf53eaa43312aac1
SHA1 f04e08dfdc09cbbe555d87d016f8c72b2fe637fb
SHA256 8bbb981a31a4620e1529c3e07915becd9086317ab9317042afd6042a6efffe0c
SHA512 e11f5947d8f50c9393c071326932f2d1ee6dbd07885d1809b0bce0218f369caa9352782a41ac48de2f210b26f2f35c7b8f745df3fee34aa20ef3a2568446503e
