Malware Analysis Report

2024-10-19 07:11

Sample ID 240511-kbcrxabd75
Target 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
SHA256 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
Tags
nanocore execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c

Threat Level: Known bad

The file 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c was found to be: Known bad.

Malicious Activity Summary

nanocore execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-11 08:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-11 08:25
Reported: 2024-05-11 08:27
Platform: win7-20240220-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2700 set thread context of 2880 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2808 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2692 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2772 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2700 wrote to memory of 2880 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2880 wrote to memory of 2708 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2880 wrote to memory of 2188 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7742.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7907.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp79B3.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 8.8.8.8:53 december2nd.ddns.net udp

Files

memory/2700-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

memory/2700-1-0x00000000013D0000-0x00000000014C2000-memory.dmp

memory/2700-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp

memory/2700-3-0x0000000000560000-0x000000000057E000-memory.dmp

memory/2700-4-0x00000000005B0000-0x00000000005C0000-memory.dmp

memory/2700-5-0x00000000005C0000-0x00000000005D6000-memory.dmp

memory/2700-6-0x0000000004FA0000-0x000000000501C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7742.tmp

MD5 39342423d1db4a7b342db335a3a4d8cb
SHA1 6e801a19fbd3841f2ee128ec5ea58ef0215fde7c
SHA256 7cd50a22781c280647310895644046e1002fed993869625be028cdcf09fa482e
SHA512 cc91b2570e293e80f349903cf7581d4761cd96865eae770e5ab8d1b0f7113bab842866b14c5724cfe3b528bb57e5ce474d5ae34b7222b00b3a5e644a4204c62d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1809e60d2527473ca694a78da9fdfbbb
SHA1 10115dd2bb144b6afdb9fc8834d2668b020d14ce
SHA256 f6e7ebe8405a60db8bebc73793df75feed9b1b50a7f7022551043c8d6e703b3b
SHA512 43247d6c40f900d49684139cd5f5e13eef1521acd853533da72276b83c6e9d848b251b6f955abee42fcf3e8ff261eaab843011876a179ca98ca86e482aeaf41b

memory/2880-25-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2880-28-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2880-30-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2880-29-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2880-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2880-21-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2880-19-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2880-23-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2700-31-0x00000000744C0000-0x0000000074BAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7907.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp79B3.tmp

MD5 4b7ef560289c0f62d0baf6f14f48a57a
SHA1 8331acb90dde588aa3196919f6e847f398fd06d1
SHA256 062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207
SHA512 ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8

memory/2880-39-0x00000000003B0000-0x00000000003BA000-memory.dmp

memory/2880-40-0x00000000003C0000-0x00000000003CC000-memory.dmp

memory/2880-41-0x00000000003D0000-0x00000000003EE000-memory.dmp

memory/2880-42-0x00000000004E0000-0x00000000004EA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-11 08:25
Reported: 2024-05-11 08:27
Platform: win10v2004-20240426-en
Max time kernel: 146s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4700 set thread context of 2076 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 4860 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4700 wrote to memory of 4564 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4700 wrote to memory of 3096 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 4700 wrote to memory of 2076 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2076 wrote to memory of 1796 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2076 wrote to memory of 2816 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C30.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9DC7.tmp"
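
Both Processes sections (behavioral1 above and behavioral2 here) show the same chain. The sample is a 32-bit image, which is why its children are logged under SysWOW64 while their command lines name System32. It first runs PowerShell twice with Add-MpPreference -ExclusionPath to exclude itself and a copy under AppData\Roaming from Windows Defender scanning, registers a scheduled task "Updates\fupTmRCVq" from an XML file in Temp, then launches RegSvcs.exe with no arguments and writes into it (the SetThreadContext and WriteProcessMemory rows), which is the shape of process hollowing. The injected RegSvcs.exe then drops the "TCP Subsystem" or "DHCP Subsystem" copy under Program Files (x86), registers two more tasks for it and sets the Run key. The Python script below is an added example, not part of the sandbox output, that encodes those observations as detection rules and runs them over process records transcribed from both runs. Parent/child links are taken from the WriteProcessMemory rows; which PowerShell or schtasks PID ran which command line is not stated by the report, so the pairing follows list order, and the rule names and ATT&CK technique IDs are the example's own mapping.

```python
"""Rule-based triage of the process trees from both detonations.

Added example for this report, not the sandbox's own code. Process records are
transcribed from the two Processes sections; parent/child links come from the
WriteProcessMemory rows (sample -> powershell, schtasks, RegSvcs.exe; RegSvcs.exe
-> schtasks). Rule names and ATT&CK mappings are this example's own.
"""
import re
from collections import Counter, namedtuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

Proc = namedtuple("Proc", "pid ppid image cmdline")
Finding = namedtuple("Finding", "rule technique pid")


def detonation(sample, ps, tasks, host, xml, name):
    """Rebuild one run's process list. Which powershell or schtasks PID ran which
    command line is not stated by the report; the pairing follows list order
    (an assumption of this example)."""
    return [
        Proc(sample, 0, SAMPLE, f'"{SAMPLE}"'),
        Proc(ps[0], sample, PS, f'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE}"'),
        Proc(ps[1], sample, PS, f'{PS_CMD} Add-MpPreference -ExclusionPath '
             '"C:\\Users\\Admin\\AppData\\Roaming\\fupTmRCVq.exe"'),
        Proc(tasks[0], sample, SCHTASKS, '"C:\\Windows\\System32\\schtasks.exe" /Create '
             f'/TN "Updates\\fupTmRCVq" /XML "{TEMP}\\{xml[0]}"'),
        Proc(host, sample, REGSVCS, f'"{REGSVCS}"'),
        Proc(tasks[1], host, SCHTASKS,
             f'"schtasks.exe" /create /f /tn "{name}" /xml "{TEMP}\\{xml[1]}"'),
        Proc(tasks[2], host, SCHTASKS,
             f'"schtasks.exe" /create /f /tn "{name} Task" /xml "{TEMP}\\{xml[2]}"'),
    ]


BEHAVIORAL1 = detonation(2700, (2808, 2692), (2772, 2708, 2188), 2880,
                         ("tmp7742.tmp", "tmp7907.tmp", "tmp79B3.tmp"), "TCP Subsystem")
BEHAVIORAL2 = detonation(4700, (4860, 4564), (3096, 1796, 2816), 2076,
                         ("tmp9673.tmp", "tmp9C30.tmp", "tmp9DC7.tmp"), "DHCP Subsystem")


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def r_defender_exclusion(p, parent):
    # Add-MpPreference -ExclusionPath carves the payload out of Defender scanning.
    return base(p.image) == "powershell.exe" and bool(
        re.search(r"add-mppreference\s+-exclusionpath\b", p.cmdline, re.I))


def r_task_from_temp_xml(p, parent):
    # schtasks /create fed a task definition written to the user's Temp directory.
    if base(p.image) != "schtasks.exe" or not re.search(r"/create\b", p.cmdline, re.I):
        return False
    m = re.search(r'/xml\s+"([^"]+)"', p.cmdline, re.I)
    return bool(m) and "\\appdata\\local\\temp\\" in m.group(1).lower()


def r_hollowed_dotnet_host(p, parent):
    # A .NET utility started with no arguments by a binary under C:\Users does no
    # legitimate work; with the SetThreadContext and WriteProcessMemory rows this
    # is the shape of process hollowing.
    if base(p.image) not in DOTNET_HOSTS or parent is None:
        return False
    bare = p.cmdline.strip().strip('"').lower() == p.image.lower()
    return bare and "\\users\\" in parent.image.lower()


def r_task_from_dotnet_host(p, parent):
    # The injected host registering its own persistence.
    return (base(p.image) == "schtasks.exe" and parent is not None
            and base(parent.image) in DOTNET_HOSTS)


RULES = [
    ("defender-exclusion-added", "T1562.001", r_defender_exclusion),
    ("schtask-from-temp-xml", "T1053.005", r_task_from_temp_xml),
    ("dotnet-utility-hollowing-candidate", "T1055.012", r_hollowed_dotnet_host),
    ("persistence-from-injected-host", "T1053.005", r_task_from_dotnet_host),
]


def triage(procs):
    by_pid = {p.pid: p for p in procs}
    return [Finding(name, technique, p.pid)
            for p in procs for name, technique, pred in RULES
            if pred(p, by_pid.get(p.ppid))]


def summarize(findings):
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for label, procs in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(label, summarize(triage(procs)))
```

Each detonation yields eight findings: two Defender exclusions, three scheduled tasks created from Temp, one hollowing candidate and two tasks registered by the injected host. The hollowing rule keys on an argument-less RegSvcs.exe whose parent lives under C:\Users; on a real endpoint, pair it with SetThreadContext or image-load telemetry rather than relying on the parent path alone, since installers legitimately call RegSvcs.exe with an assembly argument.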

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.249:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.83.221.88.in-addr.arpa udp
BE 88.221.83.249:443 www.bing.com tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
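
Both Network tables mix the sample's traffic with resolver and OS background rows: reverse (in-addr.arpa) lookups issued by the sandbox resolver and Bing connections from the Windows 10 image. What is left after removing those is the same in both runs: two dynamic-DNS names, december2nd.ddns.net (91.92.253.11, NL) and december2n.duckdns.org (192.169.69.26, US), each contacted over TCP on port 65024, consistent with a client configured with two C2 hosts. The Python script below is an added example, not part of the report, that parses a subset of the rows copied from the two tables, drops the background traffic and scores the remaining TCP destinations; the dynamic-DNS suffix list, the background suffix list and the two-signal threshold are assumptions of the example.

```python
"""Pull C2 candidates out of the report's Network tables.

Added example for this report, not the sandbox's own code. ROWS is a subset of
the rows copied from the Network sections of behavioral1 and behavioral2; the
suffix lists and the scoring are this example's own assumptions.
"""
from collections import Counter, namedtuple

# Country Destination Domain Proto, as printed in the report.
ROWS = """\
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.249:443 www.bing.com tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumptions of this example: free dynamic-DNS suffixes favoured for RAT C2,
# and suffixes that are sandbox/OS background traffic on a Windows 10 image.
DYNDNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".no-ip.org", ".hopto.org")
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
COMMON_PORTS = {53, 80, 443}

Flow = namedtuple("Flow", "country ip port domain proto")
Candidate = namedtuple("Candidate", "domain ip port country connections reasons")


def parse(text):
    flows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def is_background(domain):
    return domain.endswith(BACKGROUND_SUFFIXES)


def c2_candidates(flows):
    """Score each TCP destination; a PTR lookup or a Bing fetch never reaches it."""
    counts = Counter()
    country = {}
    for f in flows:
        if f.proto != "tcp" or is_background(f.domain):
            continue
        key = (f.domain, f.ip, f.port)
        counts[key] += 1
        country[key] = f.country
    out = []
    for key, n in counts.items():
        domain, ip, port = key
        reasons = []
        if domain.endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic-dns")
        if port not in COMMON_PORTS:
            reasons.append(f"uncommon-port-{port}")
        # Two independent signals before a destination is called C2.
        if len(reasons) >= 2:
            out.append(Candidate(domain, ip, port, country[key], n, tuple(reasons)))
    return sorted(out)


def resolutions(flows):
    """Queried names (resolver noise removed) and the IPs later contacted under them."""
    queried = {f.domain for f in flows
               if f.proto == "udp" and f.port == 53 and not is_background(f.domain)}
    return {d: sorted({f.ip for f in flows if f.domain == d and f.proto == "tcp"})
            for d in queried}


if __name__ == "__main__":
    flows = parse(ROWS)
    print(resolutions(flows))
    for c in c2_candidates(flows):
        print(c)
```

The two-signal threshold matters: a dynamic-DNS name on port 443 or a bare IP on an odd port each deserve a look, but only the combination is promoted to a candidate here. Block or sinkhole the names rather than the addresses; the ddns.net and duckdns.org records can be repointed by the operator at any time, which is the reason they were chosen.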

Files

memory/4700-0-0x000000007501E000-0x000000007501F000-memory.dmp

memory/4700-1-0x0000000000FD0000-0x00000000010C2000-memory.dmp

memory/4700-2-0x0000000006090000-0x0000000006634000-memory.dmp

memory/4700-3-0x0000000005AE0000-0x0000000005B72000-memory.dmp

memory/4700-4-0x0000000005AC0000-0x0000000005ACA000-memory.dmp

memory/4700-5-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4700-6-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

memory/4700-7-0x0000000005EF0000-0x0000000005F00000-memory.dmp

memory/4700-8-0x0000000005F20000-0x0000000005F36000-memory.dmp

memory/4700-9-0x0000000007040000-0x00000000070BC000-memory.dmp

memory/4700-10-0x00000000096C0000-0x000000000975C000-memory.dmp

memory/4700-15-0x000000007501E000-0x000000007501F000-memory.dmp

memory/4860-16-0x0000000002480000-0x00000000024B6000-memory.dmp

memory/4860-18-0x0000000005050000-0x0000000005678000-memory.dmp

memory/4860-17-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4700-19-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4564-20-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4564-21-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4860-22-0x0000000005000000-0x0000000005022000-memory.dmp

memory/4564-25-0x0000000005F60000-0x0000000005FC6000-memory.dmp

memory/4860-24-0x0000000075010000-0x00000000757C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nie4phco.sdq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp

MD5 af4404b2f40347b8dc341fc4a8f2cfcf
SHA1 5d157fb481c54c9c9aa0c397c96d892943738976
SHA256 c6b214362ad6eea7d8e857a9f794eab01930feeb3707b168ca29d1efbc70b412
SHA512 31ee8bc3ef818b3495f87bb6cfece9ea97e3f41d059426a9f85489c0a780bb26cab93920aba1962c6b84be5fe3eb3c2999af1a3e0e10e1c8804486dab410a983

memory/4564-23-0x0000000005EF0000-0x0000000005F56000-memory.dmp

memory/4860-46-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4564-45-0x0000000006170000-0x00000000064C4000-memory.dmp

memory/2076-47-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4564-48-0x0000000006590000-0x00000000065AE000-memory.dmp

memory/4564-50-0x0000000006640000-0x000000000668C000-memory.dmp

memory/4700-51-0x0000000075010000-0x00000000757C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9C30.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp9DC7.tmp

MD5 2f26d92c1eeead3896820e56ec46f6f1
SHA1 d95533b61eed7d89e4ada56bc566d60e42ac1f61
SHA256 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa
SHA512 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892

memory/2076-59-0x00000000052D0000-0x00000000052DA000-memory.dmp

memory/2076-62-0x0000000005F10000-0x0000000005F1A000-memory.dmp

memory/2076-61-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

memory/2076-60-0x0000000005EC0000-0x0000000005ECC000-memory.dmp

memory/4564-63-0x0000000007770000-0x00000000077A2000-memory.dmp

memory/4564-75-0x00000000077B0000-0x0000000007853000-memory.dmp

memory/4564-74-0x0000000006B60000-0x0000000006B7E000-memory.dmp

memory/4564-64-0x0000000070570000-0x00000000705BC000-memory.dmp

memory/4860-76-0x0000000070570000-0x00000000705BC000-memory.dmp

memory/4564-86-0x0000000007F00000-0x000000000857A000-memory.dmp

memory/4860-87-0x00000000070E0000-0x00000000070FA000-memory.dmp

memory/4860-88-0x0000000007150000-0x000000000715A000-memory.dmp

memory/4564-89-0x0000000007B40000-0x0000000007BD6000-memory.dmp

memory/4860-90-0x00000000072E0000-0x00000000072F1000-memory.dmp

memory/4860-91-0x0000000007310000-0x000000000731E000-memory.dmp

memory/4564-92-0x0000000007B00000-0x0000000007B14000-memory.dmp

memory/4860-94-0x0000000007400000-0x0000000007408000-memory.dmp

memory/4860-93-0x0000000007420000-0x000000000743A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 302e29fb02a4710c8af4b60cd9c82d5d
SHA1 2a7972366ac48f8a0f51be310befd4ded6cd5c26
SHA256 4caa4e7aaabffadd0d32401a153de261a91c82a7ad7d66615bf3395b38bf3805
SHA512 8f44f6932ac75d4c0da329251d0acfa1000c41365a590bff7ac3fde10fd92a487252458f9b07671d341dc25125e5782c3c0c134d75d9b624f80ef3324f24e70b

memory/4564-101-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4860-100-0x0000000075010000-0x00000000757C0000-memory.dmp
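
The Files sections of the two runs list host artifacts alongside what the sample wrote. The .tmp names in Temp change between runs, but tmp7907.tmp (behavioral1) and tmp9C30.tmp (behavioral2) carry the same MD5/SHA1/SHA256, so that scheduled-task XML is byte-identical across detonations and its hash is a usable indicator where the file name is not. The PowerShell policy-test script, the CLR usage log, the PowerShell startup profile cache and the jump-list file are produced by Windows and PowerShell themselves and should not be promoted to indicators. The Python script below is an added example, not part of the report, that applies that separation to (path, SHA256) pairs copied from both runs (memory dumps left out); the host-artifact patterns are the example's own assumptions.

```python
"""Separate dropped files from host artifacts and find hashes shared between runs.

Added example for this report, not the sandbox's own code. Entries are
(path, sha256) copied from the two Files sections; memory dumps are omitted.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNS = {
    "behavioral1": [
        (TEMP + r"\tmp7742.tmp", "7cd50a22781c280647310895644046e1002fed993869625be028cdcf09fa482e"),
        (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations"
         r"\d93f411851d7c929.customDestinations-ms",
         "f6e7ebe8405a60db8bebc73793df75feed9b1b50a7f7022551043c8d6e703b3b"),
        (TEMP + r"\tmp7907.tmp", "3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c"),
        (TEMP + r"\tmp79B3.tmp", "062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207"),
    ],
    "behavioral2": [
        (TEMP + r"\__PSScriptPolicyTest_nie4phco.sdq.ps1",
         "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
        (TEMP + r"\tmp9673.tmp", "c6b214362ad6eea7d8e857a9f794eab01930feeb3707b168ca29d1efbc70b412"),
        (TEMP + r"\tmp9C30.tmp", "3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c"),
        (TEMP + r"\tmp9DC7.tmp", "99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa"),
        (r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log",
         "92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a"),
        (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive",
         "4caa4e7aaabffadd0d32401a153de261a91c82a7ad7d66615bf3395b38bf3805"),
    ],
}

# Paths Windows or PowerShell write on their own during any script run (this
# example's list, kept short; extend it from a clean baseline of your image).
HOST_ARTIFACTS = [
    re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I),   # PowerShell AppLocker/WDAC policy probe
    re.compile(r"\\CLR_v\d+\.\d+(_32)?\\UsageLogs\\", re.I),    # .NET runtime usage log
    re.compile(r"\\PowerShell\\StartupProfileData-", re.I),     # PowerShell startup cache
    re.compile(r"\.(custom|automatic)Destinations-ms$", re.I),  # Explorer jump list
]


def classify(path):
    """'host' for OS/PowerShell side effects, 'dropped' for everything else."""
    return "host" if any(p.search(path) for p in HOST_ARTIFACTS) else "dropped"


def shared_hashes(runs):
    """SHA256 values seen in more than one run, with where they were seen."""
    seen = defaultdict(list)
    for run, entries in runs.items():
        for path, sha256 in entries:
            seen[sha256].append((run, path))
    return {h: sorted(v) for h, v in seen.items() if len({r for r, _ in v}) > 1}


def ioc_hashes(runs):
    """Unique hashes of dropped files across all runs: what goes in a blocklist."""
    return sorted({sha256 for entries in runs.values()
                   for path, sha256 in entries if classify(path) == "dropped"})


if __name__ == "__main__":
    for h, where in shared_hashes(RUNS).items():
        print("stable across runs:", h, where)
    print(len(ioc_hashes(RUNS)), "dropped-file hashes")
```

The five hashes this returns are the task XML files (the "Updates\fupTmRCVq" task differs per run; the first "TCP Subsystem"/"DHCP Subsystem" task does not). The dropped executables themselves (tcpss.exe, dhcpss.exe, fupTmRCVq.exe) appear in the signature and command-line rows but not in the Files hash list, so their hashes cannot be taken from this report.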