Malware Analysis Report

2024-08-06 14:45

Sample ID 240626-bwgrxsygqp
Target a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe
SHA256 a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d
Tags nanocore execution keylogger persistence spyware stealer trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe was found to be: Known bad.

Malicious Activity Summary

nanocore execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-26 01:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 01:29

Reported

2024-06-26 01:32

Platform

win7-20240611-en

Max time kernel

122s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsvc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2192 set thread context of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DDP Service\ddpsvc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
File opened for modification | C:\Program Files (x86)\DDP Service\ddpsvc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2192 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2192 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2192 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe

"C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mmkGgxmHZUo.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mmkGgxmHZUo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3801.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | newsddawork.3utilities.com | udp
US | 104.243.242.163:1620 | newsddawork.3utilities.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp3801.tmp

MD5 98a8cd88202469304b7945c25de5147e
SHA1 5f31a2b80ea79f7699772ef558d5f2abad259ff4
SHA256 3ce6e2ea083471edbf2610c4acb4a94fbbc80c69f522b63f92d9d331aded9837
SHA512 f79465ffd67d51a48f5450e4656ebed0a0cd87248b40b5e5cc2138adf43214bb04dcc44df48becf310cfaf1849837f2ddd6e5d8167568312c8f6d4416fd9ac03

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 01:29

Reported

2024-06-26 01:32

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Service = "C:\\Program Files (x86)\\AGP Service\\agpsv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2652 set thread context of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\AGP Service\agpsv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
File opened for modification | C:\Program Files (x86)\AGP Service\agpsv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2652 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2652 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe

"C:\Users\Admin\AppData\Local\Temp\a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mmkGgxmHZUo.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mmkGgxmHZUo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp63FA.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | newsddawork.3utilities.com | udp
US | 8.8.4.4:53 | newsddawork.3utilities.com | udp
US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | maxlogs.webhop.me | udp
US | 8.8.4.4:53 | maxlogs.webhop.me | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp63FA.tmp

MD5 58d1d11d4fa2cb8b18da906d38cd261c
SHA1 3d5a8008d3a15381ad8a7017ffff88d298ba86f2
SHA256 13fdc9e804520abccd2b3a109ab226aef464a81c9ec2d3bc89530248fd19cf4b
SHA512 b163479746e945c873f0e064a79715383d9ef525466824a39fce6edd808b99ea5bed51376d916c0e781317370370cbca8cede8b664665647c1159358fff84b8a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bikw3nuw.gmv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
