Malware Analysis Report

2024-08-06 14:45

Sample ID 240626-c6c26asgpn
Target 5a42e2442b79943419bf0e39ad7be827.bin
SHA256 8802fb63419902bbd4f9679966f483c755f503b2f0a4345b59b1669a9c025a73
Tags
nanocore execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8802fb63419902bbd4f9679966f483c755f503b2f0a4345b59b1669a9c025a73

Threat Level: Known bad

The file 5a42e2442b79943419bf0e39ad7be827.bin was found to be: Known bad.

Malicious Activity Summary

nanocore execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-26 02:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 02:40

Reported

2024-06-26 02:43

Platform

win7-20240220-en

Max time kernel

118s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2932 set thread context of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\TCP Subsystem\tcpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
File opened for modification | C:\Program Files (x86)\TCP Subsystem\tcpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2932 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2932 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2932 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2932 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2932 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2932 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2932 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2932 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2932 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe

"C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zzTmYAoKh.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zzTmYAoKh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp311E.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | newsddawork.3utilities.com | udp
US | 104.243.242.163:1620 | newsddawork.3utilities.com | tcp

Files

memory/2932-0-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

memory/2932-1-0x00000000000F0000-0x000000000018C000-memory.dmp

memory/2932-2-0x0000000074AA0000-0x000000007518E000-memory.dmp

memory/2932-3-0x00000000047B0000-0x0000000004842000-memory.dmp

memory/2932-4-0x0000000000740000-0x0000000000752000-memory.dmp

memory/2932-5-0x00000000007D0000-0x00000000007D8000-memory.dmp

memory/2932-6-0x00000000007E0000-0x00000000007EC000-memory.dmp

memory/2932-7-0x00000000053C0000-0x000000000543A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp311E.tmp

MD5 408af4db7221cf0e486909a3251725f8
SHA1 facf550e8ba10fb34c194811159af470f564dba9
SHA256 b3a7b37e1758b292828bf9889337345fd4bc1b245b623f544c094e8efb485468
SHA512 03e8c890d30ee2fcfac4c7d7f9c347d5147afa6389070f0fa85da789217fcc7ec68fe9efbcf443eb567292fa39d33fe47c6fccac3d7d87260b2690c530857d37

memory/2448-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2448-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2448-25-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2448-27-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2448-24-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2448-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2448-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2448-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2932-28-0x0000000074AA0000-0x000000007518E000-memory.dmp

memory/2448-31-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/2448-32-0x00000000003E0000-0x00000000003FE000-memory.dmp

memory/2448-33-0x0000000000440000-0x000000000044A000-memory.dmp

memory/2448-39-0x0000000000550000-0x0000000000562000-memory.dmp

memory/2448-40-0x0000000000560000-0x000000000056C000-memory.dmp

memory/2448-41-0x0000000000580000-0x000000000058E000-memory.dmp

memory/2448-43-0x0000000000620000-0x0000000000630000-memory.dmp

memory/2448-42-0x0000000000590000-0x00000000005A4000-memory.dmp

memory/2448-38-0x0000000000530000-0x000000000053E000-memory.dmp

memory/2448-37-0x0000000000510000-0x000000000052A000-memory.dmp

memory/2448-36-0x00000000004B0000-0x00000000004C2000-memory.dmp

memory/2448-44-0x0000000000630000-0x0000000000644000-memory.dmp

memory/2448-46-0x0000000000B80000-0x0000000000BAE000-memory.dmp

memory/2448-45-0x0000000000720000-0x000000000072E000-memory.dmp

memory/2448-47-0x0000000000880000-0x0000000000894000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 02:40

Reported

2024-06-26 02:43

Platform

win10v2004-20240611-en

Max time kernel

134s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem = "C:\\Program Files (x86)\\DDP Subsystem\\ddpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1540 set thread context of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DDP Subsystem\ddpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
File opened for modification | C:\Program Files (x86)\DDP Subsystem\ddpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1540 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1540 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1540 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1540 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1540 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1540 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1540 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1540 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1540 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1540 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1540 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe

"C:\Users\Admin\AppData\Local\Temp\b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zzTmYAoKh.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zzTmYAoKh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp470.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | newsddawork.3utilities.com | udp
US | 104.243.242.163:1620 | newsddawork.3utilities.com | tcp
US | 8.8.8.8:53 | 163.242.243.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/1540-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

memory/1540-1-0x0000000000830000-0x00000000008CC000-memory.dmp

memory/1540-2-0x0000000005970000-0x0000000005F14000-memory.dmp

memory/1540-3-0x00000000052F0000-0x0000000005382000-memory.dmp

memory/1540-4-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/1540-5-0x00000000052E0000-0x00000000052EA000-memory.dmp

memory/1540-6-0x0000000005550000-0x00000000055EC000-memory.dmp

memory/1540-7-0x0000000006450000-0x000000000697C000-memory.dmp

memory/1540-8-0x0000000006FF0000-0x0000000007082000-memory.dmp

memory/1540-9-0x00000000056F0000-0x0000000005702000-memory.dmp

memory/1540-10-0x0000000005960000-0x0000000005968000-memory.dmp

memory/1540-11-0x0000000006430000-0x000000000643C000-memory.dmp

memory/1540-12-0x0000000006B90000-0x0000000006C0A000-memory.dmp

memory/4704-17-0x0000000005040000-0x0000000005076000-memory.dmp

memory/4704-20-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4704-19-0x0000000005820000-0x0000000005E48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp470.tmp

MD5 085ca02bb98c3ccf537f9125475f1683
SHA1 4c486dc32e74837c9708ff710ee3b646b5fcf58c
SHA256 302fe1fb61ce332fe558b99295fb51885d2cee8a8c06503c0316d46e5016b882
SHA512 4154e584f7f1d7cfe9d8eb8441531d09137621d6795273e8927223cc83b504b4f5e0139eafda0bcdf58f722ba4457610e605cc47fd0b7772fe9f29dd3a74c2d5

memory/4704-21-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4704-22-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/5036-23-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4704-26-0x0000000005FA0000-0x0000000006006000-memory.dmp

memory/4704-25-0x0000000005EC0000-0x0000000005F26000-memory.dmp

memory/4704-24-0x0000000005720000-0x0000000005742000-memory.dmp

memory/5036-28-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4704-29-0x0000000006010000-0x0000000006364000-memory.dmp

memory/1540-30-0x0000000074D00000-0x00000000754B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0cxclxgw.khd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4704-40-0x00000000065F0000-0x000000000660E000-memory.dmp

memory/4704-41-0x0000000006B70000-0x0000000006BBC000-memory.dmp

memory/5036-44-0x0000000005150000-0x000000000515A000-memory.dmp

memory/5036-45-0x0000000005410000-0x000000000542E000-memory.dmp

memory/5036-46-0x0000000005F20000-0x0000000005F2A000-memory.dmp

memory/4704-47-0x0000000007800000-0x0000000007832000-memory.dmp

memory/4704-48-0x00000000755B0000-0x00000000755FC000-memory.dmp

memory/4704-58-0x0000000006B40000-0x0000000006B5E000-memory.dmp

memory/4704-59-0x0000000007840000-0x00000000078E3000-memory.dmp

memory/4704-61-0x0000000007F70000-0x00000000085EA000-memory.dmp

memory/4704-62-0x0000000007910000-0x000000000792A000-memory.dmp

memory/4704-63-0x00000000079A0000-0x00000000079AA000-memory.dmp

memory/4704-64-0x0000000007BB0000-0x0000000007C46000-memory.dmp

memory/4704-65-0x0000000007B30000-0x0000000007B41000-memory.dmp

memory/4704-66-0x0000000007B60000-0x0000000007B6E000-memory.dmp

memory/4704-67-0x0000000007B70000-0x0000000007B84000-memory.dmp

memory/4704-68-0x0000000007C70000-0x0000000007C8A000-memory.dmp

memory/4704-69-0x0000000007C50000-0x0000000007C58000-memory.dmp

memory/4704-72-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/5036-85-0x0000000006AD0000-0x0000000006AE4000-memory.dmp

memory/5036-84-0x0000000006AA0000-0x0000000006ACE000-memory.dmp

memory/5036-83-0x0000000006A90000-0x0000000006A9E000-memory.dmp

memory/5036-82-0x0000000006A70000-0x0000000006A84000-memory.dmp

memory/5036-81-0x0000000006A50000-0x0000000006A60000-memory.dmp

memory/5036-80-0x0000000006A40000-0x0000000006A54000-memory.dmp

memory/5036-79-0x0000000006A30000-0x0000000006A3E000-memory.dmp

memory/5036-78-0x0000000006A20000-0x0000000006A2C000-memory.dmp

memory/5036-77-0x0000000006A10000-0x0000000006A22000-memory.dmp

memory/5036-76-0x0000000006A00000-0x0000000006A0E000-memory.dmp

memory/5036-75-0x00000000069D0000-0x00000000069EA000-memory.dmp

memory/5036-74-0x00000000069C0000-0x00000000069D2000-memory.dmp

memory/5036-87-0x0000000074D00000-0x00000000754B0000-memory.dmp