Malware Analysis Report

2024-10-19 07:05

Sample ID 240805-wstmjaxfjb
Target 0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3
SHA256 0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3
Tags
nanocore discovery execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3

Threat Level: Known bad

The file 0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3 was found to be: Known bad.

Malicious Activity Summary

nanocore discovery execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-05 18:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 18:11

Reported

2024-08-05 18:14

Platform

win7-20240705-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Subsystem = "C:\\Program Files (x86)\\AGP Subsystem\\agpss.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2372 set thread context of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AGP Subsystem\agpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\AGP Subsystem\agpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2372 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2372 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2372 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\schtasks.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2372 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2476 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe

"C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mzHFviYTm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mzHFviYTm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1BAB.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1D7F.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1DCE.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 december2n.duckdns.org udp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65140 december2n.duckdns.org tcp
US 192.169.69.26:65140 december2n.duckdns.org tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 94.156.65.159:65140 december2nd.ddns.net tcp
NL 94.156.65.159:65140 december2nd.ddns.net tcp
NL 94.156.65.159:65140 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65140 december2n.duckdns.org tcp
US 192.169.69.26:65140 december2n.duckdns.org tcp
US 192.169.69.26:65140 december2n.duckdns.org tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 94.156.65.159:65140 december2nd.ddns.net tcp
NL 94.156.65.159:65140 december2nd.ddns.net tcp
NL 94.156.65.159:65140 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp1BAB.tmp

MD5 dfa09ddcfd1937a6af01dd0a99f1b2b7
SHA1 cf5af2524c4af1cbd40744c5dce520dc0b5d1340
SHA256 24df013ee91967e64a038166c0cc155f8731b4dbe22538fad19831ed887009a1
SHA512 6841306787671d4916ed49173801dca20de13c54c28451b7642983f29bc88d366fd7af7db01f01219614b769aed0bf3bd416aeee2234c0eea447812b74d0289f

C:\Users\Admin\AppData\Local\Temp\tmp1D7F.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp1DCE.tmp

MD5 8aefdc623880016d77594b1802f74db6
SHA1 17608aaab6106247dec66a472516d023272c9b9b
SHA256 ccd9d374a356e8635fe06015e07c986fb0e6f71099234ddc2935a6cb5e1571ac
SHA512 bde73cc8244dcb054ff68b86df14ae644b0816aac8524e746e9bf0e68406c6d7e8ee6a0c642b11a9b197319b023c43fcbdc5eafe9c32e4011ad8065cea0b1eb5

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 18:11

Reported

2024-08-05 18:14

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3936 set thread context of 2576 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3936 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3936 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3936 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2576 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2576 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2576 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2576 wrote to memory of 1192 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2576 wrote to memory of 1192 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2576 wrote to memory of 1192 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe

"C:\Users\Admin\AppData\Local\Temp\0211ec291040f1e5ada7c762b20df963381cae88923e3f103d588a382d3a19f3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mzHFviYTm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mzHFviYTm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDD8F.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDDBE.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 december2n.duckdns.org udp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65140 december2n.duckdns.org tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 192.169.69.26:65140 december2n.duckdns.org tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 94.156.65.159:65140 december2nd.ddns.net tcp
NL 94.156.65.159:65140 december2nd.ddns.net tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
NL 94.156.65.159:65140 december2nd.ddns.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 192.169.69.26:65140 december2n.duckdns.org tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65140 december2n.duckdns.org tcp
US 192.169.69.26:65140 december2n.duckdns.org tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 94.156.65.159:65140 december2nd.ddns.net tcp
NL 94.156.65.159:65140 december2nd.ddns.net tcp
NL 94.156.65.159:65140 december2nd.ddns.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp

MD5 7981eebe755ccc342576981272e781a6
SHA1 7f8ac0e50a7bd2fb923b85944aff8df941973e54
SHA256 665d2204f88763f169136196875e2ca72039416460b61c330863a938db0090e8
SHA512 eb0dbe1b45d84ec140b62a13117df1379b61f94004bc2da17b000d322c29cf7493b5de57f601d583b9a742c3f7d3cbd12fffbf0360cba142237c08099947a2e0

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dpfxg4q4.434.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmpDD8F.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmpDDBE.tmp

MD5 5fea24e883e06e4df6d240dc72abf2c5
SHA1 d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256 e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA512 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924
