Malware Analysis Report

2025-08-10 19:47

Sample ID 221116-hmgtwshe69
Target from-imgML1.EXE1.exe
SHA256 64c51e8596ab37cfd98095e97ed384143354721a5e27dba94ffe877232966572
Tags
nanocore evasion keylogger persistence spyware stealer trojan collection
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64c51e8596ab37cfd98095e97ed384143354721a5e27dba94ffe877232966572

Threat Level: Known bad

The file from-imgML1.EXE1.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan collection

NanoCore

NirSoft MailPassView

Nirsoft

Executes dropped EXE

Loads dropped DLL

Uses the Visual Basic compiler (vbc.exe) for execution

Adds Run key to start application

Checks whether UAC is enabled

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

NSIS installer

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-16 06:51

Signatures

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-16 06:51

Reported

2022-11-16 06:53

Platform

win7-20220812-en

Max time kernel

45s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lgso = "C:\\Users\\Admin\\AppData\\Roaming\\rhrggiixd\\mscnrw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\eyyqrt.exe\"" | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 304 set thread context of 984 | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A
File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1480 wrote to memory of 304 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe
PID 304 wrote to memory of 984 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe
PID 984 wrote to memory of 1484 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | C:\Windows\SysWOW64\schtasks.exe
PID 984 wrote to memory of 2024 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe

"C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe"

C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

"C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"

C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

"C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp501.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6F5.tmp"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | nanomalay23.hopto.org | udp
N/A | 85.208.136.69:6932 | nanomalay23.hopto.org | tcp

Files

memory/1480-54-0x0000000076201000-0x0000000076203000-memory.dmp

\Users\Admin\AppData\Local\Temp\eyyqrt.exe

MD5 559cba07d143656673e152b138c083c4
SHA1 84d7c8d67b191dcc61355150f19431075122df31
SHA256 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512 def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

MD5 559cba07d143656673e152b138c083c4
SHA1 84d7c8d67b191dcc61355150f19431075122df31
SHA256 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512 def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

memory/304-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\djonutjxoko.eu

MD5 dac1eb49b88de22d36af72e81ccced77
SHA1 7a60169c4ac6382c1aceb3b3f3bc3361f8676597
SHA256 fd25495c55c46bf8c6eb3b8acf9aa09f664decb2a3e6694bbf403011e49a2f3b
SHA512 7dd2f0969a25c948c29340992f62c8548eaf470513eed3a6e8f91896f9fac1c978128ec5fd301cf5d5de403271a35527f111a86bdcf5964cb7e042e1f4c52f1f

C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

MD5 559cba07d143656673e152b138c083c4
SHA1 84d7c8d67b191dcc61355150f19431075122df31
SHA256 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512 def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

C:\Users\Admin\AppData\Local\Temp\glhevhy.blm

MD5 3b0e37cc36b6ad56ebc4df099f57d83d
SHA1 b77a8b37a343bfd51868fd6eb9fd3e96ac02f6a6
SHA256 965cd0c1822e538e6d2ec273f8817a3d48c21add51034203fe1b6a6c304bf839
SHA512 5ef8a815e3d7fb7ebaae832d6aa1b8cc1b8bc1392563d1783631b3b74198dc0572e5de971716c74ba6f06545169d0efb70d710d62e4bd02fa960de6d335e4580

\Users\Admin\AppData\Local\Temp\eyyqrt.exe

MD5 559cba07d143656673e152b138c083c4
SHA1 84d7c8d67b191dcc61355150f19431075122df31
SHA256 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512 def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

MD5 559cba07d143656673e152b138c083c4
SHA1 84d7c8d67b191dcc61355150f19431075122df31
SHA256 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512 def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

memory/984-63-0x0000000000401896-mapping.dmp

memory/984-66-0x0000000000370000-0x00000000003A8000-memory.dmp

memory/984-67-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1484-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp501.tmp

MD5 9ee60333aa25733020c9902afb222008
SHA1 98064f5644019e39a7a5230943b248f0d66b05db
SHA256 22c0da1ba1296b531734d24317e03008fbb3eea28ac8c4d8667972e59b9c44ad
SHA512 18ae16776024031ef9539565e3d3654d4131e00bccae18b44c31937d2cf7fd4de629159de69143f8c23667102d9e6e999f7c24f84b2bc11f65a27cd130e8bd97

memory/2024-70-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6F5.tmp

MD5 981e126601526eaa5b0ad45c496c4465
SHA1 d610d6a21a8420cc73fcd3e54ddae75a5897b28b
SHA256 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
SHA512 a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

memory/984-72-0x00000000007D0000-0x00000000007DA000-memory.dmp

memory/984-73-0x00000000007E0000-0x00000000007FE000-memory.dmp

memory/984-74-0x0000000000800000-0x000000000080A000-memory.dmp

memory/984-76-0x0000000001F50000-0x0000000001F6A000-memory.dmp

memory/984-75-0x0000000000870000-0x0000000000882000-memory.dmp

memory/984-77-0x0000000002090000-0x000000000209E000-memory.dmp

memory/984-78-0x00000000020A0000-0x00000000020B2000-memory.dmp

memory/984-79-0x0000000002240000-0x000000000224E000-memory.dmp

memory/984-81-0x0000000002260000-0x0000000002274000-memory.dmp

memory/984-80-0x0000000002250000-0x000000000225C000-memory.dmp

memory/984-82-0x0000000002270000-0x0000000002280000-memory.dmp

memory/984-83-0x0000000004340000-0x0000000004354000-memory.dmp

memory/984-85-0x0000000004510000-0x000000000453E000-memory.dmp

memory/984-84-0x0000000004350000-0x000000000435E000-memory.dmp

memory/984-86-0x00000000044B0000-0x00000000044C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-16 06:51

Reported

2022-11-16 06:53

Platform

win10v2004-20221111-en

Max time kernel

131s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Uses the Visual Basic compiler (vbc.exe) for execution

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lgso = "C:\\Users\\Admin\\AppData\\Roaming\\rhrggiixd\\mscnrw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\eyyqrt.exe\"" | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Monitor = "C:\\Program Files (x86)\\UPNP Monitor\\upnpmon.exe" | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A
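
Both detonations write the same HKCU Run value, lgso, whose data is a command line: a launcher copied to %APPDATA%\rhrggiixd\mscnrw.exe that receives the Temp dropper path as its argument. The HKLM entry under Wow6432Node differs between runs ("NTFS Monitor" on Win7, "UPNP Monitor" on Win10), so the user-profile entry is the indicator to keep. The Python below is an added triage example, not part of the sandbox report or of the sample: it splits Run data with Windows quoting rules (including the unquoted-path-with-spaces case that CreateProcess resolves by prefix), flags the launcher/wrapper pattern seen here, and intersects the two detonations' entries to show which values are hard-coded. The SecurityHealth entry is an assumed benign control, and the user-writable path list is an assumption tuned to this report.

```python
import re
from dataclasses import dataclass, field

# Run values from the two detonations, with the report's escaping (doubled
# backslashes, \" quotes) undone so they read as the registry holds them.
# Triples are (key, value name, value data).
RUN_VALUES_WIN7 = [
    (r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "lgso",
     r'C:\Users\Admin\AppData\Roaming\rhrggiixd\mscnrw.exe "C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"'),
    (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "NTFS Monitor", r"C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe"),
]
RUN_VALUES_WIN10 = [
    (r"HKU\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "lgso",
     r'C:\Users\Admin\AppData\Roaming\rhrggiixd\mscnrw.exe "C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"'),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "UPNP Monitor", r"C:\Program Files (x86)\UPNP Monitor\upnpmon.exe"),
    # Assumed benign control so the heuristics have a negative case.
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_EXE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")
# Locations a standard user can write to; an autostart launcher living there is
# the first thing to question. Assumption: extend this for your environment.
_USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)


def split_cmdline(data: str) -> list[str]:
    """Tokenise with Windows quoting: a "..." token keeps its spaces, anything
    else splits on whitespace. Run data is a plain command line, so this is enough."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(data)]


def parse_run_value(data: str) -> tuple[str, list[str]]:
    """Return (image path, arguments). CreateProcess resolves an unquoted path with
    spaces by trying successively longer prefixes; mimic that so
    'C:\\Program Files (x86)\\X Monitor\\x.exe' comes back whole, not as four tokens."""
    tokens = split_cmdline(data.strip())
    if not tokens:
        return "", []
    image, rest = tokens[0], tokens[1:]
    while rest and not image.lower().endswith(_EXE_EXT):
        image += " " + rest.pop(0)
    return image, rest


@dataclass
class Finding:
    key: str
    name: str
    image: str
    args: list[str]
    reasons: list[str] = field(default_factory=list)


def triage_run_value(key: str, name: str, data: str) -> Finding:
    image, args = parse_run_value(data)
    f = Finding(key, name, image, args)
    if _USER_WRITABLE.search(image):
        f.reasons.append("launcher lives in a user-writable directory")
    for a in args:
        if a.lower().endswith(_EXE_EXT):
            f.reasons.append("argument is itself an executable (launcher/wrapper pattern)")
            if _USER_WRITABLE.search(a):
                f.reasons.append("wrapped executable lives in a user-writable directory")
    if " " in image and not data.lstrip().startswith('"'):
        f.reasons.append("unquoted image path containing spaces (CreateProcess tries C:\\Program.exe first)")
    return f


def normalize_profile(path: str) -> str:
    """Replace the user name in \\Users\\<name>\\ so entries compare across machines."""
    return re.sub(r"\\Users\\[^\\]+\\", lambda m: "\\Users\\*\\", path, flags=re.I)


def stable_across_runs(*runs: list[tuple[str, str, str]]) -> set[tuple[str, str]]:
    """(value name, normalised image) pairs present in every detonation. These are
    baked into the sample and make dependable indicators; names that change between
    runs (here 'NTFS Monitor' vs 'UPNP Monitor') were chosen at run time."""
    sets = [{(name, normalize_profile(parse_run_value(data)[0])) for _, name, data in run}
            for run in runs]
    return set.intersection(*sets)


if __name__ == "__main__":
    for key, name, data in RUN_VALUES_WIN10:
        f = triage_run_value(key, name, data)
        print(f"{name!r:18} {f.image}\n    args={f.args}\n    reasons={f.reasons}")
    print("stable:", stable_across_runs(RUN_VALUES_WIN7, RUN_VALUES_WIN10))
```

Feed it the output of an autoruns export or `reg query ... /s` after a suspected infection; the entries that survive the intersection across several hosts or sandbox runs are the ones worth writing a detection on.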

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\UPNP Monitor\upnpmon.exe | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A
File opened for modification | C:\Program Files (x86)\UPNP Monitor\upnpmon.exe | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3352 wrote to memory of 1392 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe
PID 1392 wrote to memory of 2532 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe
PID 2532 wrote to memory of 4216 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2532 wrote to memory of 208 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2532 wrote to memory of 3140 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 920 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 4620 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
PID 2532 wrote to memory of 4912 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe | \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe

"C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe"

C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

"C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"

C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

"C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UPNP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp88CC.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UPNP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8A25.tmp"

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe

"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\eteu2r1v.yu1"

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe

"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\eteu2r1v.yu1"

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe

"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\dju0gs15.i14"

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe

"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\dju0gs15.i14"
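
Read together with the WriteProcessMemory and SetThreadContext tables, the process list above describes one chain: the NSIS dropper starts eyyqrt.exe, which starts a second copy of itself and writes into it before it runs (1392 -> 2532 here; 304 -> 984 in behavioral1, where the thread-context change is recorded), and that second copy then spawns schtasks.exe twice and vbc.exe four times, writing into each. vbc.exe is the Visual Basic compiler, but /shtml <file> is not a compiler switch; it is the NirSoft report-output switch, and the two output files (eteu2r1v.yu1, dju0gs15.i14) appear in the Files list below. The first task definition has identical hashes in both runs (tmp501.tmp on Win7, tmp88CC.tmp here), so its content is independent of the run-specific "Monitor" name. The Python below is an added detection example, not from the report or the sandbox: it replays these events as Sysmon-style process-creation records and applies four rules. PIDs and parent/child pairs are taken from the memory-write table; the pairing of individual vbc.exe PIDs with the two output file names, the parent PID of the dropper, and the benign MSBuild-style compile used as a negative control are assumptions.

```python
import re

# Constructed process-creation records modelled on Sysmon Event ID 1 fields,
# rebuilt from behavioral2. PIDs and parent/child pairs follow the
# WriteProcessMemory table (the writer created the child suspended); command
# lines come from the Processes list. Assumptions: the dropper's parent
# (PID 1000), which vbc.exe PID received which output file, and the benign
# MSBuild-style compile (PID 5000) used as a negative control.
EVENTS = [
    dict(pid=3352, ppid=1000, image=r"C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe"'),
    dict(pid=1392, ppid=3352, image=r"C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"'),
    dict(pid=2532, ppid=1392, image=r"C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"'),
    dict(pid=4216, ppid=2532, image=r"C:\Windows\SysWOW64\schtasks.exe",
         cmdline=r'"schtasks.exe" /create /f /tn "UPNP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp88CC.tmp"'),
    dict(pid=208, ppid=2532, image=r"C:\Windows\SysWOW64\schtasks.exe",
         cmdline=r'"schtasks.exe" /create /f /tn "UPNP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8A25.tmp"'),
]
VBC = r"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe"
for _pid, _out in ((3140, "eteu2r1v.yu1"), (920, "eteu2r1v.yu1"), (4620, "dju0gs15.i14"), (4912, "dju0gs15.i14")):
    EVENTS.append(dict(pid=_pid, ppid=2532, image=VBC,
                       cmdline=f'"{VBC}" /shtml "C:\\Users\\Admin\\AppData\\Local\\Temp\\{_out}"'))
EVENTS.append(dict(pid=5000, ppid=4990, image=VBC,
                   cmdline=f'"{VBC}" /noconfig /out:App.exe Module1.vb'))

# (source PID, target PID) pairs from the WriteProcessMemory table, de-duplicated.
MEMORY_WRITES = {(3352, 1392), (1392, 2532), (2532, 4216), (2532, 208),
                 (2532, 3140), (2532, 920), (2532, 4620), (2532, 4912)}

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)
# NirSoft command-line tools write their report with /stext, /shtml, /sverhtml,
# /sxml, /scomma or /stab; none of these is a .NET compiler switch.
NIRSOFT_REPORT_SWITCH = re.compile(r"\s/s(?:text|html|verhtml|xml|comma|tab)\b", re.I)
DOTNET_COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict], writes: set[tuple[int, int]]) -> list[tuple[str, int]]:
    """Apply four rules to process-creation records; return (rule, pid) pairs."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img, cmd = basename(e["image"]), e["cmdline"]
        written_by_parent = (e["ppid"], e["pid"]) in writes
        # 1. schtasks /create fed a task definition from a user-writable location.
        if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            m = re.search(r'/xml\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
            if m and USER_WRITABLE.search(m.group(1) or m.group(2)):
                alerts.append(("schtasks_create_from_xml_in_user_dir", e["pid"]))
        # 2. A .NET compiler image whose arguments are NirSoft report switches:
        #    the image is a signed host, the code inside it is not the compiler.
        if img in DOTNET_COMPILERS and NIRSOFT_REPORT_SWITCH.search(cmd):
            alerts.append(("compiler_image_with_nirsoft_switches", e["pid"]))
        # 3. Same image as its parent, in a user-writable directory, and written
        #    into by that parent: the self-injection step (304 -> 984 in
        #    behavioral1 also carries the SetThreadContext event).
        if parent and basename(parent["image"]) == img and USER_WRITABLE.search(e["image"]) and written_by_parent:
            alerts.append(("self_spawn_with_memory_write", e["pid"]))
        # 4. An OS binary spawned by a user-writable parent that wrote into it:
        #    a legitimate host being filled with someone else's code.
        if parent and USER_WRITABLE.search(parent["image"]) and not USER_WRITABLE.search(e["image"]) and written_by_parent:
            alerts.append(("os_binary_written_by_user_dir_parent", e["pid"]))
    return alerts


def render_tree(events: list[dict]) -> list[str]:
    """Indented process tree, roots first (roots are records whose parent is absent)."""
    by_pid = {e["pid"]: e for e in events}
    children: dict[int, list[dict]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    lines: list[str] = []

    def walk(e: dict, depth: int) -> None:
        lines.append(f"{'  ' * depth}{e['pid']} {basename(e['image'])}  {e['cmdline']}")
        for c in children.get(e["pid"], []):
            walk(c, depth + 1)

    for e in events:
        if e["ppid"] not in by_pid:
            walk(e, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for rule, pid in detect(EVENTS, MEMORY_WRITES):
        print(f"ALERT {rule:40} pid={pid}")
```

Rule 2 is the cheapest to deploy on real telemetry because it needs only the command line; rules 3 and 4 need the memory-write (Sysmon Event ID 8/10 style) pairing and are what separate this from an ordinary parent-child anomaly.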

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | nanomalay23.hopto.org | udp
N/A | 85.208.136.69:6932 | nanomalay23.hopto.org | tcp
N/A | 93.184.220.29:80 | N/A | tcp
N/A | 104.80.225.205:443 | N/A | tcp
N/A | 93.184.221.240:80 | N/A | tcp
N/A | 93.184.221.240:80 | N/A | tcp
N/A | 93.184.221.240:80 | N/A | tcp
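
Across both runs the only resolved destination is nanomalay23.hopto.org (looked up via 8.8.8.8) connecting to 85.208.136.69 on TCP 6932; hopto.org is a No-IP dynamic-DNS zone, so the hostname rather than the address is the durable indicator. The Win10 run adds a few port 80/443 connections with no recorded domain, which the sandbox does not attribute; compare them against a clean-run baseline before treating them as indicators. The Python below is an added example, not part of the report: it parses the two flattened Network tables as extracted (rows without a domain carry only three fields), classifies each connection, and emits a de-duplicated indicator set. The dynamic-DNS zone list is a small assumed starting set.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The two Network tables from this report, concatenated as extracted.
# Rows with no resolved name have only three fields.
NETWORK_TABLES = """\
Country Destination Domain Proto
N/A 8.8.8.8:53 nanomalay23.hopto.org udp
N/A 85.208.136.69:6932 nanomalay23.hopto.org tcp
Country Destination Domain Proto
N/A 8.8.8.8:53 nanomalay23.hopto.org udp
N/A 85.208.136.69:6932 nanomalay23.hopto.org tcp
N/A 93.184.220.29:80 tcp
N/A 104.80.225.205:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
"""

# Assumed starting set of dynamic-DNS zones; hopto.org is one of No-IP's free
# zones. Feed this from threat intel in practice.
DYNAMIC_DNS_ZONES = {"hopto.org", "no-ip.org", "no-ip.biz", "ddns.net", "zapto.org", "myftp.biz"}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_network_table(text: str) -> list[Conn]:
    """Parse the flattened 'Country Destination Domain Proto' rows; the Domain
    column is simply missing when the sandbox saw no name for the address."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Country":
            continue
        if len(fields) == 4:
            _, dest, domain, proto = fields
        elif len(fields) == 3:
            (_, dest, proto), domain = fields, None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(ip, int(port), domain, proto.lower()))
    return conns


def ddns_parent(domain: str) -> Optional[str]:
    d = domain.lower().rstrip(".")
    for zone in DYNAMIC_DNS_ZONES:
        if d == zone or d.endswith("." + zone):
            return zone
    return None


def classify(c: Conn) -> str:
    if c.proto == "udp" and c.port == 53:
        return "dns-query"        # domain = name looked up, ip = resolver, not a destination
    if c.domain is None:
        return "unattributed"     # no name seen; baseline it before calling it an IOC
    if c.port not in WEB_PORTS or ddns_parent(c.domain):
        return "c2-candidate"     # resolved name on an odd port and/or under dynamic DNS
    return "resolved-web"


def extract_iocs(conns: list[Conn]) -> dict:
    """De-duplicate into an indicator set, keeping hit counts per socket."""
    iocs = {"domains": set(), "c2_sockets": set(), "unattributed_ips": set(),
            "dynamic_dns_zones": set(), "hits": Counter()}
    for c in conns:
        iocs["hits"][f"{c.ip}:{c.port}/{c.proto}"] += 1
        kind = classify(c)
        if c.domain:
            iocs["domains"].add(c.domain.lower())
            zone = ddns_parent(c.domain)
            if zone:
                iocs["dynamic_dns_zones"].add(zone)
        if kind == "c2-candidate":
            iocs["c2_sockets"].add(f"{c.ip}:{c.port}")
        elif kind == "unattributed":
            iocs["unattributed_ips"].add(c.ip)
    return iocs


if __name__ == "__main__":
    conns = parse_network_table(NETWORK_TABLES)
    for c in conns:
        print(f"{classify(c):14} {c.proto} {c.ip}:{c.port} {c.domain or ''}")
    print(extract_iocs(conns))
```

Block the domain and the socket, but alert on the DNS name: a dynamic-DNS operator can repoint nanomalay23.hopto.org to a new address without touching the sample.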

Files

C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

MD5 559cba07d143656673e152b138c083c4
SHA1 84d7c8d67b191dcc61355150f19431075122df31
SHA256 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512 def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

memory/1392-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

MD5 559cba07d143656673e152b138c083c4
SHA1 84d7c8d67b191dcc61355150f19431075122df31
SHA256 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512 def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

C:\Users\Admin\AppData\Local\Temp\djonutjxoko.eu

MD5 dac1eb49b88de22d36af72e81ccced77
SHA1 7a60169c4ac6382c1aceb3b3f3bc3361f8676597
SHA256 fd25495c55c46bf8c6eb3b8acf9aa09f664decb2a3e6694bbf403011e49a2f3b
SHA512 7dd2f0969a25c948c29340992f62c8548eaf470513eed3a6e8f91896f9fac1c978128ec5fd301cf5d5de403271a35527f111a86bdcf5964cb7e042e1f4c52f1f

C:\Users\Admin\AppData\Local\Temp\glhevhy.blm

MD5 3b0e37cc36b6ad56ebc4df099f57d83d
SHA1 b77a8b37a343bfd51868fd6eb9fd3e96ac02f6a6
SHA256 965cd0c1822e538e6d2ec273f8817a3d48c21add51034203fe1b6a6c304bf839
SHA512 5ef8a815e3d7fb7ebaae832d6aa1b8cc1b8bc1392563d1783631b3b74198dc0572e5de971716c74ba6f06545169d0efb70d710d62e4bd02fa960de6d335e4580

memory/2532-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe

MD5 559cba07d143656673e152b138c083c4
SHA1 84d7c8d67b191dcc61355150f19431075122df31
SHA256 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512 def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

memory/2532-139-0x00000000057B0000-0x0000000005D54000-memory.dmp

memory/2532-140-0x0000000005200000-0x0000000005292000-memory.dmp

memory/2532-141-0x0000000005340000-0x00000000053DC000-memory.dmp

memory/2532-142-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2532-143-0x00000000052A0000-0x00000000052AA000-memory.dmp

memory/4216-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp88CC.tmp

MD5 9ee60333aa25733020c9902afb222008
SHA1 98064f5644019e39a7a5230943b248f0d66b05db
SHA256 22c0da1ba1296b531734d24317e03008fbb3eea28ac8c4d8667972e59b9c44ad
SHA512 18ae16776024031ef9539565e3d3654d4131e00bccae18b44c31937d2cf7fd4de629159de69143f8c23667102d9e6e999f7c24f84b2bc11f65a27cd130e8bd97

memory/208-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8A25.tmp

MD5 c9a4c783d2e18eea86e071de92f36f02
SHA1 4cb02db05386ccb70a23fa89dbadfddfc8f7b6af
SHA256 21d669a674eb23538f38f6822429d797e69e0685d18c0e6e03ec6801098b240a
SHA512 b6d5198d9ca83687fcc491c02ad8b417e02dff0150b514c3d39d13b8de9ffba6f3779ee7bb6350b087474fb6e0d1bd10b8fdd5c8f48a46c9cfd183d9045b80ef

memory/2532-148-0x0000000006C30000-0x0000000006C96000-memory.dmp

memory/3140-149-0x0000000000000000-mapping.dmp

memory/920-150-0x0000000000000000-mapping.dmp

memory/920-151-0x0000000000400000-0x000000000041B000-memory.dmp

memory/920-153-0x0000000000400000-0x000000000041B000-memory.dmp

memory/920-154-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eteu2r1v.yu1

MD5 69b2a2e17e78d24abee9f1de2f04811a
SHA1 d19c109704e83876ab3527457f9418a7d053aa33
SHA256 1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd
SHA512 eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

memory/4620-156-0x0000000000000000-mapping.dmp

memory/4912-157-0x0000000000000000-mapping.dmp

memory/4912-158-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4912-160-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4912-161-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dju0gs15.i14

MD5 02524418240369b25b988e9884cd1c54
SHA1 42a33322d952edf6d8431d4cd788bbc863d2b890
SHA256 80b2a0874c2f734dfe1196d7ae2a7bc6ccb30df2d9281513ac33edc529a71a37
SHA512 7c5bbe911f7f0b072d6fdb89ea5759655c2b5cf9ebfddff8f2f67f956141b8ed3697ab0504f60c3992849afbbc79434043a6c04d7cf6ddd958e23354fd3a698f