Malware Analysis Report

2024-10-24 17:07

Sample ID 240412-csl3xacd75
Target b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602
SHA256 b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602
Tags
orcus ligeon rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602

Threat Level: Known bad

The file b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602 was found to be: Known bad.

Malicious Activity Summary

orcus ligeon rat spyware stealer

Orcus

Orcus RAT Executable

Deletes itself

Checks computer location settings

Executes dropped EXE

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-12 02:20

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 02:20

Reported

2024-04-12 02:22

Platform

win7-20240221-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe"

Signatures

Orcus

Tags: rat spyware stealer orcus

Orcus RAT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 1704 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1924 wrote to memory of 2692 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 2572 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2636 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2868 wrote to memory of 2908 (4 writes) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2908 wrote to memory of 1868 (9 writes) N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2908 wrote to memory of 2744 (4 writes) N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 2868 wrote to memory of 3012 (4 writes) N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 3012 wrote to memory of 560 (9 writes) N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3012 wrote to memory of 2804 (4 writes) N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe

The count in parentheses is the number of WriteProcessMemory events the sandbox recorded for that writer/target pair.

Processes

C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe

"C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe & exit

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -t 0

C:\Windows\system32\taskeng.exe

taskeng.exe {31579939-7B68-410E-8D52-D31AF114E430} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
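The command lines above show three behaviours worth detecting independently of this sample's hashes: a scheduled task (/tn sfc, /sc minute /mo 1, /F to overwrite any existing task) that relaunches the dropped loader from %APPDATA%\coredpussvr, a cmd.exe /k ping ... & del chain that removes the original executable after a ping-induced delay, and RegSvcs.exe started with no arguments by a process in a user-writable path that then writes into its memory (the WriteProcessMemory and SetThreadContext hits). The Python below is an added example, not part of this report or of the sample; it rebuilds the win7 process tree from events constructed from the tables above and flags those three patterns. PIDs, images and command lines come from the report; the parent PIDs of the first process and of taskeng.exe, the shortened taskeng command line and the watch-list of .NET host binaries are assumptions.

```python
"""Process-tree triage for the behaviours the sandbox report lists.

Added example; it is not part of the sandbox report or of the sample.
EVENTS/WRITES are constructed from the win7 run's Processes and
WriteProcessMemory tables (the parent PIDs 1000 and 4 and the shortened
taskeng command line are assumptions). Field names mimic Sysmon event
IDs 1 and 10, but no real log is read.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe")
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SETSPN = r"C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TASK_CMD = f'"{SCHTASKS}" /create /tn sfc /tr "{SETSPN}" /sc minute /mo 1 /F'

EVENTS = [  # constructed from the report's process list
    ProcEvent(1924, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1704, 1924, REGSVCS, f'"{REGSVCS}"'),
    ProcEvent(2692, 1924, SCHTASKS, TASK_CMD),
    ProcEvent(2572, 1924, CMD,
              f'"C:\\Windows\\system32\\cmd.exe" /k ping 127.0.0.1 -t 0 & del {SAMPLE} & exit'),
    ProcEvent(2636, 2572, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -t 0"),
    ProcEvent(2868, 4, r"C:\Windows\system32\taskeng.exe", "taskeng.exe"),
    ProcEvent(2908, 2868, SETSPN, SETSPN),
    ProcEvent(1868, 2908, REGSVCS, f'"{REGSVCS}"'),
    ProcEvent(2744, 2908, SCHTASKS, TASK_CMD),
]
# (writer PID, target PID): one entry per distinct pair in the report's table
WRITES = {(1924, 1704), (1924, 2692), (1924, 2572), (2572, 2636),
          (2868, 2908), (2908, 1868), (2908, 2744)}

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
SELF_DELETE = re.compile(r"\bping\b[^&]*&\s*del\s+(\S+)", re.I)
TASK_CREATE = re.compile(
    r'/create\b.*?/tn\s+(\S+).*?/tr\s+"?([^"]+?)"?\s+/sc\s+(\w+)(?:\s+/mo\s+(\d+))?', re.I)
# .NET Framework utilities commonly abused as hollowing hosts (assumed watch-list)
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(events, writes):
    """Return (rule, pid, detail) findings for the three behaviours in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        if name == "schtasks.exe":
            m = TASK_CREATE.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(2)):
                tn, tr, sc, mo = m.groups()
                findings.append(("T1053.005 scheduled task pointing into a user-writable path",
                                 e.pid, f"task {tn} runs {tr} every {mo or 1} {sc}"))
        elif name == "cmd.exe":
            m = SELF_DELETE.search(e.cmdline)
            if m:
                target = m.group(1)
                victim = "parent" if parent and parent.image.lower() == target.lower() else "file"
                findings.append(("T1070.004 delete after ping delay", e.pid,
                                 f"deletes {victim} {target}"))
        elif name in DOTNET_HOSTS:
            # A .NET host launched with no arguments does nothing useful on its own;
            # a user-writable parent writing into it is the hollowing pattern.
            no_args = e.cmdline.strip().strip('"').lower() == e.image.lower()
            if (no_args and parent and USER_WRITABLE.search(parent.image)
                    and (e.ppid, e.pid) in writes):
                findings.append(("T1055.012 likely hollowing of a .NET utility", e.pid,
                                 f"{basename(parent.image)} started {name} with no arguments "
                                 "and wrote into its memory"))
    return findings


def process_tree(events):
    """Indented parent/child rendering; roots are events whose parent was not observed."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    lines = []

    def walk(e, depth):
        lines.append("  " * depth + f"{e.pid} {basename(e.image)}")
        for child in sorted(children.get(e.pid, []), key=lambda c: c.pid):
            walk(child, depth + 1)

    for root in sorted((e for e in events if e.ppid not in by_pid), key=lambda e: e.pid):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(process_tree(EVENTS))
    for rule, pid, detail in triage(EVENTS, WRITES):
        print(f"[{pid}] {rule}: {detail}")
```

In this run the sandbox records nine writes into each RegSvcs.exe instance against four into the children that execute real command lines, but it gives no write sizes or offsets, so the hollowing rule keys on the combination of a no-argument .NET host, a user-writable parent and any write into the child rather than on write counts. The task rule fires on both schtasks.exe instances because the dropped loader re-registers the same task each minute it runs.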

Network

Country Destination Domain Proto
US 8.8.8.8:53 ligeon.ddns.net udp

Files

memory/1924-0-0x0000000001390000-0x000000000163A000-memory.dmp

memory/1924-1-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

memory/1704-2-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/1704-3-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/1704-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1704-9-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/1704-10-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/1704-13-0x0000000000A80000-0x0000000000A8E000-memory.dmp

memory/1704-15-0x0000000000B30000-0x0000000000B70000-memory.dmp

memory/1704-14-0x0000000074370000-0x0000000074A5E000-memory.dmp

memory/1704-16-0x0000000000AD0000-0x0000000000B2C000-memory.dmp

memory/1704-17-0x0000000000C50000-0x0000000000C62000-memory.dmp

memory/1704-18-0x0000000000C70000-0x0000000000C78000-memory.dmp

memory/1704-19-0x0000000000C80000-0x0000000000C98000-memory.dmp

memory/1704-20-0x0000000004220000-0x0000000004230000-memory.dmp

memory/1704-21-0x0000000074370000-0x0000000074A5E000-memory.dmp

memory/1704-22-0x0000000000B30000-0x0000000000B70000-memory.dmp

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

MD5 8afceb4ebed2eb7746d2abdbb25c48a7
SHA1 e4a038943074c85a7abc38f859c574aa491edaf4
SHA256 86f12f0ab95f023757640b57d29ac34bbfe299c3f1e7d27278592e6c9568d68a
SHA512 cef169aebe7e96ebbf84f40c90b8be0dcc15f5f2c91379bed5b81d556cd98a67f55716a3b2a8d22bb46376be67b357ef962f2dc00882cb9c99717efbfb810430

memory/2908-25-0x0000000001190000-0x000000000143A000-memory.dmp

memory/1868-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1868-35-0x0000000074370000-0x0000000074A5E000-memory.dmp

memory/1868-36-0x0000000074370000-0x0000000074A5E000-memory.dmp

memory/3012-38-0x0000000001190000-0x000000000143A000-memory.dmp

memory/560-48-0x0000000074370000-0x0000000074A5E000-memory.dmp

memory/560-49-0x0000000004A60000-0x0000000004AA0000-memory.dmp

memory/560-50-0x0000000074370000-0x0000000074A5E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-12 02:20

Reported

2024-04-12 02:22

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe"

Signatures

Orcus

Tags: rat spyware stealer orcus

Orcus RAT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 4992 (5 writes) N/A C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2092 wrote to memory of 440 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe C:\Windows\SysWOW64\schtasks.exe
PID 2092 wrote to memory of 4436 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 2240 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2076 wrote to memory of 4276 (5 writes) N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2076 wrote to memory of 4572 (3 writes) N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 3552 wrote to memory of 2928 (5 writes) N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3552 wrote to memory of 60 (3 writes) N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe

The count in parentheses is the number of WriteProcessMemory events the sandbox recorded for that writer/target pair.

Processes

C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe

"C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\b7bcab6254e350d3e6726f221ef90abe3a909ba4cd0ad17cbfc11a0e651e5602.exe & exit

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -t 0

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
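All 24 rows above are UDP queries to 8.8.8.8. Nine are reverse (PTR) lookups of the in-addr.arpa form, which this table alone does not attribute to the sample; the remaining 15 are repeated forward lookups of ligeon.ddns.net, a name under No-IP's free ddns.net zone that matches the report's ligeon tag and is the only forward-resolved name in either run. The Python below is an added example, not part of this report or of the sample: it parses a copy of the table, separates PTR noise from forward lookups, tags dynamic-DNS zones and emits a Suricata DNS rule per forward name. The table copy, the dynamic-DNS suffix list and the rule template are constructed or assumed for illustration.

```python
"""DNS triage of the sandbox Network table.

Added example; not part of the report or of the sample. NETWORK_TABLE is
a constructed copy of the win10 run's Network rows; DYNDNS_SUFFIXES and
the Suricata rule template are assumptions used for illustration.
"""
from collections import Counter

NETWORK_TABLE = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
"""

# Free dynamic-DNS zones frequently used for RAT C2 (assumed, non-exhaustive)
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org", "duckdns.org")


def parse_rows(table):
    """Rows of 'Country Destination Domain Proto'; header and blank lines are skipped."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, qname, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "resolver": host, "port": int(port),
                     "qname": qname.lower(), "proto": proto})
    return rows


def ptr_target(qname):
    """IPv4 address behind a reverse-lookup name (d.c.b.a.in-addr.arpa), else None."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def dyndns_zone(qname):
    return next((s for s in DYNDNS_SUFFIXES if qname == s or qname.endswith("." + s)), None)


def triage_dns(table):
    rows = parse_rows(table)
    forward = Counter(r["qname"] for r in rows if ptr_target(r["qname"]) is None)
    reverse = sorted({ptr_target(r["qname"]) for r in rows} - {None})
    iocs = [{"qname": q, "lookups": n, "dynamic_dns": dyndns_zone(q)}
            for q, n in forward.most_common()]
    return {"iocs": iocs, "reverse_lookups": reverse,
            "resolvers": sorted({r["resolver"] for r in rows})}


def suricata_rules(result, sid_base=9000001):
    """One DNS-query alert per forward-looked-up name (substring match on the query)."""
    return [
        f'alert dns any any -> any any (msg:"Orcus RAT C2 lookup {ioc["qname"]}"; '
        f'dns.query; content:"{ioc["qname"]}"; nocase; classtype:trojan-activity; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, ioc in enumerate(result["iocs"])
    ]


if __name__ == "__main__":
    result = triage_dns(NETWORK_TABLE)
    for ioc in result["iocs"]:
        print(ioc)
    print("PTR noise:", result["reverse_lookups"])
    print("\n".join(suricata_rules(result)))
```

The table carries no answers or timestamps, so the example reports lookup counts only; whether the 15 repeats are a beacon interval or retries after a failed resolution cannot be read from this page. Block the name at the resolver as well as alerting on it: the scheduled task restarts the loader every minute, so the lookups resume after every cleanup that misses the task.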

Files

memory/2092-0-0x0000000000AB0000-0x0000000000D5A000-memory.dmp

memory/2092-1-0x00000000027D0000-0x00000000027D1000-memory.dmp

memory/4992-2-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/4992-7-0x0000000073950000-0x0000000074100000-memory.dmp

memory/4992-9-0x0000000002E20000-0x0000000002E2E000-memory.dmp

memory/4992-8-0x00000000056F0000-0x0000000005700000-memory.dmp

memory/4992-10-0x0000000005420000-0x000000000547C000-memory.dmp

memory/4992-13-0x0000000005CB0000-0x0000000006254000-memory.dmp

memory/4992-14-0x00000000055C0000-0x0000000005652000-memory.dmp

memory/4992-15-0x00000000056A0000-0x00000000056B2000-memory.dmp

memory/4992-16-0x00000000056B0000-0x00000000056B8000-memory.dmp

memory/4992-17-0x00000000056D0000-0x00000000056E8000-memory.dmp

memory/4992-18-0x0000000006430000-0x00000000065F2000-memory.dmp

memory/4992-19-0x0000000005C80000-0x0000000005C90000-memory.dmp

memory/4992-20-0x0000000006740000-0x000000000674A000-memory.dmp

memory/4992-21-0x0000000073950000-0x0000000074100000-memory.dmp

memory/4992-22-0x00000000056F0000-0x0000000005700000-memory.dmp

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

MD5 8afceb4ebed2eb7746d2abdbb25c48a7
SHA1 e4a038943074c85a7abc38f859c574aa491edaf4
SHA256 86f12f0ab95f023757640b57d29ac34bbfe299c3f1e7d27278592e6c9568d68a
SHA512 cef169aebe7e96ebbf84f40c90b8be0dcc15f5f2c91379bed5b81d556cd98a67f55716a3b2a8d22bb46376be67b357ef962f2dc00882cb9c99717efbfb810430

memory/2076-24-0x0000000000D60000-0x000000000100A000-memory.dmp

memory/4276-26-0x0000000000900000-0x00000000009EA000-memory.dmp

memory/4276-32-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/4276-31-0x0000000073950000-0x0000000074100000-memory.dmp

memory/4276-34-0x0000000073950000-0x0000000074100000-memory.dmp

memory/3552-36-0x0000000000D60000-0x000000000100A000-memory.dmp

memory/2928-37-0x0000000000570000-0x000000000065A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

MD5 0672db2ef13237d5cb85075ff4915942
SHA1 ad8b4d3eb5e40791c47d48b22e273486f25f663f
SHA256 0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519
SHA512 84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

memory/2928-43-0x0000000073950000-0x0000000074100000-memory.dmp

memory/2928-44-0x0000000004D90000-0x0000000004DA0000-memory.dmp

memory/2928-45-0x0000000073950000-0x0000000074100000-memory.dmp
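The dump names in both Files sections encode PID, dump index and the region's start and end address, so region sizes can be compared across the two detonations. The Python below is an added example, not part of this report: it parses a copy of those names, maps each PID to the process the report attributes it to, and lists region sizes that recur in more than one run. Reading the one RegSvcs.exe region whose size (0xEA000) is identical on win7 and win10 while the runtime's module mappings differ (0x6EE000 on win7, 0x7B0000 on win10) as the injected payload image, and the recurring 0x2AA000 region as the AutoIT loader (original and dropped setspn.exe alike), is an analyst inference rather than something the report states.

```python
"""Cross-run comparison of the memory regions the sandbox dumped.

Added example; not part of the report or of the sample. DUMPS is a
constructed excerpt of the dump names in the Files sections of both
runs; PID_IMAGE maps each PID to the process the report attributes it
to. The interpretation of recurring sizes is an analyst inference.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

PID_IMAGE = {
    "win7": {1924: "sample", 1704: "RegSvcs.exe", 2908: "setspn.exe",
             1868: "RegSvcs.exe", 3012: "setspn.exe", 560: "RegSvcs.exe"},
    "win10": {2092: "sample", 4992: "RegSvcs.exe", 2076: "setspn.exe",
              4276: "RegSvcs.exe", 3552: "setspn.exe", 2928: "RegSvcs.exe"},
}
DUMPS = {
    "win7": """\
memory/1924-0-0x0000000001390000-0x000000000163A000-memory.dmp
memory/1704-2-0x0000000000400000-0x00000000004EA000-memory.dmp
memory/1704-14-0x0000000074370000-0x0000000074A5E000-memory.dmp
memory/2908-25-0x0000000001190000-0x000000000143A000-memory.dmp
memory/1868-35-0x0000000074370000-0x0000000074A5E000-memory.dmp
memory/3012-38-0x0000000001190000-0x000000000143A000-memory.dmp
memory/560-48-0x0000000074370000-0x0000000074A5E000-memory.dmp
""",
    "win10": """\
memory/2092-0-0x0000000000AB0000-0x0000000000D5A000-memory.dmp
memory/4992-2-0x0000000000400000-0x00000000004EA000-memory.dmp
memory/4992-7-0x0000000073950000-0x0000000074100000-memory.dmp
memory/2076-24-0x0000000000D60000-0x000000000100A000-memory.dmp
memory/4276-26-0x0000000000900000-0x00000000009EA000-memory.dmp
memory/4276-31-0x0000000073950000-0x0000000074100000-memory.dmp
memory/3552-36-0x0000000000D60000-0x000000000100A000-memory.dmp
memory/2928-37-0x0000000000570000-0x000000000065A000-memory.dmp
memory/2928-43-0x0000000073950000-0x0000000074100000-memory.dmp
""",
}


def parse_dumps(dumps, pid_image):
    """One record per dump name: run, pid, image, index, base and size in bytes."""
    regions = []
    for run, text in dumps.items():
        for m in DUMP_RE.finditer(text):
            pid, idx, lo, hi = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions.append({"run": run, "pid": pid, "index": idx, "base": lo,
                            "size": hi - lo, "image": pid_image[run].get(pid, "unknown")})
    return regions


def sizes_by_image(regions):
    """(image, size) -> set of (run, pid) in which a region of exactly that size was dumped."""
    groups = defaultdict(set)
    for r in regions:
        groups[(r["image"], r["size"])].add((r["run"], r["pid"]))
    return groups


def consistent_regions(regions, image, min_runs=2):
    """Sizes seen for `image` in at least `min_runs` detonations.
    A region that keeps its size across OS versions is not an OS or runtime module."""
    out = []
    for (img, size), where in sizes_by_image(regions).items():
        if img == image and len({run for run, _ in where}) >= min_runs:
            out.append(size)
    return sorted(out)


def summary(regions):
    lines = []
    for image in sorted({r["image"] for r in regions}):
        for size in consistent_regions(regions, image):
            where = sizes_by_image(regions)[(image, size)]
            bases = sorted({hex(r["base"]) for r in regions
                            if r["image"] == image and r["size"] == size})
            lines.append(f"{image}: {size:#x} bytes in {len(where)} processes, "
                         f"bases {', '.join(bases)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(parse_dumps(DUMPS, PID_IMAGE))))
```

On win7 the 0xEA000 region sits at 0x400000 in RegSvcs.exe; on win10 the later instances carry it at 0x900000 and 0x570000. A memory scan keyed on the classic 0x400000 base would therefore miss two of the four instances, while one keyed on a roughly 958 KB region in a small .NET utility, whatever its base, would not.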