Malware Analysis Report

2024-08-06 15:22

Sample ID 240518-w3v84she46
Target 09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5
SHA256 09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5
Tags
upx nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5

Threat Level: Known bad

The file 09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5 was found to be: Known bad.

Malicious Activity Summary

upx nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

UPX dump on OEP (original entry point)

UPX packed file

Drops startup file

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-18 18:27

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 18:27

Reported

2024-05-18 18:29

Platform

win7-20240221-en

Max time kernel

134s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PasswordOnWakeSettingFlyout.url C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2176 set thread context of 2268 N/A C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Host\dhcphost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Host\dhcphost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2268 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 1376 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe

"C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp17D4.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1823.tmp"

Network

Country Destination Domain Proto
NL 213.184.126.143:1993 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp17D4.tmp

MD5 c6f0625bf4c1cdfb699980c9243d3b22
SHA1 43de1fe580576935516327f17b5da0c656c72851
SHA256 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

C:\Users\Admin\AppData\Local\Temp\tmp1823.tmp

MD5 0479d5f304ef2d7e3c15fb24a99f88c1
SHA1 8edbb1450a656fac5f5e96779ffe440ee8c1aec9
SHA256 112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc
SHA512 537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 18:27

Reported

2024-05-18 18:29

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PasswordOnWakeSettingFlyout.url C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2628 set thread context of 4688 N/A C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2628 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4688 wrote to memory of 4868 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 4688 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe

"C:\Users\Admin\AppData\Local\Temp\09bc8f508d13b32a88d742229c4d33cbec3399c54e6259c6a0f8d499e6f229a5.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4C27.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4C57.tmp"

Network

Files

C:\Users\Admin\AppData\Local\Temp\tmp4C57.tmp

MD5 2f26d92c1eeead3896820e56ec46f6f1
SHA1 d95533b61eed7d89e4ada56bc566d60e42ac1f61
SHA256 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa
SHA512 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892

C:\Users\Admin\AppData\Local\Temp\tmp4C27.tmp

MD5 c6f0625bf4c1cdfb699980c9243d3b22
SHA1 43de1fe580576935516327f17b5da0c656c72851
SHA256 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969
