IOC Report

Files

File Path | Type | Category | Malicious
4Y85lSOUJ0.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\ProgramData\nano.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\ProgramData\output.exe | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\4Y85lSOUJ0.exe.log | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat | ISO-8859 text, with NEL line terminators | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\output.exe.log | ASCII text, with CRLF line terminators | modified | clean
C:\Users\user\AppData\Local\Temp\Capture.jpg | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3 | dropped | clean
C:\Users\user\AppData\Local\Temp\login.db | SQLite 3.x database, last written using SQLite version 3032001 | dropped | clean
\Device\ConDrv | ASCII text, with very long lines, with CRLF line terminators | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\4Y85lSOUJ0.exe | "C:\Users\user\Desktop\4Y85lSOUJ0.exe" | malicious
C:\ProgramData\nano.exe | "C:\ProgramData\nano.exe" | malicious
C:\ProgramData\output.exe | "C:\ProgramData\output.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Domains

Name | IP | Malicious
discord.com | 162.159.137.232 | malicious
ip-api.com | 208.95.112.1 | clean
ip4.seeip.org | 23.128.64.141 | clean

IPs

IP | Domain | Country | Malicious
162.159.137.232 | discord.com | United States | malicious
208.95.112.1 | ip-api.com | United States | clean
23.128.64.141 | ip4.seeip.org | United States | clean

Registry

Path | Value | Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | DHCP Monitor | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASAPI32 | EnableFileTracing | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASAPI32 | EnableAutoFileTracing | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASAPI32 | EnableConsoleTracing | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASAPI32 | FileTracingMask | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASAPI32 | ConsoleTracingMask | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASAPI32 | MaxFileSize | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASAPI32 | FileDirectory | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASMANCS | EnableFileTracing | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASMANCS | EnableAutoFileTracing | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASMANCS | EnableConsoleTracing | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASMANCS | FileTracingMask | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASMANCS | ConsoleTracingMask | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASMANCS | MaxFileSize | clean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\output_RASMANCS | FileDirectory | clean

Memdumps

Base Address | Region type | Protect | Malicious
692000 | unknown image | page readonly | malicious
A82000 | unknown image | page readonly | malicious
2DE1000 | unknown | page read and write | malicious
A82000 | unknown image | page readonly | malicious
3DE4000 | unknown | page read and write | malicious
A82000 | unknown image | page readonly | malicious