Malware Analysis Report

2024-11-30 16:02

Sample ID 220620-vcdeyahdh6
Target 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347
SHA256 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347

Threat Level: Known bad

The file 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347 was found to be: Known bad.

Summary of the two detonations below: the sample copies itself to C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe (all four hashes identical to the submitted file) and registers a shortcut to that copy, Update.exe.lnk, in the Load value of HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, a per-user logon autostart. A batch file, Update.exe.bat, waits 120 seconds with timeout.exe, runs tasklist.exe through find.exe, and launches Update.exe, which repeats the whole chain. Two payloads are dropped to %TEMP%: tmp.exe, which installs a Windows hook and polls the foreground window (the pattern of a user-mode keylogger), and svhost.exe (one letter short of svchost.exe), into which the parent writes repeatedly and, in the Windows 10 run, calls SetThreadContext, i.e. process hollowing; in both runs svhost.exe then crashes and spawns the .NET Watson reporter dw20.exe. Command-and-control is a stream of TCP connections to 104.128.234.104:8383 with no preceding DNS lookup; that address and port are the only network indicator common to both runs.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Enumerates processes with tasklist

Checks processor information in registry

Delays execution with timeout.exe

NTFS ADS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Technique mapping derived from the behaviours recorded in the analyses below (ATT&CK Enterprise technique IDs):

T1059.003 Command and Scripting Interpreter: Windows Command Shell (cmd.exe running reg add and Update.exe.bat)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows pointing at Update.exe.lnk)
T1036.005 Masquerading: Match Legitimate Name or Location (svhost.exe; a "WinDir" folder under %TEMP%)
T1055.012 Process Injection: Process Hollowing (SetThreadContext and repeated WriteProcessMemory from the parent into svhost.exe)
T1056.001 Input Capture: Keylogging (SetWindowsHookEx and GetForegroundWindow polling by tmp.exe; consistent with, not proven by, the report)
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion (timeout /t 120 before the next stage)
T1057 Process Discovery (tasklist /nh /fi "imagename eq .exe" piped to find)
T1614 System Location Discovery (Control Panel\International\Geo\Nation query)
T1082 System Information Discovery (BIOS and CentralProcessor registry reads; flagged on dw20.exe, the crash reporter, so not the sample's own behaviour)
T1571 Non-Standard Port (C2 over TCP 8383)

Analysis: static1

Detonation Overview

Reported

2022-06-20 16:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-20 16:50

Reported

2022-06-20 16:53

Platform

win7-20220414-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe"

Signatures

Imminent RAT

trojan spyware imminent

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Note: the command line recorded below is tasklist /nh /fi "imagename eq .exe" piped into find /i ".exe". The image-name filter carries no process name (only the ".exe" suffix), so whatever variable the batch file substitutes there expanded empty; the process listing still runs, which is what this signature records.

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Note: Zone.Identifier is the mark-of-the-web stream. It is written here by the cmd.exe instance that runs Update.exe.bat, so the batch file touches the stream on the self-copy; the report does not show the stream contents, so whether it sets or strips the zone cannot be read from this page.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Note: both signatures fire on tmp.exe. A SetWindowsHookEx hook plus constant GetForegroundWindow polling is the usual shape of a user-mode keylogger (capture keystrokes, record the active window title next to them). The report does not show the hook type, so treat tmp.exe as keylogger-consistent rather than confirmed.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Calls
PID 272 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1364 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 272 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe 4
PID 272 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe 9
PID 340 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe 4
PID 272 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1208 wrote to memory of 600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 4
PID 1208 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe 4
PID 1208 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe 4
PID 1208 wrote to memory of 1928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe 7
PID 1928 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1084 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 1928 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe 4
PID 1928 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe 1

Note: rows are collapsed from the original one-row-per-call table; the call count is in the last column. A plain child start leaves four writes in this log (cmd.exe PID 1364, reg.exe, tmp.exe, timeout, tasklist, find). svhost.exe (PID 340) receives nine, the most of any child, with cmd.exe PID 1208 and Update.exe PID 1928 at seven each, so on Windows 7 the count alone is only a hint. The Windows 10 run (eight writes into svhost.exe against three for every other child, plus SetThreadContext) is the clean evidence of hollowing. The last row is the first write into the second svhost.exe (PID 1952); nothing later is recorded in this table.

Processes

Process tree (PIDs taken from the WriteProcessMemory table above; the report lists the processes flat, the nesting below follows the parent-child pairs in that table):

C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe (PID 272)
  "C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe"

  C:\Windows\SysWOW64\cmd.exe (PID 1364)
    "cmd.exe"

    C:\Windows\SysWOW64\reg.exe (PID 840)
      reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.lnk" /f

  C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 944)
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"

  C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 340)
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 276)
      dw20.exe -x -s 388

  C:\Windows\SysWOW64\cmd.exe (PID 1208)
    cmd /c C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.bat

    C:\Windows\SysWOW64\timeout.exe (PID 600)
      timeout /t 120

    C:\Windows\SysWOW64\tasklist.exe (PID 1828)
      tasklist /nh /fi "imagename eq .exe"

    C:\Windows\SysWOW64\find.exe (PID 1140)
      find /i ".exe"

    C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe (PID 1928)
      "C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe"

      C:\Windows\SysWOW64\cmd.exe (PID 1084)
        "cmd.exe"

        C:\Windows\SysWOW64\reg.exe (PID 1612)
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.lnk" /f

      C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 964)
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"

      C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 1952)
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID not recorded; listed directly after the second svhost.exe, its parent is not in the table)
          dw20.exe -x -s 388

C:\Windows\SysWOW64\timeout.exe (second instance, listed last in the report; parent PID not recorded)
  timeout /t 120

C:\Windows\system32\wbem\WmiApSrv.exe (WMI Performance Adapter service; no parent recorded, not a child of the sample)
  C:\Windows\system32\wbem\WmiApSrv.exe

Note: in each chain the first cmd.exe is started with no arguments and then spawns reg.exe, so the reg add command is passed to it after start (typically over its standard input); the second cmd.exe is started with /c on Update.exe.bat, so the timeout/tasklist/find sequence and the launch of Update.exe are the contents of that batch file. Update.exe then repeats what the original sample did: reg add, tmp.exe, svhost.exe, and another dw20.exe crash report.
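The parent-child pairs in the tree above come straight from the WriteProcessMemory rows, and the same rows carry a weak injection signal in their repeat counts. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own format, collapses repeats, rebuilds the tree, and ranks children by write count. The row text is reconstructed from the behavioral1 table by a small helper rather than pasted 64 times; the PIDs, image paths and counts are the report's.

```python
"""Rebuild the behavioral1 process tree from the report's own
'PID X wrote to memory of Y' rows and rank children by write count."""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
SVH = r"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
UPD = r"C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe"
DW20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"


def _rows(ppid, cpid, pimg, cimg, n):
    """One report row per WriteProcessMemory call, exactly as the sandbox prints them."""
    return "\n".join(f"PID {ppid} wrote to memory of {cpid} N/A {pimg} {cimg}" for _ in range(n))


# Constructed copy of the behavioral1 table: the PIDs, images and repeat counts
# are the report's, the helper only saves pasting 64 long rows.
WPM_ROWS = "\n".join([
    _rows(272, 1364, SAMPLE, CMD, 4), _rows(1364, 840, CMD, REG, 4),
    _rows(272, 944, SAMPLE, TMP, 4), _rows(272, 340, SAMPLE, SVH, 9),
    _rows(340, 276, SVH, DW20, 4), _rows(272, 1208, SAMPLE, CMD, 7),
    _rows(1208, 600, CMD, r"C:\Windows\SysWOW64\timeout.exe", 4),
    _rows(1208, 1828, CMD, r"C:\Windows\SysWOW64\tasklist.exe", 4),
    _rows(1208, 1140, CMD, r"C:\Windows\SysWOW64\find.exe", 4),
    _rows(1208, 1928, CMD, UPD, 7), _rows(1928, 1084, UPD, CMD, 4),
    _rows(1084, 1612, CMD, REG, 4), _rows(1928, 964, UPD, TMP, 4),
    _rows(1928, 1952, UPD, SVH, 1),
])

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_wpm(text):
    """Collapse the row-per-call table into {(ppid, cpid, parent_image, child_image): calls}."""
    edges = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges[(int(ppid), int(cpid), pimg, cimg)] += 1
    return edges


def build_tree(edges):
    """Return (children, images, roots): parent -> [(child, calls)], pid -> image path,
    and the PIDs that nobody in the table spawned."""
    children, images = defaultdict(list), {}
    for (ppid, cpid, pimg, cimg), n in edges.items():
        children[ppid].append((cpid, n))
        images.setdefault(ppid, pimg)
        images[cpid] = cimg
    spawned = {c for kids in children.values() for c, _ in kids}
    return children, images, [p for p in images if p not in spawned]


def path_to(children, root, target, trail=()):
    """Ancestry chain from root to target, e.g. who really stands behind dw20.exe."""
    trail += (root,)
    if root == target:
        return list(trail)
    for cpid, _ in children.get(root, []):
        found = path_to(children, cpid, target, trail)
        if found:
            return found
    return None


def rank_children_by_writes(edges):
    """Children sorted by call count. An ordinary child start leaves a small fixed
    number of writes in this log; a child that gets a new image written in gets more."""
    ranked = [(cpid, cimg.rsplit("\\", 1)[-1], n) for (_, cpid, _, cimg), n in edges.items()]
    return sorted(ranked, key=lambda t: -t[2])


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process."""
    name = images[pid].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{name} (PID {pid})"]
    for cpid, _ in children.get(pid, []):
        lines += render(children, images, cpid, depth + 1)
    return lines


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    children, images, roots = build_tree(edges)
    print("\n".join(render(children, images, roots[0])))
    print(rank_children_by_writes(edges)[:4])
```

On this log the child with the most writes is svhost.exe (PID 340, nine against four for a plain cmd.exe child), but cmd.exe PID 1208 and Update.exe PID 1928 received seven each, so the count alone would not hold up as a detection; the Windows 10 run's SetThreadContext row is what confirms hollowing. The path_to helper is the quick way to show that dw20.exe (PID 276) descends from the hollowed svhost.exe rather than from the sample itself.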

Network

Country Destination Domain Proto Connections
US 104.128.234.104:8383 tcp 24

Note: the original log lists one row per TCP connection; all 24 go to the same address and port. No DNS query for that host appears in the capture, so the address is used directly. TCP 8383 is not a service port in normal use; hunt on the address and port together rather than on either alone.

Files

Memory dumps (memory/<pid>-<sequence>-<range or address>), in the order the report lists them:

memory/272-54-0x0000000075951000-0x0000000075953000-memory.dmp
memory/1364-55-0x0000000000000000-mapping.dmp
memory/840-56-0x0000000000000000-mapping.dmp
memory/944-60-0x0000000000000000-mapping.dmp
memory/340-64-0x0000000000400000-0x0000000000458000-memory.dmp
memory/340-65-0x0000000000400000-0x0000000000458000-memory.dmp
memory/340-67-0x0000000000400000-0x0000000000458000-memory.dmp
memory/340-68-0x0000000000400000-0x0000000000458000-memory.dmp
memory/340-69-0x0000000000400000-0x0000000000458000-memory.dmp
memory/340-70-0x00000000004521BE-mapping.dmp
memory/340-73-0x0000000000400000-0x0000000000458000-memory.dmp
memory/340-75-0x0000000000400000-0x0000000000458000-memory.dmp
memory/276-78-0x0000000000000000-mapping.dmp
memory/944-81-0x0000000000040000-0x0000000000098000-memory.dmp
memory/272-83-0x0000000074710000-0x0000000074CBB000-memory.dmp
memory/340-85-0x0000000074710000-0x0000000074CBB000-memory.dmp
memory/1208-86-0x0000000000000000-mapping.dmp
memory/600-88-0x0000000000000000-mapping.dmp
memory/944-89-0x0000000000340000-0x0000000000350000-memory.dmp
memory/944-90-0x0000000004950000-0x0000000004A00000-memory.dmp
memory/944-91-0x00000000003F0000-0x0000000000418000-memory.dmp
memory/944-93-0x00000000004B0000-0x00000000004C6000-memory.dmp
memory/272-94-0x0000000074710000-0x0000000074CBB000-memory.dmp
memory/340-95-0x0000000074710000-0x0000000074CBB000-memory.dmp
memory/1828-96-0x0000000000000000-mapping.dmp
memory/1140-97-0x0000000000000000-mapping.dmp
memory/1928-100-0x0000000000000000-mapping.dmp
memory/1928-103-0x0000000074710000-0x0000000074CBB000-memory.dmp
memory/1084-104-0x0000000000000000-mapping.dmp
memory/1612-107-0x0000000000000000-mapping.dmp
memory/964-110-0x0000000000000000-mapping.dmp
memory/1952-119-0x00000000004521BE-mapping.dmp
memory/2012-126-0x0000000000000000-mapping.dmp
memory/1952-131-0x0000000074710000-0x0000000074CBB000-memory.dmp
memory/1928-132-0x0000000074710000-0x0000000074CBB000-memory.dmp
memory/624-133-0x0000000000000000-mapping.dmp
memory/1952-134-0x0000000074710000-0x0000000074CBB000-memory.dmp

Dropped files, each listed once (the report repeats an entry every time the file is written or read back, under both the C:\Users\... and \Users\... spellings):

C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe (self-copy: all four hashes match the submitted sample)

MD5 9feaf964c8cf229116b3439a7520bbed
SHA1 0a606159afef156db4df1f6a2b79d933379b5198
SHA256 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347
SHA512 7111a74efa2ec69381baf5d28e81f91dd172dc1478b976a1c0b0075ad1bc2785d8869f87cd3e2d172dae045710cffba30139beb263f8278e0e5b95f46264ec02

C:\Users\Admin\AppData\Local\Temp\tmp.exe

MD5 56a28a67e708d9f099528457384f456d
SHA1 a625be6fba78381e79da9912bbefce21e05031dd
SHA256 a7985fafa6b874057289e59eb8aff0633b10dc9c704a251efb605dadf7a5431d
SHA512 1c5a3e9efbd40a454d35dd1bb36db68e74290826f20c657dc705b4eb26b3f3c01520c67bc4233e0e1ddea991ad685ed77fd87e3683b41aa1b2a670a6b729e261

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 2e5f1cf69f92392f8829fc9c9263ae9b
SHA1 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA256 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512 f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.bat

MD5 3b6a56f303d5dd98b42084fac3feb0d1
SHA1 a8bdb37904ef6aa59608088f19ba98d38f494117
SHA256 ef83e0a4dfad7ba70badd2153861ba96bba3a09bcd26195c5534952ffda2e696
SHA512 66070b7139213da25bcf0945622802dad37a3eface1745c617bbbc6b3aca2b88d7ad8eb4b8ac20647805773f5fd9f71d4d49c2dc56566ed5a1e1d7e708d62c3c

C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.lnk

MD5 623e40a7b9876d9b6204217bff6f0364
SHA1 c752cb509589015855d89065ec0af9eb3bcd754a
SHA256 b3fa57455edc0934c97d07433783d37138b57986a4a3f606513d00d3f33061aa
SHA512 fa098a690f6650b4453c4fe22d20a1a1f4f5e0177af3621e3a8d5d05becf181ed84df88b561b04b48dca31c1ab29abd6e45c5a76233f32eed205299bf5c54409

Note: the 0x400000-0x458000 range of svhost.exe (PID 340) is dumped seven times and the process's mapping entry sits at 0x4521BE, inside that range; the second svhost.exe (PID 1952) has a mapping at the same 0x4521BE. PIDs 2012 and 624 appear only here and are not in the WriteProcessMemory table.
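The dump names above encode a PID, a sequence number and either an address range (-memory.dmp) or a single address (-mapping.dmp). I read the single, non page-aligned address as the point where the sandbox saw execution start in that process; that is an assumption about the naming convention, which the report does not define. What is on the page is that 0x4521BE sits inside the 0x400000-0x458000 range (the default image-base range of a 32-bit executable) dumped repeatedly from svhost.exe PID 340, and that the same address recurs in the second svhost.exe, PID 1952. The Python below is an added example, not sandbox code, that pulls those facts out of a constructed subset of the names.

```python
"""Parse the sandbox's memory-dump names and relate mapping addresses to
dumped regions (added example; the meaning of the mapping address is assumed)."""
import re
from collections import Counter, defaultdict

# Constructed subset of the behavioral1 "Files" names above, copied verbatim.
DUMP_NAMES = """
memory/272-54-0x0000000075951000-0x0000000075953000-memory.dmp
memory/1364-55-0x0000000000000000-mapping.dmp
memory/944-60-0x0000000000000000-mapping.dmp
memory/340-64-0x0000000000400000-0x0000000000458000-memory.dmp
memory/340-70-0x00000000004521BE-mapping.dmp
memory/340-73-0x0000000000400000-0x0000000000458000-memory.dmp
memory/944-81-0x0000000000040000-0x0000000000098000-memory.dmp
memory/340-85-0x0000000074710000-0x0000000074CBB000-memory.dmp
memory/944-89-0x0000000000340000-0x0000000000350000-memory.dmp
memory/1952-119-0x00000000004521BE-mapping.dmp
memory/2012-126-0x0000000000000000-mapping.dmp
memory/1952-131-0x0000000074710000-0x0000000074CBB000-memory.dmp
"""

REGION = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")
DEFAULT_IMAGE_BASE = 0x400000  # usual base of a 32-bit PE: a dump starting here is the main module


def parse_dump_names(text):
    """Return (regions, mappings): {pid: [(start, end), ...]} and {pid: {address}}.
    Regions are a list because the same range can be dumped repeatedly."""
    regions, mappings = defaultdict(list), defaultdict(set)
    for name in text.split():
        m = REGION.match(name)
        if m:
            pid, _, start, end = m.groups()
            regions[int(pid)].append((int(start, 16), int(end, 16)))
            continue
        m = MAPPING.match(name)
        if m:
            pid, _, addr = m.groups()
            mappings[int(pid)].add(int(addr, 16))
    return regions, mappings


def mappings_inside_dumped_regions(regions, mappings):
    """{pid: (addr, start, end)} where a non-zero mapping address lies inside a
    region dumped from the same process. Zero is the creation-time dump and
    carries no location."""
    hits = {}
    for pid, addrs in mappings.items():
        for addr in addrs:
            for start, end in regions.get(pid, []):
                if addr and start <= addr < end:
                    hits[pid] = (addr, start, end)
    return hits


def main_module_dump_count(regions):
    """How often each PID's default-image-base region appears among the dumps.
    Why the sandbox re-dumped it is not stated in the report, but repeated dumps
    of one process's main module are the first place to look for a rewritten image."""
    counts = Counter(pid for pid, ranges in regions.items()
                     for start, _ in ranges if start == DEFAULT_IMAGE_BASE)
    return dict(counts)


def shared_mapping_addresses(mappings):
    """Non-zero mapping addresses seen in more than one PID: one payload with one
    entry address, landed in several processes."""
    by_addr = defaultdict(set)
    for pid, addrs in mappings.items():
        for addr in addrs:
            if addr:
                by_addr[addr].add(pid)
    return {addr: sorted(pids) for addr, pids in by_addr.items() if len(pids) > 1}


if __name__ == "__main__":
    regions, mappings = parse_dump_names(DUMP_NAMES)
    print(mappings_inside_dumped_regions(regions, mappings))
    print(main_module_dump_count(regions))
    print({hex(a): p for a, p in shared_mapping_addresses(mappings).items()})
```

Run against the full list above, the main-module count for PID 340 is seven; the subset keeps two so the script stays short. The region of interest for carving the injected PE is therefore the 0x400000-0x458000 dump of PID 340 taken after sequence 70, not the sample's own image.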

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-20 16:50

Reported

2022-06-20 16:54

Platform

win10v2004-20220414-en

Max time kernel

187s

Max time network

193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe N/A

Note: Geo\Nation holds the user's configured country code; reading it is the usual region check, but the report does not show what the sample does with the value.

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2968 set thread context of 2992 N/A C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Note: this is the step that turns the repeated WriteProcessMemory calls into svhost.exe (PID 2992, table below) into process hollowing: the parent starts the child, writes a new image into it, and points the primary thread at the new entry point with SetThreadContext. In both runs the child then crashes into dw20.exe, so the hollowed payload does not run cleanly in the sandbox.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe N/A

Note on both Desktop.ini signatures: C:\Windows\assembly is the .NET Global Assembly Cache and its Desktop.ini is a known artifact of the .NET runtime that shows up in sandbox reports for most managed executables; it is not attacker-written content and should not be read as the sample dropping files.

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Note on the two registry signatures: the process is dw20.exe, the .NET Framework 2.0 Watson error reporter, which the runtime launches when a managed process (here svhost.exe) dies on an unhandled exception. Reading the CPU and BIOS keys is part of assembling the crash report, not sample behaviour; the same applies to the "Checks processor information" and "Enumerates system info" entries in the overview. What the crash does tell you is that the hollowed payload faulted shortly after SetThreadContext.

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Calls
PID 2968 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3832 wrote to memory of 4716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 3
PID 2968 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe 3
PID 2968 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe 8
PID 2968 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2992 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe 3
PID 3036 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 3

Note: rows are collapsed from the original one-row-per-call table with the call count in the last column. Every ordinary child start accounts for exactly three writes in this run; svhost.exe (PID 2992) gets eight, and it is also the SetThreadContext target above. The five extra writes are the parent placing a new image into the child, which is what the hollowing conclusion rests on.

Processes

Process tree (PIDs taken from the WriteProcessMemory table above; the report lists the processes flat):

C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe (PID 2968)
  "C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe"

  C:\Windows\SysWOW64\cmd.exe (PID 3832)
    "cmd.exe"

    C:\Windows\SysWOW64\reg.exe (PID 4716)
      reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.lnk" /f

  C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 3932)
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"

  C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 2992)
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 1756)
      dw20.exe -x -s 804

  C:\Windows\SysWOW64\cmd.exe (PID 3036)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.bat

    C:\Windows\SysWOW64\timeout.exe (PID 4456)
      timeout /t 120

C:\Windows\system32\wbem\WmiApSrv.exe (WMI Performance Adapter service; no parent recorded, not a child of the sample)
  C:\Windows\system32\wbem\WmiApSrv.exe

Note: unlike the Windows 7 run, no tasklist.exe, find.exe or second Update.exe instance is recorded after the 120-second timeout, so the batch file's later steps were not observed within this detonation.

Network

Country Destination Domain Proto
US 20.189.173.7:443 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 93.184.221.240:80 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
IE 20.54.89.15:443 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp
US 104.128.234.104:8383 tcp

Files

memory/2968-130-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/3832-131-0x0000000000000000-mapping.dmp

memory/4716-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.jpg

MD5 9feaf964c8cf229116b3439a7520bbed
SHA1 0a606159afef156db4df1f6a2b79d933379b5198
SHA256 3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347
SHA512 7111a74efa2ec69381baf5d28e81f91dd172dc1478b976a1c0b0075ad1bc2785d8869f87cd3e2d172dae045710cffba30139beb263f8278e0e5b95f46264ec02

memory/3932-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp.exe

MD5 56a28a67e708d9f099528457384f456d
SHA1 a625be6fba78381e79da9912bbefce21e05031dd
SHA256 a7985fafa6b874057289e59eb8aff0633b10dc9c704a251efb605dadf7a5431d
SHA512 1c5a3e9efbd40a454d35dd1bb36db68e74290826f20c657dc705b4eb26b3f3c01520c67bc4233e0e1ddea991ad685ed77fd87e3683b41aa1b2a670a6b729e261

C:\Users\Admin\AppData\Local\Temp\tmp.exe

MD5 56a28a67e708d9f099528457384f456d
SHA1 a625be6fba78381e79da9912bbefce21e05031dd
SHA256 a7985fafa6b874057289e59eb8aff0633b10dc9c704a251efb605dadf7a5431d
SHA512 1c5a3e9efbd40a454d35dd1bb36db68e74290826f20c657dc705b4eb26b3f3c01520c67bc4233e0e1ddea991ad685ed77fd87e3683b41aa1b2a670a6b729e261

memory/2992-137-0x0000000000000000-mapping.dmp

memory/2968-138-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/2992-139-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 84c42d0f2c1ae761bef884638bc1eacd
SHA1 4353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA512 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 84c42d0f2c1ae761bef884638bc1eacd
SHA1 4353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA512 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

memory/2992-142-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/3036-143-0x0000000000000000-mapping.dmp

memory/1756-144-0x0000000000000000-mapping.dmp

memory/2992-145-0x00000000752F0000-0x00000000758A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.bat

MD5 3b6a56f303d5dd98b42084fac3feb0d1
SHA1 a8bdb37904ef6aa59608088f19ba98d38f494117
SHA256 ef83e0a4dfad7ba70badd2153861ba96bba3a09bcd26195c5534952ffda2e696
SHA512 66070b7139213da25bcf0945622802dad37a3eface1745c617bbbc6b3aca2b88d7ad8eb4b8ac20647805773f5fd9f71d4d49c2dc56566ed5a1e1d7e708d62c3c

memory/4456-147-0x0000000000000000-mapping.dmp

memory/2968-148-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/3932-149-0x0000000006590000-0x000000000662C000-memory.dmp

memory/3932-150-0x0000000006BE0000-0x0000000007184000-memory.dmp

memory/3932-151-0x0000000006810000-0x00000000068A2000-memory.dmp

memory/2992-152-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/3932-153-0x0000000006B60000-0x0000000006BC6000-memory.dmp

memory/3932-154-0x0000000007A40000-0x0000000007A4A000-memory.dmp