Malware Analysis Report

2024-11-30 15:59

Sample ID 220625-njajascea7
Target 644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c
SHA256 644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c

Threat Level: Known bad

The file 644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Loads dropped DLL

Drops startup file

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-25 11:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-25 11:25

Reported

2022-06-25 13:33

Platform

win7-20220414-en

Max time kernel

168s

Max time network

192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrsss.exe.lnk | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1912 set thread context of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1912 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 1376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1288 wrote to memory of 1376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1288 wrote to memory of 1376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1288 wrote to memory of 1376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 1912 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 1912 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 1912 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 1912 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 1912 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 1912 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 1912 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 1912 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 1912 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1708 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1708 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1708 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe

"C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.lnk " /f

C:\Users\Admin\AppData\Local\Temp\csrsss.exe

"C:\Users\Admin\AppData\Local\Temp\csrsss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | auxwin.duckdns.org | udp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
US | 8.8.8.8:53 | auxwin.duckdns.org | udp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
US | 8.8.8.8:53 | auxwin.duckdns.org | udp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp

Files

memory/1912-54-0x0000000076721000-0x0000000076723000-memory.dmp

memory/1912-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1288-56-0x0000000000000000-mapping.dmp

memory/1376-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe

MD5 bf41f994a287a74be5fa1b9bbef61e25
SHA1 6dad025caf3ab68aeba93b079356eeb9edc36d16
SHA256 644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c
SHA512 ccc28c30cb0cc380aecf6067b66312e423341dd46112652b69137dd333f4683dfa779c2509e97f7c39a61f5e7ee647ff04016407e5a98a3738b5cf2c6d946294

\Users\Admin\AppData\Local\Temp\csrsss.exe

MD5 278edbd499374bf73621f8c1f969d894
SHA1 a81170af14747781c5f5f51bb1215893136f0bc0
SHA256 c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

memory/1168-60-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1168-61-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1168-63-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1168-64-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1168-65-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1168-66-0x000000000045810E-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\csrsss.exe

MD5 278edbd499374bf73621f8c1f969d894
SHA1 a81170af14747781c5f5f51bb1215893136f0bc0
SHA256 c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

memory/1168-69-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1168-71-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrsss.exe

MD5 278edbd499374bf73621f8c1f969d894
SHA1 a81170af14747781c5f5f51bb1215893136f0bc0
SHA256 c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

memory/1168-74-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1912-75-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1708-76-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.bat

MD5 f20919d9be671888ac2a4d7a0c3aa4ae
SHA1 1a1c34123521d4c7ad2a45508eee464020dbf1bb
SHA256 fd14bcdf0e40636dfbdcecf19d26c5177f4bd8ac28e2a16930b9e0c6e31de43b
SHA512 38c4e8665c5e37556ba6463a9abcda6922aff537796adaccfd9a0bb6c716776bdf38c2873ecdfb91260d012089e7aa44715ee660873dc901593054498e926343

memory/1460-78-0x0000000000000000-mapping.dmp

memory/1912-79-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1168-80-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-25 11:25

Reported

2022-06-25 13:31

Platform

win10v2004-20220414-en

Max time kernel

144s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrsss.exe.lnk | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2912 set thread context of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrsss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2912 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 1272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 2912 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 2912 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 2912 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 2912 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 2912 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 2912 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 2912 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Users\Admin\AppData\Local\Temp\csrsss.exe
PID 2912 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe | C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 4508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4536 wrote to memory of 4508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4536 wrote to memory of 4508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe

"C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.lnk " /f

C:\Users\Admin\AppData\Local\Temp\csrsss.exe

"C:\Users\Admin\AppData\Local\Temp\csrsss.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

Network

Country | Destination | Domain | Proto
US | 8.253.208.112:80 | N/A | tcp
US | 8.8.8.8:53 | auxwin.duckdns.org | udp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
US | 13.107.21.200:443 | N/A | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
US | 52.168.117.170:443 | N/A | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
US | 8.253.208.112:80 | N/A | tcp
US | 8.253.208.112:80 | N/A | tcp
US | 8.253.208.112:80 | N/A | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
US | 8.8.8.8:53 | auxwin.duckdns.org | udp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp
US | 8.8.8.8:53 | auxwin.duckdns.org | udp
RS | 109.92.38.96:8284 | auxwin.duckdns.org | tcp

Files

memory/2912-130-0x0000000074690000-0x0000000074C41000-memory.dmp

memory/1612-131-0x0000000000000000-mapping.dmp

memory/1272-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe

MD5 bf41f994a287a74be5fa1b9bbef61e25
SHA1 6dad025caf3ab68aeba93b079356eeb9edc36d16
SHA256 644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c
SHA512 ccc28c30cb0cc380aecf6067b66312e423341dd46112652b69137dd333f4683dfa779c2509e97f7c39a61f5e7ee647ff04016407e5a98a3738b5cf2c6d946294

memory/3428-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\csrsss.exe

MD5 a64daca3cfbcd039df3ec29d3eddd001
SHA1 eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512 b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

C:\Users\Admin\AppData\Local\Temp\csrsss.exe

MD5 a64daca3cfbcd039df3ec29d3eddd001
SHA1 eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512 b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

memory/4536-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.bat

MD5 f20919d9be671888ac2a4d7a0c3aa4ae
SHA1 1a1c34123521d4c7ad2a45508eee464020dbf1bb
SHA256 fd14bcdf0e40636dfbdcecf19d26c5177f4bd8ac28e2a16930b9e0c6e31de43b
SHA512 38c4e8665c5e37556ba6463a9abcda6922aff537796adaccfd9a0bb6c716776bdf38c2873ecdfb91260d012089e7aa44715ee660873dc901593054498e926343

memory/4508-140-0x0000000000000000-mapping.dmp

memory/3428-141-0x0000000074690000-0x0000000074C41000-memory.dmp

memory/2912-142-0x0000000074690000-0x0000000074C41000-memory.dmp

memory/2912-143-0x0000000074690000-0x0000000074C41000-memory.dmp

memory/3428-144-0x0000000074690000-0x0000000074C41000-memory.dmp