Malware Analysis Report

2024-11-30 15:57

Sample ID 220724-eqzmbsehc7
Target 596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131
SHA256 596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131
Tags: persistence imminent spyware trojan

Score: 10/10


Analysis Overview

Score: 10/10

SHA256

596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131

Threat Level: Known bad

The file 596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131 was found to be: Known bad.

Malicious Activity Summary

persistence imminent spyware trojan

Imminent RAT

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-24 04:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-24 04:09

Reported

2022-07-25 12:56

Platform

win7-20220718-en

Max time kernel

100s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Win Update\\Win Update.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1652 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1652 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Windows\SysWOW64\cmd.exe
PID 980 wrote to memory of 1136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 976 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 976 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1124 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1124 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1124 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1124 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1124 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1124 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\Win Update\Win Update.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\Win Update\Win Update.exe"

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\Win Update\Win Update.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\Win Update\Win Update.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

MD5 2b7b5d13885e9a78a307fb6682fed0a2
SHA1 2952700955f26433727807d5413faa08bf4d9d23
SHA256 596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131
SHA512 7f3785e6767b842c2ac2dcfbd2e80d84bcdac8c45278e0349572a9a7e627b9e87b30e434f68e57443785356677cfa03dcc45ef56caae4f2565a2de69c46393e2

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-24 04:09

Reported

2022-07-25 12:55

Platform

win10v2004-20220722-en

Max time kernel

155s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

Signatures

Imminent RAT

trojan spyware imminent

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Win Update\\Win Update.exe" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3880 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 3880 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1312 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1312 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4132 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1724 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1724 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe
PID 1724 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

"C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\Win Update\Win Update.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\Win Update\Win Update.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Network

Country Destination Domain Proto
US 8.8.8.8:53 minecraft-stuff.ddns.net udp

Files

C:\Users\Admin\AppData\Local\Temp\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe

MD5 2b7b5d13885e9a78a307fb6682fed0a2
SHA1 2952700955f26433727807d5413faa08bf4d9d23
SHA256 596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131
SHA512 7f3785e6767b842c2ac2dcfbd2e80d84bcdac8c45278e0349572a9a7e627b9e87b30e434f68e57443785356677cfa03dcc45ef56caae4f2565a2de69c46393e2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\596078614be4defaea31d0c0e5b1582a6217a67c63b2ef429d4f080c93e27131.exe.log

MD5 da4fafeffe21b7cb3a8c170ca7911976
SHA1 50ef77e2451ab60f93f4db88325b897d215be5ad
SHA256 7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7
SHA512 0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6
