Malware Analysis Report

2024-11-15 08:09

Sample ID 220919-csyfyagcak
Target MT1893878746.PDF.IMG.exe
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
Tags
imminent spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

Threat Level: Known bad

The file MT1893878746.PDF.IMG.exe was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-19 02:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-19 02:20

Reported

2022-09-19 02:23

Platform

win7-20220812-en

Max time kernel

131s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 780 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 780 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 780 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 780 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\schtasks.exe
PID 780 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\schtasks.exe
PID 780 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\schtasks.exe
PID 780 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\schtasks.exe
PID 780 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 780 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 1828 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1828 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1828 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1828 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1828 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1752 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1752 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1752 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1928 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\schtasks.exe
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\schtasks.exe
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\schtasks.exe
PID 1928 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\schtasks.exe
PID 1928 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1928 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB53C.tmp"

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

"C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7ABC.tmp"

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

"C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

"C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 imminent.ddns.net udp
NG 105.112.146.2:9003 imminent.ddns.net tcp
NG 105.112.146.2:9003 imminent.ddns.net tcp

Files

memory/780-54-0x00000000008F0000-0x0000000000A1E000-memory.dmp

memory/780-55-0x0000000076321000-0x0000000076323000-memory.dmp

memory/780-56-0x0000000000860000-0x000000000087A000-memory.dmp

memory/780-57-0x00000000008B0000-0x00000000008BC000-memory.dmp

memory/780-58-0x0000000008010000-0x00000000080C6000-memory.dmp

memory/2008-59-0x0000000000000000-mapping.dmp

memory/2032-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB53C.tmp

MD5 b48ac4d505d31c9e88a30ce62689bf95
SHA1 ba71a0dc27de38add8c5a048396eb40afd097789
SHA256 de07e956fceb5c4d5e342e464061850cf2362ff1e502f8bde61fa90ed5f95a53
SHA512 b8fa5b85014198a6c8f7026167dbd31880c788d2f743bd1f71a41bd4a25076dfa9e019fd0b40a52d32e3e668036b87bfac9ee8e92c1e0d20cd1f26de017bd75a

memory/780-63-0x0000000005E20000-0x0000000005E80000-memory.dmp

memory/1828-64-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-65-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-67-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-70-0x000000000045A3DE-mapping.dmp

memory/1828-69-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-68-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-72-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-74-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-75-0x00000000002F0000-0x0000000000318000-memory.dmp

memory/1828-77-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-78-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-79-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-80-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-81-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-82-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-85-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-83-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-87-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-88-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-91-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-93-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-94-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-96-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2008-97-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

memory/1928-101-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

memory/1752-104-0x0000000000000000-mapping.dmp

memory/1928-105-0x00000000011F0000-0x000000000131E000-memory.dmp

memory/972-107-0x0000000000000000-mapping.dmp

memory/2008-108-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

memory/1620-109-0x0000000000000000-mapping.dmp

memory/1676-110-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7ABC.tmp

MD5 b48ac4d505d31c9e88a30ce62689bf95
SHA1 ba71a0dc27de38add8c5a048396eb40afd097789
SHA256 de07e956fceb5c4d5e342e464061850cf2362ff1e502f8bde61fa90ed5f95a53
SHA512 b8fa5b85014198a6c8f7026167dbd31880c788d2f743bd1f71a41bd4a25076dfa9e019fd0b40a52d32e3e668036b87bfac9ee8e92c1e0d20cd1f26de017bd75a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 12af4248e6dee809811282d00231fb2f
SHA1 a5837398bf295599c5c91f899fc095d6079e48ff
SHA256 b52c55d5a9497629f87973fc29e0e8af5acb02b5fdbcedf1d867fb3920ad6d69
SHA512 8a45dbd2e53d42b85b3f13ca5aa94f7765795fa432615030ac9228f34cea2eb17e26d50b18d4dbcfa12f06d5af89ad5b3fb6f49af4a109df3ae985cb52714426

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

memory/1360-123-0x000000000045A3DE-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

memory/1620-150-0x00000000718A0000-0x0000000071E4B000-memory.dmp

memory/1360-152-0x0000000000300000-0x000000000030E000-memory.dmp

memory/1360-153-0x0000000000330000-0x0000000000346000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-19 02:20

Reported

2022-09-19 02:23

Platform

win10v2004-20220812-en

Max time kernel

146s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\schtasks.exe
PID 1912 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\schtasks.exe
PID 1912 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\schtasks.exe
PID 1912 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 1912 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 1912 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 1912 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 1912 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 1912 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 1912 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 1912 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
PID 1104 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1104 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1104 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 1104 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe C:\Windows\SysWOW64\cmd.exe
PID 3844 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3844 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3844 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3624 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\schtasks.exe
PID 3624 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\schtasks.exe
PID 3624 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Windows\SysWOW64\schtasks.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D74.tmp"

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe

"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

"C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB94.tmp"

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

"C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 N/A tcp
US 209.197.3.8:80 N/A tcp
NL 142.251.39.110:80 N/A tcp
NL 142.251.36.22:443 N/A tcp
NL 142.250.179.138:443 N/A tcp
NL 172.217.168.237:443 N/A tcp
US 93.184.221.240:80 N/A tcp
NL 216.58.214.3:443 N/A tcp
NL 142.251.36.3:443 N/A tcp
NL 216.58.208.106:443 N/A tcp
NL 142.250.179.132:443 N/A tcp
NL 142.251.36.46:443 N/A tcp
US 93.184.221.240:80 N/A tcp
US 204.79.197.239:443 N/A tcp
US 8.8.8.8:443 N/A tcp
US 8.8.8.8:443 N/A tcp
US 93.184.220.29:80 N/A tcp
NL 142.251.39.110:443 N/A tcp
US 8.8.8.8:53 imminent.ddns.net udp
NG 105.112.146.2:9003 imminent.ddns.net tcp
NG 105.112.146.2:9003 imminent.ddns.net tcp
NL 142.251.39.110:443 N/A tcp
NG 105.112.146.2:9003 imminent.ddns.net tcp

Files

memory/1912-132-0x00000000001B0000-0x00000000002DE000-memory.dmp

memory/1912-133-0x00000000052C0000-0x0000000005864000-memory.dmp

memory/1912-134-0x0000000004D10000-0x0000000004DA2000-memory.dmp

memory/1912-135-0x0000000004C60000-0x0000000004C6A000-memory.dmp

memory/1912-136-0x0000000008C90000-0x0000000008D2C000-memory.dmp

memory/1912-137-0x0000000008E30000-0x0000000008E96000-memory.dmp

memory/4512-138-0x0000000000000000-mapping.dmp

memory/4476-139-0x0000000000000000-mapping.dmp

memory/4512-140-0x0000000002190000-0x00000000021C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4D74.tmp

MD5 c404ef61bb974e90226fed749a85be10
SHA1 a5fc044ed24a743355ca48546f716ade8015a975
SHA256 d3e125deee5f28a651cdc01a7d249decffaa0fcb13b42797f21011457f62b66c
SHA512 c6a64b6b2c5a8b534fd0f187d23c4171ed8e652c6d99458324414504f3053b34130581f00129804f04962c3bee0836984b0a924afe2f6c45a9fef0ab966ff894

memory/4512-142-0x0000000004CA0000-0x00000000052C8000-memory.dmp

memory/1104-144-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MT1893878746.PDF.IMG.exe.log

MD5 e08f822522c617a40840c62e4b0fb45e
SHA1 ae516dca4da5234be6676d3f234c19ec55725be7
SHA256 bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
SHA512 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

memory/4512-146-0x00000000049D0000-0x00000000049F2000-memory.dmp

memory/4512-147-0x00000000052D0000-0x0000000005336000-memory.dmp

memory/1104-149-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-150-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-151-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-154-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-152-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-153-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-155-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-157-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-159-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-160-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-163-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-165-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-166-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-168-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

memory/3624-169-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

memory/4512-172-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

memory/3844-173-0x0000000000000000-mapping.dmp

memory/4128-174-0x0000000000000000-mapping.dmp

memory/4512-175-0x0000000006090000-0x00000000060C2000-memory.dmp

memory/4512-176-0x0000000070480000-0x00000000704CC000-memory.dmp

memory/4512-177-0x0000000006070000-0x000000000608E000-memory.dmp

memory/4512-178-0x0000000007410000-0x0000000007A8A000-memory.dmp

memory/4512-179-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

memory/4512-180-0x0000000006E30000-0x0000000006E3A000-memory.dmp

memory/4512-181-0x0000000007040000-0x00000000070D6000-memory.dmp

memory/4512-182-0x0000000006FF0000-0x0000000006FFE000-memory.dmp

memory/4512-183-0x0000000007100000-0x000000000711A000-memory.dmp

memory/4512-184-0x00000000070E0000-0x00000000070E8000-memory.dmp

memory/2036-185-0x0000000000000000-mapping.dmp

memory/3984-186-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Temp\tmpB94.tmp

MD5 c404ef61bb974e90226fed749a85be10
SHA1 a5fc044ed24a743355ca48546f716ade8015a975
SHA256 d3e125deee5f28a651cdc01a7d249decffaa0fcb13b42797f21011457f62b66c
SHA512 c6a64b6b2c5a8b534fd0f187d23c4171ed8e652c6d99458324414504f3053b34130581f00129804f04962c3bee0836984b0a924afe2f6c45a9fef0ab966ff894

memory/628-189-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

MD5 b7babb9f64a9ecd894d100ce02f132fe
SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4453f1fdca9ea31e4c83c557ebfc9973
SHA1 e9ab3838564420c1c546dbec5a53cb4157792055
SHA256 376582de6a111e2fdcdd90df19ba1c2c2f21c5cfee933cce78e0273809ffcbf0
SHA512 9a69ea0ab78f3f93eeaf443a798b975fc55fd8f6e34a321437ca098fa1953bd0b1c232b396e46ad2e514e40a3f1971d86056d715d3bf62efa22f4fd56f5033b6

memory/2036-214-0x0000000072650000-0x000000007269C000-memory.dmp