Malware Analysis Report

2024-11-13 15:44

Sample ID 221029-lnn65sbhaj
Target 0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af
SHA256 0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af
Tags
persistence imminent spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af

Threat Level: Known bad

The file 0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af was found to be: Known bad.

Malicious Activity Summary

persistence imminent spyware trojan

Modifies WinLogon for persistence

Imminent RAT

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-29 09:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-29 09:40

Reported

2022-10-29 14:17

Platform

win7-20220812-en

Max time kernel

41s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows.exe\\Syo2B3jb4lVH.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5200310000000000000000001000526f616d696e67003c0008000400efbe00000000000000002a0000000000000000000000000000000000000000000000000052006f0061006d0069006e006700000016000000 C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5e0031000000000000000000120077696e646f77732e65786500440008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000770069006e0064006f00770073002e0065007800650000001a000000 C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A (13 identical events) N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 1908 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe
PID 1736 wrote to memory of 1312 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
PID 1736 wrote to memory of 624 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
PID 1736 wrote to memory of 1324 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
PID 1736 wrote to memory of 1904 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
PID 1736 wrote to memory of 1112 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
PID 1736 wrote to memory of 1116 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
PID 1908 wrote to memory of 1196 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe C:\Users\Admin\AppData\Local\TempCSGO Client.exe
PID 1908 wrote to memory of 388 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe
PID 388 wrote to memory of 576 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 1376 (4 identical events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe

"C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe"

C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

C:\Users\Admin\AppData\Local\TempCSGO Client.exe

"C:\Users\Admin\AppData\Local\TempCSGO Client.exe"

C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe

"C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\892451" "C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\72.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 0127.0.0.1

Network

N/A

Files

memory/1736-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

memory/1736-55-0x0000000074290000-0x000000007483B000-memory.dmp

\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/1908-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/1736-61-0x0000000074290000-0x000000007483B000-memory.dmp

\Users\Admin\AppData\Local\TempCSGO Client.exe

MD5 5f05e7130bc6dc523faa9cf537157af1
SHA1 c63fe5480dbed5a2b0d40426160d5892a8c9130f
SHA256 ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa
SHA512 dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

memory/1196-67-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\TempCSGO Client.exe

MD5 5f05e7130bc6dc523faa9cf537157af1
SHA1 c63fe5480dbed5a2b0d40426160d5892a8c9130f
SHA256 ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa
SHA512 dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/388-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\e4UeAAcAuCLUdI2G.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

C:\Users\Admin\AppData\Local\Temp\892451

MD5 ba7ed704ea46ad6efe082e5ff4e373ee
SHA1 f77c50c318e5b65c06ef07b466fbf49fa477fc34
SHA256 b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30
SHA512 b6e94cc31608bda8299285d6f58935ed2ccb817faad96d42a6e35db82fa11a97b6e6457ded75550aea7786f522f743b16028ee6723623e0b83fa94f2423859bb

memory/1196-70-0x000007FEF33F0000-0x000007FEF3E13000-memory.dmp

memory/1196-77-0x000007FEF2350000-0x000007FEF33E6000-memory.dmp

memory/388-78-0x0000000074201000-0x0000000074203000-memory.dmp

memory/1196-79-0x0000000000BD6000-0x0000000000BF5000-memory.dmp

memory/576-80-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\72.bat

MD5 08d6fee4b0f0fd3df863f9b74c44679d
SHA1 947c8b3c005864a81cd893e440e23022be5a8e6a
SHA256 47047cd6e7375b12b27c858f8a67de7a2ec2c918a1f7110067927e2cda3f8bb1
SHA512 9ac421abca61945d7aea7e5220d301490a2bce17c3b5e3f48cd864468399d914eefd30f6d67af08772fbefaaf54c277be9e89c34795b9c5ac5bde5a4a2adf294

memory/1376-82-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-29 09:40

Reported

2022-10-29 14:18

Platform

win10v2004-20220812-en

Max time kernel

188s

Max time network

190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

Signatures

Imminent RAT

trojan spyware imminent

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows.exe\\LfLQAXQdO57A.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows.exe\\Zx7zFSrGTyRJ.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4760 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe
PID 4760 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe
PID 4760 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe
PID 4760 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
PID 4760 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
PID 4176 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe C:\Users\Admin\AppData\Local\TempCSGO Client.exe
PID 4176 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe
PID 3884 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe

"C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe"

C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

"C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"

C:\Users\Admin\AppData\Local\TempCSGO Client.exe

"C:\Users\Admin\AppData\Local\TempCSGO Client.exe"

C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe

"C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\831626" "C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 0127.0.0.1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
NL 104.80.225.205:443 tcp
IE 13.69.239.73:443 tcp
US 8.8.8.8:53 aoaagold.no-ip.org udp

Files

memory/4760-132-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/4760-133-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/4176-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/4668-137-0x0000000000000000-mapping.dmp

memory/4668-138-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3896-139-0x0000000000000000-mapping.dmp

memory/4668-141-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/3896-142-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/3896-143-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/2540-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\TempCSGO Client.exe

MD5 5f05e7130bc6dc523faa9cf537157af1
SHA1 c63fe5480dbed5a2b0d40426160d5892a8c9130f
SHA256 ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa
SHA512 dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

memory/2540-147-0x00007FF893090000-0x00007FF893AC6000-memory.dmp

memory/3884-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\831626

MD5 ba7ed704ea46ad6efe082e5ff4e373ee
SHA1 f77c50c318e5b65c06ef07b466fbf49fa477fc34
SHA256 b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30
SHA512 b6e94cc31608bda8299285d6f58935ed2ccb817faad96d42a6e35db82fa11a97b6e6457ded75550aea7786f522f743b16028ee6723623e0b83fa94f2423859bb

memory/3648-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\81.bat

MD5 af53a4743e592c6cee1e5e2151651890
SHA1 28bfc771c1c9678f07ddcf80509813fc6437d4e9
SHA256 cd99268267e660f69a13a4fdd1b90d89a5011a7a4a14f85050aa6cb9d081832f
SHA512 de14b10327a4d3dbe9cf0ba194ffa9d76b5a2ea731beaca8842e3cb319eed1fa88462160b0df45b0d1e30d630b201bef5497a632ac980e7f106f7bf0a82ab954

memory/2388-153-0x0000000000000000-mapping.dmp

memory/4668-154-0x0000000074C60000-0x0000000075211000-memory.dmp