Malware Analysis Report

2024-11-13 15:44

Sample ID 221029-pnh7nsgcfp
Target 71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a
SHA256 71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a
Tags
imminent persistence spyware trojan darkcomet rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a

Threat Level: Known bad

The file 71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a was found to be: Known bad.

Malicious Activity Summary

imminent persistence spyware trojan darkcomet rat

Imminent RAT

Modifies WinLogon for persistence

Darkcomet

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-29 12:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-29 12:28

Reported

2022-10-29 17:47

Platform

win7-20220812-en

Max time kernel

171s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"

Signatures

Imminent RAT

trojan spyware imminent

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rundll.exe\\EqJbQm258We6.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer\\Explorer.exe" C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" C:\Users\Admin\AppData\Roaming\windows.exe N/A
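
The two persistence signatures above are the sandbox's record of registry writes; a responder usually wants the same check expressed as code that can be re-run over indicator lines from other reports or over values pulled from a live host. The following is an added example, not part of the sandbox report: it parses indicator strings in exactly the shape printed above, unescapes the JSON-style quoting, and raises a finding for any Winlogon\Shell entry other than the Windows default (explorer.exe, mapped to ATT&CK T1547.004) and for every Run value (T1547.001), marking whether the target lives in a user-writable directory. The technique IDs and the user-writable directory list are the editor's choices, not the report's. Note that the Shell value names a file under Roaming\Rundll.exe\ that the behavioral1 Files section does not record, so on this run the entry may point at nothing; the detector flags the registry change itself, because that is the persistence attempt.

```python
"""Triage sandbox 'Set value (str)' registry indicators for logon persistence.

Added example, not part of the sandbox report.
"""
import csv
import re
from dataclasses import dataclass

# Constructed sample input: the three indicator strings from the behavioral1
# signatures above, copied as the sandbox printed them (JSON-style escaping).
SAMPLE_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rundll.exe\\EqJbQm258We6.exe\",explorer.exe"',
    r'\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer\\Explorer.exe"',
    r'\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe"',
]

# Directories a standard user can write to (editor's list, not the report's).
# An autostart entry pointing here deserves a closer look than one under
# Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# One indicator line: <key path>\<value name> = "<escaped data>"
_LINE_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<value>.*)"$')


@dataclass
class Finding:
    value_name: str         # e.g. 'Winlogon\\Shell' or 'Run\\rundll'
    technique: str          # ATT&CK sub-technique ID
    executables: list[str]  # what will start at logon
    user_writable: bool     # any executable lives in a user-writable directory


def _unescape(value: str) -> str:
    """Undo the sandbox's JSON-style escaping of the registry data."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def _split_shell(value: str) -> list[str]:
    """Winlogon Shell holds a comma-separated program list; entries may be quoted."""
    return [entry.strip() for entry in next(csv.reader([value]))]


def _exe_from_command(command: str) -> str:
    """First token of a command line with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def _is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage_indicators(lines: list[str]) -> list[Finding]:
    """Return one Finding per autostart entry that is not the Windows default."""
    findings: list[Finding] = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, name, value = m.group("key").lower(), m.group("name"), _unescape(m.group("value"))
        if key.endswith("\\winlogon") and name.lower() == "shell":
            # The default Shell is exactly "explorer.exe"; anything extra runs at logon.
            extra = [e for e in _split_shell(value) if e.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding("Winlogon\\Shell", "T1547.004", extra,
                                        any(_is_user_writable(e) for e in extra)))
        elif key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            exe = _exe_from_command(value)
            findings.append(Finding("Run\\" + name, "T1547.001", [exe], _is_user_writable(exe)))
    return findings


if __name__ == "__main__":
    for f in triage_indicators(SAMPLE_INDICATORS):
        print(f.technique, f.value_name, f.executables, "user-writable" if f.user_writable else "")
```

On the three lines above this yields one Winlogon finding (the quoted Rundll.exe\EqJbQm258We6.exe path prepended to explorer.exe) and two Run findings (Explorer.exe and windows.exe under Roaming), all in user-writable locations. The same function can be fed HKCU values exported from a suspect host, as long as they are written in the sandbox's "key\name = "data"" form.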

AutoIT Executable

Description Indicator Process Target Hits
N/A N/A N/A N/A 15

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe N/A 43
N/A N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A 21

Suspicious use of SendNotifyMessage

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe N/A 43
N/A N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A 21

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1728 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe 4
PID 1728 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe 5
PID 1908 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe C:\Users\Admin\AppData\Local\TempCSGO Client.exe 4
PID 1908 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe 4
PID 1708 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe C:\Users\Admin\AppData\Roaming\windows.exe 4
PID 1708 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1180 wrote to memory of 1384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 4
PID 1912 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\windows.exe C:\Users\Admin\AppData\Roaming\windows.exe 4
PID 1728 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe 4
PID 524 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Roaming\windows.exe C:\Users\Admin\AppData\Roaming\windows.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe

"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"

C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

"C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe"

C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe

"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"

C:\Users\Admin\AppData\Local\TempCSGO Client.exe

"C:\Users\Admin\AppData\Local\TempCSGO Client.exe"

C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

"C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\792399" "C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe"

C:\Users\Admin\AppData\Roaming\windows.exe

"C:\Users\Admin\AppData\Roaming\windows.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\55.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 0127.0.0.1

C:\Users\Admin\AppData\Roaming\windows.exe

"C:\Users\Admin\AppData\Roaming\windows.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\712281" "C:\Users\Admin\AppData\Roaming\windows.exe"

C:\Users\Admin\AppData\Roaming\windows.exe

"C:\Users\Admin\AppData\Roaming\windows.exe"
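
The Processes list and the WriteProcessMemory rows together describe the execution chain, but the sandbox prints them as flat lists with one row per API call. The following is an added example, not part of the sandbox report: it parses rows in the "PID A wrote to memory of B" shape, collapses repeats per parent/child pair, rebuilds the tree, and tags the hops a responder would look at first (an AutoIt stub re-running a dropped script, a batch file launched through cmd, ping -n used as a delay, and a parent writing into a fresh copy of its own image). The mapping of PIDs to the command lines above is an assumption: it relies on the sandbox listing processes in creation order, which matches the order in which child PIDs first appear in the rows; the tag names are the editor's.

```python
"""Rebuild the behavioral1 process tree from 'PID A wrote to memory of B' rows.

Added example, not part of the sandbox report.
"""
import re
from collections import Counter, defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = T + r"\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"
DROPPED = T + r"\EqJbQm258We6yBaM.exe"
CSGO = T + "CSGO Client.exe"          # logged without a separator, exactly as above
WINDOWS = R + r"\windows.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PING = r"C:\Windows\SysWOW64\PING.EXE"


def _rows(ppid, cpid, parent, child, n):
    return [f"PID {ppid} wrote to memory of {cpid} N/A {parent} {child}"] * n


# Constructed sample input: the WriteProcessMemory rows above, with the same
# repeat counts the sandbox printed.
WRITE_ROWS = (
    _rows(1728, 1908, SAMPLE, DROPPED, 4) + _rows(1728, 1312, SAMPLE, SAMPLE, 5)
    + _rows(1908, 1116, DROPPED, CSGO, 4) + _rows(1908, 1708, DROPPED, DROPPED, 4)
    + _rows(1708, 1912, DROPPED, WINDOWS, 4) + _rows(1708, 1180, DROPPED, CMD, 4)
    + _rows(1180, 1384, CMD, PING, 4) + _rows(1912, 524, WINDOWS, WINDOWS, 4)
    + _rows(1728, 1312, SAMPLE, SAMPLE, 4) + _rows(524, 2004, WINDOWS, WINDOWS, 4)
)

# Command lines from the Processes section. The PID mapping is an assumption:
# the sandbox lists processes in creation order, which matches the order in
# which child PIDs first appear in the rows above.
COMMAND_LINES = {
    1728: f'"{SAMPLE}"',
    1908: f'"{DROPPED}"',
    1312: f'"{SAMPLE}"',
    1116: f'"{CSGO}"',
    1708: f'"{DROPPED}" /AutoIt3ExecuteScript "{T}\\792399" "{DROPPED}"',
    1912: f'"{WINDOWS}"',
    1180: f"cmd /c {T}\\55.bat",
    1384: "ping -n 0127.0.0.1",
    524: f'"{WINDOWS}" /AutoIt3ExecuteScript "{T}\\712281" "{WINDOWS}"',
    2004: f'"{WINDOWS}"',
}

# Target column always starts with a drive letter, which disambiguates paths with spaces.
_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (?P<parent>.+?) (?P<child>C:\\.+)$")


def parse_rows(rows):
    """Return (Counter of (ppid, cpid) -> write count, pid -> image path)."""
    edges, images = Counter(), {}
    for row in rows:
        m = _ROW.match(row)
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges[(ppid, cpid)] += 1
        images[ppid] = m.group("parent")
        images[cpid] = m.group("child")
    return edges, images


def build_tree(edges):
    """Children per parent in first-seen order, plus the root PIDs."""
    children = defaultdict(list)
    for ppid, cpid in edges:          # Counter keeps insertion order
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    return roots, dict(children)


def flags(pid, ppid, images, cmdlines):
    """Triage hints for one process; each is a pattern visible in this report."""
    tags, cmd = [], cmdlines.get(pid, "")
    if "/AutoIt3ExecuteScript" in cmd:
        tags.append("autoit-script")       # compiled AutoIt stub running a dropped script
    if cmd.lower().startswith("cmd /c") and cmd.lower().endswith(".bat"):
        tags.append("batch-via-cmd")
    if images.get(pid, "").lower().endswith("ping.exe") and " -n " in cmd:
        tags.append("ping-sleep")          # ping -n as a delay loop inside the batch
    if ppid is not None and images.get(pid) == images.get(ppid):
        # Parent writing into a fresh copy of its own image. With the
        # SetThreadContext signature above this is the classic hollowing
        # pattern, but AutoIt's own /AutoIt3ExecuteScript re-launch matches
        # too, so it is a hint, not a verdict.
        tags.append("self-image-child")
    return tags


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def render(roots, children, images, cmdlines, edges):
    """Indented tree, one line per process, with write counts and flags."""
    lines = []

    def walk(pid, ppid, depth):
        tags = flags(pid, ppid, images, cmdlines)
        suffix = f" writes={edges[(ppid, pid)]}" if ppid is not None else ""
        if tags:
            suffix += " [" + ",".join(tags) + "]"
        lines.append("  " * depth + f"{pid} {_basename(images[pid])}{suffix}")
        for child in children.get(pid, []):
            walk(child, pid, depth + 1)

    for root in roots:
        walk(root, None, 0)
    return lines


if __name__ == "__main__":
    edges, images = parse_rows(WRITE_ROWS)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, images, COMMAND_LINES, edges)))
```

The rendered tree makes two things visible that the flat lists hide. PID 1728 writes nine times into PID 1312, a second copy of the sample started without arguments; together with the memory/1312 dumps of 0x400000-0x44A000 and the SetThreadContext signature in the summary, that is consistent with the dropper hollowing a copy of itself. The 1908 -> 1708 and 1912 -> 524 hops are the AutoIt stub re-executing itself with /AutoIt3ExecuteScript on the dropped script files 792399 and 712281, and 1708 -> cmd -> PING.EXE is the batch-file delay that precedes the copy to Roaming\windows.exe.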

Network

Country Destination Domain Proto
US 8.8.8.8:53 camz.ddns.net udp

Files

memory/1728-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

memory/1728-55-0x0000000074290000-0x000000007483B000-memory.dmp

\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/1908-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/1312-59-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1312-60-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

\Users\Admin\AppData\Local\TempCSGO Client.exe

MD5 5f05e7130bc6dc523faa9cf537157af1
SHA1 c63fe5480dbed5a2b0d40426160d5892a8c9130f
SHA256 ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa
SHA512 dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

memory/1116-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\TempCSGO Client.exe

MD5 5f05e7130bc6dc523faa9cf537157af1
SHA1 c63fe5480dbed5a2b0d40426160d5892a8c9130f
SHA256 ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa
SHA512 dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

memory/1728-73-0x0000000074290000-0x000000007483B000-memory.dmp

memory/1116-72-0x000007FEF33F0000-0x000007FEF3E13000-memory.dmp

\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/1708-76-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\792399

MD5 ba7ed704ea46ad6efe082e5ff4e373ee
SHA1 f77c50c318e5b65c06ef07b466fbf49fa477fc34
SHA256 b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30
SHA512 b6e94cc31608bda8299285d6f58935ed2ccb817faad96d42a6e35db82fa11a97b6e6457ded75550aea7786f522f743b16028ee6723623e0b83fa94f2423859bb

\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

C:\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/1912-84-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

C:\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

C:\Users\Admin\AppData\Local\Temp\BAQ7FbpK9clqyIXL9cJLxzmI9

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/1180-90-0x0000000000000000-mapping.dmp

memory/1384-92-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\55.bat

MD5 69af552a021c6429c5f9000313a3ed79
SHA1 bb4f1f89c22a765d1d788e56927ba4bf4e8f6ecc
SHA256 08d85fc24cb4d70ec500c1507f6f7389cdcaf07082f6383b1aa72f9b8ca1f29c
SHA512 85a3c43fa90ab7d1462522762809e44ebdaafecda8dbd90d22bc6575bb9854f2691ee9da97bb1ddb9815a3c31905be5bdc1d50ac618501c637f220fa4477aed9

memory/1116-89-0x000007FEF2350000-0x000007FEF33E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\incl2

MD5 65372a6302983fc206e90a544c61c7c5
SHA1 2a9328477ec18ec759fc151e05ce083ccf3e858f
SHA256 f1bf06f9652893c9aa56e9f51045c80842b5d23b653a1c924b2a8b52b210048c
SHA512 384b16edf39ab2b47ef857c0d40a98ad485c285496a783faf45bca47bfd5d334f0083477fdfacf0f7dc562cdd82281f1ecdad2053a1dba245cf7e937bfc104b2

C:\Users\Admin\AppData\Local\Temp\incl1

MD5 b8f891833c18f882d28dca0d8bf1edf6
SHA1 fe2ba906a57c8011d74ed5ab63da5dda5db106d9
SHA256 99b15f7e814d394ce70ef6457f6ef67c9aa63d19626b31b9e2d54a0babf0d7a5
SHA512 a2e0d64a63241b1ec98e50211434af0185fad5486e8c1e2e6fe281779109308742746e5240e713074db77c9f401254bd4a4951bb5845f6738a922ce1dc567c18

C:\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/1312-100-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1312-97-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\712281

MD5 ba7ed704ea46ad6efe082e5ff4e373ee
SHA1 f77c50c318e5b65c06ef07b466fbf49fa477fc34
SHA256 b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30
SHA512 b6e94cc31608bda8299285d6f58935ed2ccb817faad96d42a6e35db82fa11a97b6e6457ded75550aea7786f522f743b16028ee6723623e0b83fa94f2423859bb

memory/1312-101-0x0000000000400000-0x000000000044A000-memory.dmp

memory/524-96-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/1116-103-0x0000000000B36000-0x0000000000B55000-memory.dmp

memory/1312-104-0x0000000000444BFE-mapping.dmp

memory/1312-108-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1312-106-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\incl1

MD5 b8f891833c18f882d28dca0d8bf1edf6
SHA1 fe2ba906a57c8011d74ed5ab63da5dda5db106d9
SHA256 99b15f7e814d394ce70ef6457f6ef67c9aa63d19626b31b9e2d54a0babf0d7a5
SHA512 a2e0d64a63241b1ec98e50211434af0185fad5486e8c1e2e6fe281779109308742746e5240e713074db77c9f401254bd4a4951bb5845f6738a922ce1dc567c18

C:\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/1312-112-0x0000000074290000-0x000000007483B000-memory.dmp

memory/1312-113-0x0000000074290000-0x000000007483B000-memory.dmp
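
The Files section repeats an entry for every write and logs some paths with and some without a drive letter, which hides the relationships a responder cares about: which dropped names are the same bytes, how many times each was written, and which entries are empty placeholders. The following is an added example, not part of the sandbox report. It parses entries in the path-then-hash-lines shape used above and groups them by SHA256. The sample text is a constructed subset of the behavioral1 entries with only the MD5 and SHA256 lines kept (the parser accepts SHA1 and SHA512 lines as well); the hashes are copied verbatim from this report. Treating a path that starts with a bare backslash as living on C: is an assumption, stated in the code.

```python
"""Group the Files section by SHA256 to see which dropped names are one binary.

Added example, not part of the sandbox report.
"""
import re
from collections import defaultdict

# SHA256 of zero bytes: an entry with this digest is an empty file.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed sample input: a subset of the Files entries above, MD5 and
# SHA256 lines only, hashes copied verbatim from this report.
FILES_TEXT = r"""
\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

memory/1908-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

C:\Users\Admin\AppData\Local\Temp\792399

MD5 ba7ed704ea46ad6efe082e5ff4e373ee
SHA256 b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30

\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

C:\Users\Admin\AppData\Local\Temp\BAQ7FbpK9clqyIXL9cJLxzmI9

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Temp\712281

MD5 ba7ed704ea46ad6efe082e5ff4e373ee
SHA256 b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30

C:\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
"""

_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")


def parse_files(text):
    """Return [(path, {algo: hexdigest}), ...]; memory dump lines are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _HASH_RE.match(line)
        if m:
            if current is not None:
                current[1][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = (line, {})
            entries.append(current)
    return [e for e in entries if e[1]]


def normalize(path):
    """Some writes are logged without a drive letter. Assumption: they are on C:,
    so both spellings of one file collapse to a single lowercase path."""
    return ("C:" + path if path.startswith("\\") else path).lower()


def group_by_sha256(entries):
    """sha256 -> {'paths': distinct normalized paths, 'writes': entry count}."""
    groups = defaultdict(lambda: {"paths": [], "writes": 0})
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if sha is None:
            continue
        group = groups[sha]
        group["writes"] += 1
        norm = normalize(path)
        if norm not in group["paths"]:
            group["paths"].append(norm)
    return dict(groups)


def aliases(groups):
    """Digests seen under more than one path: the same bytes under different names."""
    return {sha: g["paths"] for sha, g in groups.items() if len(g["paths"]) > 1}


def empty_files(groups):
    return groups.get(EMPTY_SHA256, {"paths": []})["paths"]


if __name__ == "__main__":
    groups = group_by_sha256(parse_files(FILES_TEXT))
    for sha, paths in aliases(groups).items():
        print(sha[:12], "written", groups[sha]["writes"], "times as", paths)
    print("empty:", empty_files(groups))
```

Run over the sample this reports two aliases: the dropped EqJbQm258We6yBaM.exe and Roaming\windows.exe share one SHA256 (the AutoIt stub is simply copied to its persistence location), and Temp\792399 and Temp\712281 share another (the same embedded script re-extracted under a new random name by each stub). The BAQ7FbpK9clqyIXL9cJLxzmI9 entry hashes to the empty file, so it is a marker or placeholder rather than a payload.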

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-29 12:28

Reported

2022-10-29 17:48

Platform

win10v2004-20220812-en

Max time kernel

171s

Max time network

181s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"

Signatures

Darkcomet

trojan rat darkcomet

Imminent RAT

trojan spyware imminent

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rundll.exe\\ABANdvaOOBCm.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rundll.exe\\WZL4L4Tka7Ea.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\windows.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer\\Explorer.exe" C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" C:\Users\Admin\AppData\Roaming\windows.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A

AutoIT Executable

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Roaming\windows.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe
PID 3992 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
PID 3992 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
PID 3992 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
PID 3992 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
PID 2828 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe C:\Users\Admin\AppData\Local\TempCSGO Client.exe
PID 2828 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe
PID 1528 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe C:\Users\Admin\AppData\Roaming\windows.exe
PID 1528 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Roaming\windows.exe C:\Users\Admin\AppData\Roaming\windows.exe
PID 3744 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\windows.exe C:\Users\Admin\AppData\Roaming\windows.exe
PID 5112 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe

"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"

C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe

"C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe"

C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe

"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"

C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe

"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"

C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe

"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"

C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe

"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"

C:\Users\Admin\AppData\Local\TempCSGO Client.exe

"C:\Users\Admin\AppData\Local\TempCSGO Client.exe"

C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe

"C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\711566" "C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe"

C:\Users\Admin\AppData\Roaming\windows.exe

"C:\Users\Admin\AppData\Roaming\windows.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\93.bat

C:\Users\Admin\AppData\Roaming\windows.exe

"C:\Users\Admin\AppData\Roaming\windows.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\831808" "C:\Users\Admin\AppData\Roaming\windows.exe"

C:\Users\Admin\AppData\Roaming\windows.exe

"C:\Users\Admin\AppData\Roaming\windows.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 0127.0.0.1

Network

Country Destination Domain Proto
US 8.252.118.126:80 tcp
US 8.253.209.121:80 tcp
US 8.8.8.8:53 camz.ddns.net udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 aoaagoldsocial.no-ip.biz udp

Files

memory/3992-132-0x0000000075360000-0x0000000075911000-memory.dmp

memory/2828-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/3992-136-0x0000000075360000-0x0000000075911000-memory.dmp

memory/544-137-0x0000000000000000-mapping.dmp

memory/3704-138-0x0000000000000000-mapping.dmp

memory/2296-140-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2296-139-0x0000000000000000-mapping.dmp

memory/3844-141-0x0000000000000000-mapping.dmp

memory/1176-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\TempCSGO Client.exe

MD5 5f05e7130bc6dc523faa9cf537157af1
SHA1 c63fe5480dbed5a2b0d40426160d5892a8c9130f
SHA256 ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa
SHA512 dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

memory/2296-146-0x0000000075360000-0x0000000075911000-memory.dmp

memory/3844-147-0x0000000075360000-0x0000000075911000-memory.dmp

memory/3844-150-0x0000000075360000-0x0000000075911000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\711566

MD5 ba7ed704ea46ad6efe082e5ff4e373ee
SHA1 f77c50c318e5b65c06ef07b466fbf49fa477fc34
SHA256 b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30
SHA512 b6e94cc31608bda8299285d6f58935ed2ccb817faad96d42a6e35db82fa11a97b6e6457ded75550aea7786f522f743b16028ee6723623e0b83fa94f2423859bb

memory/1528-148-0x0000000000000000-mapping.dmp

memory/1176-152-0x00007FFC983A0000-0x00007FFC98DD6000-memory.dmp

C:\Users\Admin\AppData\Roaming\windows.exe

MD5 ca31b9b62cd0e6d2c306076283058574
SHA1 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927
SHA256 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b
SHA512 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

memory/5112-156-0x0000000000000000-mapping.dmp

memory/1484-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BAQ7FbpK9clqyIXL9cJLxzmI9

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\incl1

MD5 b8f891833c18f882d28dca0d8bf1edf6
SHA1 fe2ba906a57c8011d74ed5ab63da5dda5db106d9
SHA256 99b15f7e814d394ce70ef6457f6ef67c9aa63d19626b31b9e2d54a0babf0d7a5
SHA512 a2e0d64a63241b1ec98e50211434af0185fad5486e8c1e2e6fe281779109308742746e5240e713074db77c9f401254bd4a4951bb5845f6738a922ce1dc567c18

C:\Users\Admin\AppData\Local\Temp\incl2

MD5 65372a6302983fc206e90a544c61c7c5
SHA1 2a9328477ec18ec759fc151e05ce083ccf3e858f
SHA256 f1bf06f9652893c9aa56e9f51045c80842b5d23b653a1c924b2a8b52b210048c
SHA512 384b16edf39ab2b47ef857c0d40a98ad485c285496a783faf45bca47bfd5d334f0083477fdfacf0f7dc562cdd82281f1ecdad2053a1dba245cf7e937bfc104b2

memory/3744-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\831808

MD5 ba7ed704ea46ad6efe082e5ff4e373ee
SHA1 f77c50c318e5b65c06ef07b466fbf49fa477fc34
SHA256 b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30
SHA512 b6e94cc31608bda8299285d6f58935ed2ccb817faad96d42a6e35db82fa11a97b6e6457ded75550aea7786f522f743b16028ee6723623e0b83fa94f2423859bb

memory/1932-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\93.bat

MD5 2fb5793b5692e48e0aebe6ac9dfbfdd8
SHA1 ae3337e63f6e2721221e4f4544f2f8ea3cf5d21d
SHA256 df0a892a9549f47d5910065cf6882fd6843b5582285b85285097fb2f060ee028
SHA512 dfd762734af28c2f7995b3b9f99fdefbb3fba8938b3a71ee4767eaa703fb0d5a5551a7cad07114d876d2df9be36b4b44867c8b16bda2df72c88190a93c9c6b66

memory/4500-167-0x0000000000000000-mapping.dmp

memory/2296-168-0x0000000075360000-0x0000000075911000-memory.dmp

memory/1932-169-0x00000000014B0000-0x0000000001565000-memory.dmp

memory/1932-171-0x00000000014B0000-0x0000000001565000-memory.dmp

memory/1932-172-0x00000000014B0000-0x0000000001565000-memory.dmp

memory/1932-173-0x00000000014B0000-0x0000000001565000-memory.dmp

memory/1932-174-0x00000000014B0000-0x0000000001565000-memory.dmp