Analysis Overview
SHA256
71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a
Threat Level: Known bad
The file 71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Modifies WinLogon for persistence
Darkcomet
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-29 12:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-29 12:28
Reported
2022-10-29 17:47
Platform
win7-20220812-en
Max time kernel
171s
Max time network
174s
Command Line
Signatures
Imminent RAT
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rundll.exe\\EqJbQm258We6.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempCSGO Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer\\Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1728 set thread context of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"
C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe
"C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe"
C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"
C:\Users\Admin\AppData\Local\TempCSGO Client.exe
"C:\Users\Admin\AppData\Local\TempCSGO Client.exe"
C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe
"C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\792399" "C:\Users\Admin\AppData\Local\Temp\EqJbQm258We6yBaM.exe"
C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\55.bat
C:\Windows\SysWOW64\PING.EXE
ping -n 0127.0.0.1
C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\712281" "C:\Users\Admin\AppData\Roaming\windows.exe"
C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | camz.ddns.net | udp |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-29 12:28
Reported
2022-10-29 17:48
Platform
win10v2004-20220812-en
Max time kernel
171s
Max time network
181s
Command Line
Signatures
Darkcomet
Imminent RAT
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rundll.exe\\ABANdvaOOBCm.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rundll.exe\\WZL4L4Tka7Ea.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempCSGO Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer\\Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3992 set thread context of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe |
| PID 3992 set thread context of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe |
| PID 3744 set thread context of 1932 | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | C:\Users\Admin\AppData\Roaming\windows.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"
C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe
"C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe"
C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"
C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"
C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"
C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
"C:\Users\Admin\AppData\Local\Temp\71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe"
C:\Users\Admin\AppData\Local\TempCSGO Client.exe
"C:\Users\Admin\AppData\Local\TempCSGO Client.exe"
C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe
"C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\711566" "C:\Users\Admin\AppData\Local\Temp\VrLmrukPN4yHtrxA.exe"
C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\93.bat
C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\831808" "C:\Users\Admin\AppData\Roaming\windows.exe"
C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 0127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.252.118.126:80 | | tcp |
| US | 8.253.209.121:80 | | tcp |
| US | 8.8.8.8:53 | camz.ddns.net | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | aoaagoldsocial.no-ip.biz | udp |
memory/1528-148-0x0000000000000000-mapping.dmp
memory/1176-152-0x00007FFC983A0000-0x00007FFC98DD6000-memory.dmp
C:\Users\Admin\AppData\Roaming\windows.exe
| MD5 | ca31b9b62cd0e6d2c306076283058574 |
| SHA1 | 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927 |
| SHA256 | 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b |
| SHA512 | 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191 |
memory/5112-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\windows.exe
| MD5 | ca31b9b62cd0e6d2c306076283058574 |
| SHA1 | 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927 |
| SHA256 | 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b |
| SHA512 | 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191 |
memory/1484-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\BAQ7FbpK9clqyIXL9cJLxzmI9
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\incl1
| MD5 | b8f891833c18f882d28dca0d8bf1edf6 |
| SHA1 | fe2ba906a57c8011d74ed5ab63da5dda5db106d9 |
| SHA256 | 99b15f7e814d394ce70ef6457f6ef67c9aa63d19626b31b9e2d54a0babf0d7a5 |
| SHA512 | a2e0d64a63241b1ec98e50211434af0185fad5486e8c1e2e6fe281779109308742746e5240e713074db77c9f401254bd4a4951bb5845f6738a922ce1dc567c18 |
C:\Users\Admin\AppData\Local\Temp\incl2
| MD5 | 65372a6302983fc206e90a544c61c7c5 |
| SHA1 | 2a9328477ec18ec759fc151e05ce083ccf3e858f |
| SHA256 | f1bf06f9652893c9aa56e9f51045c80842b5d23b653a1c924b2a8b52b210048c |
| SHA512 | 384b16edf39ab2b47ef857c0d40a98ad485c285496a783faf45bca47bfd5d334f0083477fdfacf0f7dc562cdd82281f1ecdad2053a1dba245cf7e937bfc104b2 |
memory/3744-160-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\windows.exe
| MD5 | ca31b9b62cd0e6d2c306076283058574 |
| SHA1 | 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927 |
| SHA256 | 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b |
| SHA512 | 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191 |
C:\Users\Admin\AppData\Local\Temp\831808
| MD5 | ba7ed704ea46ad6efe082e5ff4e373ee |
| SHA1 | f77c50c318e5b65c06ef07b466fbf49fa477fc34 |
| SHA256 | b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30 |
| SHA512 | b6e94cc31608bda8299285d6f58935ed2ccb817faad96d42a6e35db82fa11a97b6e6457ded75550aea7786f522f743b16028ee6723623e0b83fa94f2423859bb |
C:\Users\Admin\AppData\Local\Temp\incl2
| MD5 | 65372a6302983fc206e90a544c61c7c5 |
| SHA1 | 2a9328477ec18ec759fc151e05ce083ccf3e858f |
| SHA256 | f1bf06f9652893c9aa56e9f51045c80842b5d23b653a1c924b2a8b52b210048c |
| SHA512 | 384b16edf39ab2b47ef857c0d40a98ad485c285496a783faf45bca47bfd5d334f0083477fdfacf0f7dc562cdd82281f1ecdad2053a1dba245cf7e937bfc104b2 |
C:\Users\Admin\AppData\Local\Temp\incl1
| MD5 | b8f891833c18f882d28dca0d8bf1edf6 |
| SHA1 | fe2ba906a57c8011d74ed5ab63da5dda5db106d9 |
| SHA256 | 99b15f7e814d394ce70ef6457f6ef67c9aa63d19626b31b9e2d54a0babf0d7a5 |
| SHA512 | a2e0d64a63241b1ec98e50211434af0185fad5486e8c1e2e6fe281779109308742746e5240e713074db77c9f401254bd4a4951bb5845f6738a922ce1dc567c18 |
memory/1932-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\93.bat
| MD5 | 2fb5793b5692e48e0aebe6ac9dfbfdd8 |
| SHA1 | ae3337e63f6e2721221e4f4544f2f8ea3cf5d21d |
| SHA256 | df0a892a9549f47d5910065cf6882fd6843b5582285b85285097fb2f060ee028 |
| SHA512 | dfd762734af28c2f7995b3b9f99fdefbb3fba8938b3a71ee4767eaa703fb0d5a5551a7cad07114d876d2df9be36b4b44867c8b16bda2df72c88190a93c9c6b66 |
memory/4500-167-0x0000000000000000-mapping.dmp
memory/2296-168-0x0000000075360000-0x0000000075911000-memory.dmp
memory/1932-169-0x00000000014B0000-0x0000000001565000-memory.dmp
C:\Users\Admin\AppData\Roaming\windows.exe
| MD5 | ca31b9b62cd0e6d2c306076283058574 |
| SHA1 | 9fb108cc95deff0ca4f75eac7ec4dfa3c363d927 |
| SHA256 | 21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b |
| SHA512 | 84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191 |
memory/1932-171-0x00000000014B0000-0x0000000001565000-memory.dmp
memory/1932-172-0x00000000014B0000-0x0000000001565000-memory.dmp
memory/1932-173-0x00000000014B0000-0x0000000001565000-memory.dmp
memory/1932-174-0x00000000014B0000-0x0000000001565000-memory.dmp