Malware Analysis Report

2024-11-13 15:44

Sample ID: 221029-qqw2zshhfj
Target: 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
SHA256: 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
Tags: imminent persistence spyware trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951 was found to be: Known bad.

Malicious Activity Summary

Imminent RAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2022-10-29 13:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-29 13:28
Reported: 2022-10-29 19:05
Platform: win7-20220812-en
Max time kernel: 152s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleAps = "C:\\Users\\Admin\\AppData\\Roaming\\Aplication\\setup.exe" C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleAps = "\\Aplication\\setup.exe" C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 364 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Windows\SysWOW64\schtasks.exe
PID 364 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe
PID 1528 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe
PID 1528 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1120 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Windows\SysWOW64\schtasks.exe
PID 1120 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\aDDDDD.xml"

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\a_____.xml"

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dupa.duckdns.org udp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\aDDDDD.xml

\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

C:\Users\Admin\AppData\Local\Temp\chrome.exe

C:\Users\Admin\AppData\Local\Temp\a_____.xml

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-29 13:28
Reported: 2022-10-29 19:05
Platform: win10v2004-20220812-en
Max time kernel: 154s
Max time network: 166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleAps = "C:\\Users\\Admin\\AppData\\Roaming\\Aplication\\setup.exe" C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleAps = "\\Aplication\\setup.exe" C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Windows\SysWOW64\schtasks.exe
PID 4284 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe
PID 4412 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe
PID 4412 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1952 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Windows\SysWOW64\schtasks.exe
PID 1952 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe
PID 1952 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\aFFFFF.xml"

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\ajjjjj.xml"

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

"C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"
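The process list above shows three behaviours a detection engineer would want to catch: schtasks.exe registering a task from an XML file in the user's Temp directory (twice, once per copy of the sample), the sample launching a second instance of its own image (consistent with the SetThreadContext and WriteProcessMemory signatures), and cmd.exe running ping as a one-second delay before deleting the original executable. The Python below is an added example, not part of the sandbox report: it re-creates those command lines as constructed process-creation events (the PIDs are the ones in the report's memory-dump names; the parent/child layout is assumed, since the report does not print a process tree) and flags each pattern. The rule names are assumptions for the example.

```python
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
# The report shows a second copy inside a subfolder named after the sample.
COPY_PATH = TEMP + "\\" + SAMPLE[:-4] + "\\" + SAMPLE


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events mirroring the report's Processes list.
# PIDs come from the report's memory-dump names; the parent PIDs are assumed.
EVENTS = [
    ProcEvent(4284, 1000, SAMPLE_PATH, '"%s"' % SAMPLE_PATH),
    ProcEvent(4332, 4284, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "'
              + TEMP + r'\aFFFFF.xml"'),
    ProcEvent(4412, 4284, SAMPLE_PATH, '"%s"' % SAMPLE_PATH),
    ProcEvent(1952, 4412, COPY_PATH, '"%s"' % COPY_PATH),
    ProcEvent(1348, 4412, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "'
              + SAMPLE_PATH + '"'),
    ProcEvent(4324, 1348, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 1000"),
    ProcEvent(4716, 1952, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "'
              + TEMP + r'\ajjjjj.xml"'),
    ProcEvent(2628, 1952, COPY_PATH, '"%s"' % COPY_PATH),
]

# schtasks /Create ... /XML "<path>": capture the XML path (quoted or not).
SCHTASKS_XML = re.compile(r'/create\b.*?/xml\s+"?([^"]+?)"?\s*$', re.I)
# cmd.exe "ping ... & del <path>": capture the file being deleted after the delay.
PING_THEN_DEL = re.compile(r'\bping\b.*?&\s*del\s+"?([^"]+?)"?\s*$', re.I)
USER_TEMP = re.compile(r'\\appdata\\local\\temp\\', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, rule) findings for the three patterns seen in this report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # A process whose image equals its parent's image: the sample started a
        # fresh copy of itself, the usual host for SetThreadContext injection.
        if parent and parent.image.lower() == e.image.lower():
            findings.append((e.pid, "spawned_copy_of_itself"))
        # Scheduled task registered from a task XML dropped into the user's Temp.
        if basename(e.image) == "schtasks.exe":
            m = SCHTASKS_XML.search(e.cmdline)
            if m and USER_TEMP.search(m.group(1)):
                findings.append((e.pid, "schtasks_xml_from_temp"))
        # ping-as-sleep followed by deletion of the parent's own executable.
        if basename(e.image) == "cmd.exe":
            m = PING_THEN_DEL.search(e.cmdline)
            if m and parent and m.group(1).lower() == parent.image.lower():
                findings.append((e.pid, "self_delete_via_ping"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(pid, rule)
```

The self-deletion rule deliberately requires the deleted path to equal the parent's image; a cmd.exe that deletes an unrelated file after a ping is noisy (installers do it), whereas a process arranging the removal of the binary that spawned it is the pattern worth alerting on.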

Network

Country Destination Domain Proto
NL 95.101.78.82:80 - tcp
US 209.197.3.8:80 - tcp
US 20.42.65.85:443 - tcp
US 209.197.3.8:80 - tcp
US 209.197.3.8:80 - tcp
US 209.197.3.8:80 - tcp
US 8.8.8.8:53 dupa.duckdns.org udp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp
US 8.8.8.8:53 dupa.duckdns.org udp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp
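The only traffic the report attributes to a domain is two DNS lookups of dupa.duckdns.org followed by repeated TCP connections to 46.36.36.115:64156, a dynamic-DNS name on a high port, which is the Imminent RAT command-and-control channel in this detonation. The script below is an added example, not part of the report: it parses the table rows above (copied in as a constructed string), collapses repeats into connection counts, and separates DDNS lookups from the connections worth treating as C2 indicators. The DDNS suffix list and the set of ports treated as common are assumptions for the example.

```python
from collections import Counter

# Rows copied from the report's Network table; the domain column is empty
# where the report attributes no domain to the connection.
NETWORK_TABLE = """\
NL 95.101.78.82:80 tcp
US 209.197.3.8:80 tcp
US 20.42.65.85:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 dupa.duckdns.org udp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp
US 8.8.8.8:53 dupa.duckdns.org udp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp
CZ 46.36.36.115:64156 dupa.duckdns.org tcp
"""

# Assumed list of dynamic-DNS providers frequently used for RAT C2 names.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org")
# Assumed set of ports on which outbound TCP is not by itself suspicious.
COMMON_PORTS = {80, 443, 53}


def parse_rows(text):
    """Parse 'Country ip:port [domain] proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_ddns(domain):
    return bool(domain) and domain.endswith(DDNS_SUFFIXES)


def triage(text):
    """Split the table into DDNS lookups and C2-candidate connections."""
    rows = parse_rows(text)
    lookups = Counter(r["domain"] for r in rows
                      if r["proto"] == "udp" and r["port"] == 53 and is_ddns(r["domain"]))
    conns = Counter((r["ip"], r["port"], r["domain"]) for r in rows
                    if not (r["proto"] == "udp" and r["port"] == 53))
    candidates = []
    for (ip, port, domain), n in sorted(conns.items()):
        reasons = []
        if is_ddns(domain):
            reasons.append("dynamic-dns")
        if port not in COMMON_PORTS:
            reasons.append("non-standard port")
        if reasons:
            candidates.append({"indicator": "%s:%d" % (ip, port), "domain": domain,
                               "connections": n, "reasons": reasons})
    return {"ddns_lookups": sorted(lookups.items()), "c2_candidates": candidates}


if __name__ == "__main__":
    result = triage(NETWORK_TABLE)
    for domain, n in result["ddns_lookups"]:
        print("DDNS lookup", domain, "x%d" % n)
    for c in result["c2_candidates"]:
        print("C2 candidate", c["indicator"], c["domain"], c["connections"], c["reasons"])
```

The connections to 209.197.3.8, 95.101.78.82 and 20.42.65.85 on ports 80 and 443 carry no attributed domain and fall on common ports, so the script leaves them unflagged rather than guessing at what they are; the resolver at 8.8.8.8 is reported as the target of the lookups, not as an indicator.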

Files

memory/4284-132-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/4284-133-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/4332-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\aFFFFF.xml

MD5 edf66591eebdc49a91897516ab9c7cc3
SHA1 d2f119368668a3604ebbd628d31fbef39499495c
SHA256 ac6c76420cb4d4f8501b22992b22a082f491dd886acdb67ee4b6caf101670680
SHA512 4c3c1729d3347fb9abf9f8e63beaab1faeff26cd130ee823dd26403efa3fc9072f0f86f5cae27e8db2761f32f525c43fa05875eea659209c2ea3826737568773

memory/4412-136-0x0000000000000000-mapping.dmp

memory/4412-137-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4412-139-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4412-138-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe.log

MD5 6dba4702b346903da02f7dd9e839a128
SHA1 d69f255866f30a87c9eca8312d425c47059bf15e
SHA256 29d145faac0201870c39b9119894f78694a776e03fc8f79349bdf92e56a65bcd
SHA512 33afef187e806838717238881aaaf41272f8b484fcfe97a85057fd43a7eeb119df813d6023d2ee770aa22a067f7e9d532dd1c30b512f9c48b76f838615863e1d

memory/4284-142-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/4412-143-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/1952-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

MD5 e7a8565db3b57e68f5fa8699c797c4e3
SHA1 9832f0de7c47f7de7b905f4fdf50fc3d5a2c3119
SHA256 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
SHA512 26df63c9dfe7cfdf2c7dd1412057ced7db22d11cf6f3c133055225b2481278615e4d3f649816836ae1d17abac5e2ded73d88402f51a2ddd97211fd185d9d1156

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

MD5 e7a8565db3b57e68f5fa8699c797c4e3
SHA1 9832f0de7c47f7de7b905f4fdf50fc3d5a2c3119
SHA256 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
SHA512 26df63c9dfe7cfdf2c7dd1412057ced7db22d11cf6f3c133055225b2481278615e4d3f649816836ae1d17abac5e2ded73d88402f51a2ddd97211fd185d9d1156

memory/1348-147-0x0000000000000000-mapping.dmp

memory/4412-148-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/4324-149-0x0000000000000000-mapping.dmp

memory/1952-150-0x0000000074880000-0x0000000074E31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome.exe

MD5 e7a8565db3b57e68f5fa8699c797c4e3
SHA1 9832f0de7c47f7de7b905f4fdf50fc3d5a2c3119
SHA256 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
SHA512 26df63c9dfe7cfdf2c7dd1412057ced7db22d11cf6f3c133055225b2481278615e4d3f649816836ae1d17abac5e2ded73d88402f51a2ddd97211fd185d9d1156

memory/4716-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ajjjjj.xml

MD5 edf66591eebdc49a91897516ab9c7cc3
SHA1 d2f119368668a3604ebbd628d31fbef39499495c
SHA256 ac6c76420cb4d4f8501b22992b22a082f491dd886acdb67ee4b6caf101670680
SHA512 4c3c1729d3347fb9abf9f8e63beaab1faeff26cd130ee823dd26403efa3fc9072f0f86f5cae27e8db2761f32f525c43fa05875eea659209c2ea3826737568773

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

MD5 e7a8565db3b57e68f5fa8699c797c4e3
SHA1 9832f0de7c47f7de7b905f4fdf50fc3d5a2c3119
SHA256 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
SHA512 26df63c9dfe7cfdf2c7dd1412057ced7db22d11cf6f3c133055225b2481278615e4d3f649816836ae1d17abac5e2ded73d88402f51a2ddd97211fd185d9d1156

memory/2628-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe

MD5 e7a8565db3b57e68f5fa8699c797c4e3
SHA1 9832f0de7c47f7de7b905f4fdf50fc3d5a2c3119
SHA256 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
SHA512 26df63c9dfe7cfdf2c7dd1412057ced7db22d11cf6f3c133055225b2481278615e4d3f649816836ae1d17abac5e2ded73d88402f51a2ddd97211fd185d9d1156

memory/1952-161-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/2628-162-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/2628-163-0x0000000074880000-0x0000000074E31000-memory.dmp
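The Files section lists the same SHA256 under several paths: the sample written into a same-named subfolder of Temp (listed four times), a copy named chrome.exe, and two scheduled-task XML files (aFFFFF.xml and ajjjjj.xml) with identical hashes, i.e. the same task definition registered once from each copy. The Python below is an added example, not part of the report: it parses the dropped-file entries above (copied in as a constructed string without the SHA512 lines, which the parser still accepts), groups them by SHA256, and flags copies of the sample under other names as well as any content written to more than one path. The rule names are assumptions for the example.

```python
from collections import defaultdict

SAMPLE_NAME = "9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe"
SAMPLE_SHA256 = SAMPLE_NAME[:-4]

# Dropped-file entries copied from the report's Files section (memory dumps
# and SHA512 lines omitted; the report separates entries with blank lines,
# which the parser ignores).
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\aFFFFF.xml
MD5 edf66591eebdc49a91897516ab9c7cc3
SHA1 d2f119368668a3604ebbd628d31fbef39499495c
SHA256 ac6c76420cb4d4f8501b22992b22a082f491dd886acdb67ee4b6caf101670680
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe.log
MD5 6dba4702b346903da02f7dd9e839a128
SHA1 d69f255866f30a87c9eca8312d425c47059bf15e
SHA256 29d145faac0201870c39b9119894f78694a776e03fc8f79349bdf92e56a65bcd
C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe
MD5 e7a8565db3b57e68f5fa8699c797c4e3
SHA1 9832f0de7c47f7de7b905f4fdf50fc3d5a2c3119
SHA256 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe
MD5 e7a8565db3b57e68f5fa8699c797c4e3
SHA1 9832f0de7c47f7de7b905f4fdf50fc3d5a2c3119
SHA256 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
C:\Users\Admin\AppData\Local\Temp\chrome.exe
MD5 e7a8565db3b57e68f5fa8699c797c4e3
SHA1 9832f0de7c47f7de7b905f4fdf50fc3d5a2c3119
SHA256 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
C:\Users\Admin\AppData\Local\Temp\ajjjjj.xml
MD5 edf66591eebdc49a91897516ab9c7cc3
SHA1 d2f119368668a3604ebbd628d31fbef39499495c
SHA256 ac6c76420cb4d4f8501b22992b22a082f491dd886acdb67ee4b6caf101670680
C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe
MD5 e7a8565db3b57e68f5fa8699c797c4e3
SHA1 9832f0de7c47f7de7b905f4fdf50fc3d5a2c3119
SHA256 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
C:\Users\Admin\AppData\Local\Temp\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951\9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951.exe
MD5 e7a8565db3b57e68f5fa8699c797c4e3
SHA1 9832f0de7c47f7de7b905f4fdf50fc3d5a2c3119
SHA256 9c258f0efb5ecd82c2f7cb4580332ed9d90f6fcfc41556fc3ce634e1dfada951
"""

HASH_KEYS = ("MD5", "SHA1", "SHA256", "SHA512")


def parse_files(text):
    """Turn 'path' lines followed by 'ALGO hex' lines into one dict per entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        head, _, rest = line.partition(" ")
        if head in HASH_KEYS:
            if entries:
                entries[-1][head.lower()] = rest.strip().lower()
        else:
            entries.append({"path": line})
    return entries


def group_by_sha256(entries):
    """Map each SHA256 to the sorted set of distinct paths it was written to."""
    groups = defaultdict(set)
    for e in entries:
        if "sha256" in e:
            groups[e["sha256"]].add(e["path"])
    return {h: sorted(paths) for h, paths in groups.items()}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def findings(entries, sample_name, sample_sha256):
    """(rule, path) findings: copies of the sample, renamed copies, duplicated content."""
    out = []
    groups = group_by_sha256(entries)
    for path in groups.get(sample_sha256, []):
        out.append(("sample_copy", path))
        # A copy of the sample under a different file name (chrome.exe here)
        # is masquerading as a legitimate program.
        if basename(path).lower() != sample_name.lower():
            out.append(("renamed_copy", path))
    for paths in groups.values():
        if len(paths) > 1:
            for path in paths:
                out.append(("duplicate_content", path))
    return out


if __name__ == "__main__":
    for rule, path in findings(parse_files(FILES_TEXT), SAMPLE_NAME, SAMPLE_SHA256):
        print(rule, path)
```

Grouping by SHA256 rather than by path is what surfaces the chrome.exe masquerade and the duplicated task XML; the four identical subfolder entries collapse to one path, so the output reflects where content landed rather than how many times the sandbox logged it.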