Malware Analysis Report

2024-10-18 23:12

Sample ID 231211-frm6csdgfk
Target 98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502
SHA256 98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502
Tags
eternity
score
10/10

Analysis Overview

score
10/10

SHA256

98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502

Threat Level: Known bad

The file 98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502 was found to be: Known bad.

Malicious Activity Summary

eternity

Eternity

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 05:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 05:06

Reported

2023-12-11 05:11

Platform

win7-20231130-en

Max time kernel

267s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe"

Signatures

Eternity

eternity

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1592 set thread context of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1592 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2932 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2932 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2932 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2932 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2932 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2932 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2932 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2932 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2932 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2932 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2932 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2932 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2932 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2932 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2932 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2932 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2932 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2932 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2932 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2932 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2580 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2580 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2580 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2580 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2580 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2580 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2580 wrote to memory of 2556 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2580 wrote to memory of 1924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2580 wrote to memory of 1924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 2580 wrote to memory of 1924 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe

"C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

"C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6E3F2B18-516D-47AA-9ACE-49314C8732E6} S-1-5-21-2185821622-4133679102-1697169727-1000:QHCIVBOB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Network

N/A

Files

memory/2856-9-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2856-7-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2856-10-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2856-5-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2856-13-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2856-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2856-3-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2856-2-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2856-1-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2856-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

MD5 e2f9a535272624448b55d22e2b72807c
SHA1 315c8f99b76ef56516c7103911e41cc20cd3ea8c
SHA256 6b52dbed28ab00086be6e3689bd25707c51ce9db321b74936880a73d1d508262
SHA512 768c3091d5bf0aa36d98a61979a6f11a37556572aed136cff01b1afc54ccf9296105f2d223009d115394c95ef1d0fdc88adb1f4fe555627c0466d274e50ee4e6

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

MD5 8671e933e69cd86f974b94b4b509e843
SHA1 5ee42b668c9d8bcc03e1e62be37e5e19537a1f4c
SHA256 a79c48734b00c4288867d6ace73696ab84212242eca79c45ac449a3d2e9d980c
SHA512 5d7bd38a93aabb36d2b424ceadb0c68ff22eefac53881fde5c0b642a75d52c7af47faaab4f616b0deaf5ec3ab8fe88941c9dc1311b85fc2ae8845d6b05d854b4

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 05:06

Reported

2023-12-11 05:11

Platform

win10-20231129-en

Max time kernel

297s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe"

Signatures

Eternity

eternity

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2308 set thread context of 756 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2308 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2308 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2308 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2308 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2308 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2308 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2308 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 756 wrote to memory of 1264 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1264 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1264 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1264 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1264 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1264 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1264 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1264 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1264 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 1264 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
PID 1264 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe

"C:\Users\Admin\AppData\Local\Temp\98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

"C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

memory/756-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/756-4-0x0000000009DD0000-0x000000000A2CE000-memory.dmp

memory/756-3-0x0000000073830000-0x0000000073F1E000-memory.dmp

memory/756-13-0x0000000073830000-0x0000000073F1E000-memory.dmp

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

MD5 ed16817fec0f4d0be6e124524cf23147
SHA1 7922d0f21680a0ab51c87c0a9ed9082badccbb30
SHA256 048fa9794227c010cf6d685a834963409e3853e6a3d51356d8ea8df6ccdc2976
SHA512 e51e9168ae787a2698ceed22334b7e5e8965ef830273eca32bf72473f6365e89c52f17da03f38692edb13b83b6cf46ffdfa0ad63039c20780039b3356d41cae6

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

MD5 8671e933e69cd86f974b94b4b509e843
SHA1 5ee42b668c9d8bcc03e1e62be37e5e19537a1f4c
SHA256 a79c48734b00c4288867d6ace73696ab84212242eca79c45ac449a3d2e9d980c
SHA512 5d7bd38a93aabb36d2b424ceadb0c68ff22eefac53881fde5c0b642a75d52c7af47faaab4f616b0deaf5ec3ab8fe88941c9dc1311b85fc2ae8845d6b05d854b4

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4