Malware Analysis Report

2024-11-30 15:58

Sample ID: 220707-jwj62sfheq
Target: 46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095
SHA256: 46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095
Tags: imminent persistence spyware trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095
Threat Level: Known bad

The file 46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095 was found to be: Known bad.

Malicious Activity Summary

Tags: imminent persistence spyware trojan

Imminent RAT
Executes dropped EXE
Deletes itself
Checks computer location settings
Loads dropped DLL
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Reported: 2022-07-07 08:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-07 08:01
Reported: 2022-07-07 08:05
Platform: win7-20220414-en
Max time kernel: 154s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Process: C:\Windows\SysWOW64\cmd.exe (no description, indicator or target recorded)

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogioms = "C:\\Users\\Admin\\AppData\\Roaming\\wcindowsdefeninic\\wimadefem.exe"
Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Process: C:\Windows\SysWOW64\PING.EXE (no description, indicator or target recorded)

Suspicious use of WriteProcessMemory

Identical rows in the original are collapsed; the count of repeated entries is given in parentheses. No indicator was recorded for any row.

PID 1904 wrote to memory of 1048 (9 identical entries)
  Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  Target: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe

PID 1048 wrote to memory of 1036 (4 identical entries)
  Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  Target: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe

PID 1048 wrote to memory of 976 (4 identical entries)
  Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  Target: C:\Windows\SysWOW64\cmd.exe

PID 976 wrote to memory of 1616 (4 identical entries)
  Process: C:\Windows\SysWOW64\cmd.exe
  Target: C:\Windows\SysWOW64\PING.EXE

PID 1036 wrote to memory of 1160 (9 identical entries)
  Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  Target: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe

Processes

Each process is listed as its image path followed by the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  "C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  "C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  "C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

C:\Windows\SysWOW64\PING.EXE
  ping 1.1.1.1 -n 1 -w 1000

C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  "C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe

Network

Identical rows in the original are collapsed; Count is the number of times the row appeared.

Country Destination Domain Proto Count
US 8.8.8.8:53 ceosas.linkpc.net udp 1
US 192.254.74.210:1060 ceosas.linkpc.net tcp 8

Files

Dropped file (listed five times in the original, both as C:\Users\... and as \Users\...; all five entries carry the same hashes):

C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
MD5 16d748352329dd9038fd1d562be4e56e
SHA1 f66fb78ebe6a1f0314d82c7b2e59e4d2932e21b3
SHA256 46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095
SHA512 104f981bc02d9ea7893bd6910497c8c7fb18d618c6a786c6c470472b2f7584fad4b5adceb2c83ae87def8f7e63bb4b11a1027aa66be1d887171d2a2f57c4b64a

Memory dumps (in the order they appear in the original):

memory/1904-54-0x00000000763B1000-0x00000000763B3000-memory.dmp
memory/1904-55-0x0000000074FF0000-0x000000007559B000-memory.dmp
memory/1904-56-0x0000000074FF0000-0x000000007559B000-memory.dmp
memory/1048-57-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1048-58-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1048-60-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1048-61-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1048-62-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1048-63-0x0000000000451D0E-mapping.dmp
memory/1048-65-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1048-67-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1904-69-0x0000000074FF0000-0x000000007559B000-memory.dmp
memory/1048-70-0x0000000074FF0000-0x000000007559B000-memory.dmp
memory/1036-72-0x0000000000000000-mapping.dmp
memory/976-76-0x0000000000000000-mapping.dmp
memory/1048-78-0x0000000074FF0000-0x000000007559B000-memory.dmp
memory/1616-77-0x0000000000000000-mapping.dmp
memory/1036-79-0x0000000074FF0000-0x000000007559B000-memory.dmp
memory/1036-80-0x0000000074FF0000-0x000000007559B000-memory.dmp
memory/1160-88-0x0000000000451D0E-mapping.dmp
memory/1036-95-0x0000000074FF0000-0x000000007559B000-memory.dmp
memory/1160-96-0x0000000074FF0000-0x000000007559B000-memory.dmp
memory/1160-97-0x0000000074FF0000-0x000000007559B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-07 08:01
Reported: 2022-07-07 08:05
Platform: win10v2004-20220414-en
Max time kernel: 154s
Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogioms = "C:\\Users\\Admin\\AppData\\Roaming\\wcindowsdefeninic\\wimadefem.exe"
Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Process: C:\Windows\SysWOW64\PING.EXE (no description, indicator or target recorded)

Suspicious use of WriteProcessMemory

Identical rows in the original are collapsed; the count of repeated entries is given in parentheses. No indicator was recorded for any row.

PID 4728 wrote to memory of 1700 (8 identical entries)
  Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  Target: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe

PID 1700 wrote to memory of 4496 (3 identical entries)
  Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  Target: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe

PID 1700 wrote to memory of 3900 (3 identical entries)
  Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  Target: C:\Windows\SysWOW64\cmd.exe

PID 3900 wrote to memory of 3896 (3 identical entries)
  Process: C:\Windows\SysWOW64\cmd.exe
  Target: C:\Windows\SysWOW64\PING.EXE

PID 4496 wrote to memory of 3516 (8 identical entries)
  Process: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  Target: C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe

Processes

Each process is listed as its image path followed by the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  "C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  "C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  "C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

C:\Windows\SysWOW64\PING.EXE
  ping 1.1.1.1 -n 1 -w 1000

C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
  "C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe"

C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe

Network

Identical rows in the original are collapsed; Count is the number of times the row appeared. A dash in the Domain column means no domain was recorded for that connection.

Country Destination Domain Proto Count
US 93.184.220.29:80 - tcp 1
NL 104.110.191.140:80 - tcp 1
US 52.168.117.170:443 - tcp 1
US 209.197.3.8:80 - tcp 3
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp 1
FR 2.18.109.224:443 - tcp 1
US 104.18.25.243:80 - tcp 1
US 8.8.8.8:53 ceosas.linkpc.net udp 1
US 192.254.74.210:1060 ceosas.linkpc.net tcp 15

Files

Dropped file (listed three times in the original; all three entries carry the same hashes):

C:\Users\Admin\AppData\Local\Temp\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe
MD5 16d748352329dd9038fd1d562be4e56e
SHA1 f66fb78ebe6a1f0314d82c7b2e59e4d2932e21b3
SHA256 46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095
SHA512 104f981bc02d9ea7893bd6910497c8c7fb18d618c6a786c6c470472b2f7584fad4b5adceb2c83ae87def8f7e63bb4b11a1027aa66be1d887171d2a2f57c4b64a

CLR usage log written by the sample:

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\46af351d0685f27032ecfb403db30cbf3a866422426255ed9180210846c7d095.exe.log
MD5 3d2a3a481b7b5c27d792fa53189326e8
SHA1 2cbfd0dc21266826b3a07f19793fb0ee52115243
SHA256 12391de09526c63e91ad7657387cfe3db9c1ce254fc664cfded3a060455a7d8d
SHA512 3161ac3ade3cdb8c5d7310e587afe6b637b444e9918dea927170cf198eb4e2683059c1291e4690b5caa12ba25725888cf508b41effd814bb9ba21b559b31cf9a

Memory dumps (in the order they appear in the original):

memory/4728-130-0x0000000074AF0000-0x00000000750A1000-memory.dmp
memory/4728-131-0x0000000074AF0000-0x00000000750A1000-memory.dmp
memory/1700-132-0x0000000000000000-mapping.dmp
memory/4728-134-0x0000000074AF0000-0x00000000750A1000-memory.dmp
memory/1700-135-0x0000000074AF0000-0x00000000750A1000-memory.dmp
memory/4496-136-0x0000000000000000-mapping.dmp
memory/3900-140-0x0000000000000000-mapping.dmp
memory/3896-142-0x0000000000000000-mapping.dmp
memory/1700-141-0x0000000074AF0000-0x00000000750A1000-memory.dmp
memory/4496-143-0x0000000074AF0000-0x00000000750A1000-memory.dmp
memory/4496-144-0x0000000074AF0000-0x00000000750A1000-memory.dmp
memory/3516-145-0x0000000000000000-mapping.dmp
memory/4496-148-0x0000000074AF0000-0x00000000750A1000-memory.dmp
memory/3516-149-0x0000000074AF0000-0x00000000750A1000-memory.dmp
memory/3516-150-0x0000000074AF0000-0x00000000750A1000-memory.dmp