Malware Analysis Report

2024-11-30 16:02

Sample ID 220712-dae3baach5
Target 4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56
SHA256 4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56
Tags imminent persistence spyware trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56

Threat Level: Known bad

The file 4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56 was found to be: Known bad.

Malicious Activity Summary

imminent persistence spyware trojan

Imminent RAT

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported 2022-07-12 02:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-07-12 02:48
Reported 2022-07-12 03:12
Platform win7-20220414-en
Max time kernel 150s
Max time network 75s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Proxies = "C:\\Users\\Admin\\AppData\\Roaming\\Proxies\\Assembly.exe" | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1080 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe
PID 900 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe
PID 900 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 1152 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 916 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

"C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

"C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

"C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

"C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted 2022-07-12 02:48
Reported 2022-07-12 03:12
Platform win10v2004-20220414-en
Max time kernel 151s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Proxies = "C:\\Users\\Admin\\AppData\\Roaming\\Proxies\\Assembly.exe" | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3456 wrote to memory of 3832 | N/A | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe
PID 3832 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe
PID 3832 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 4952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1992 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe | C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

"C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

"C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

"C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

"C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 20.189.173.9:443 tcp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
NL 104.97.14.81:80 tcp
NL 104.97.14.81:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp
US 8.8.8.8:53 jihanekama.ddns.net udp

Files

memory/3456-130-0x0000000074AC0000-0x0000000075071000-memory.dmp

memory/3456-131-0x0000000074AC0000-0x0000000075071000-memory.dmp

memory/3832-132-0x0000000000000000-mapping.dmp

memory/3832-133-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3456-134-0x0000000074AC0000-0x0000000075071000-memory.dmp

memory/3832-135-0x0000000074AC0000-0x0000000075071000-memory.dmp

memory/1992-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe

MD5 e3760fd9c58c8a0db6f3e56726cb870a
SHA1 4abb50e2126c6c001a715f2cb5b365c72a89fe76
SHA256 4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56
SHA512 ab39a5953f9bf6292140256cd91028ec2538f4d07cad979c5bdb43a6a1b0c95ef5fc0a16dac7f0ab27bb983765b004e54fe9742c9e295aa5853b6f961960771b

memory/4980-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\4d823e5e6f2c1cbc25cf8c8c601d90f393e9d97da807b208f8afd0bed6e1cb56.exe.log

MD5 3d2a3a481b7b5c27d792fa53189326e8
SHA1 2cbfd0dc21266826b3a07f19793fb0ee52115243
SHA256 12391de09526c63e91ad7657387cfe3db9c1ce254fc664cfded3a060455a7d8d
SHA512 3161ac3ade3cdb8c5d7310e587afe6b637b444e9918dea927170cf198eb4e2683059c1291e4690b5caa12ba25725888cf508b41effd814bb9ba21b559b31cf9a

memory/4952-141-0x0000000000000000-mapping.dmp

memory/3832-142-0x0000000074AC0000-0x0000000075071000-memory.dmp

memory/1992-143-0x0000000074AC0000-0x0000000075071000-memory.dmp

memory/4804-144-0x0000000000000000-mapping.dmp

memory/1992-145-0x0000000074AC0000-0x0000000075071000-memory.dmp

memory/1992-148-0x0000000074AC0000-0x0000000075071000-memory.dmp

memory/4804-149-0x0000000074AC0000-0x0000000075071000-memory.dmp

memory/4804-150-0x0000000074AC0000-0x0000000075071000-memory.dmp