Malware Analysis Report

2024-11-15 08:09

Sample ID: 220802-bnc4rschg6
Target: 5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75
SHA256: 5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75
Tags: imminent persistence spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75
Threat Level: Known bad

The file 5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75 was found to be: Known bad.

Malicious Activity Summary

Tags: imminent persistence spyware trojan

Imminent RAT
Executes dropped EXE
Loads dropped DLL
Deletes itself
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-02 01:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-02 01:17
Reported: 2022-08-02 02:18
Platform: win7-20220715-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Process: C:\Windows\SysWOW64\cmd.exe
Description: N/A
Indicator: N/A
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogiomsf = "C:\\Users\\Admin\\AppData\\Roaming\\wcindowsdefeninif\\winlogomn.exe"
Process: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Process: C:\Windows\SysWOW64\PING.EXE
Description: N/A
Indicator: N/A
Target: N/A

Suspicious use of WriteProcessMemory

Indicator: N/A for every entry below. Identical rows are collapsed with their count.

PID 1432 wrote to memory of 1892 (9 entries)
  Process: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  Target: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe

PID 1892 wrote to memory of 1324 (4 entries)
  Process: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  Target: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe

PID 1892 wrote to memory of 1484 (4 entries)
  Process: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  Target: C:\Windows\SysWOW64\cmd.exe

PID 1484 wrote to memory of 1936 (4 entries)
  Process: C:\Windows\SysWOW64\cmd.exe
  Target: C:\Windows\SysWOW64\PING.EXE

PID 1324 wrote to memory of 968 (9 entries)
  Process: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  Target: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe

Processes

Each process is listed as its image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

C:\Windows\SysWOW64\PING.EXE
  ping 1.1.1.1 -n 1 -w 1000

C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country  Destination           Domain             Proto
US       8.8.8.8:53            ceosas.linkpc.net  udp
US       192.254.74.210:1060   ceosas.linkpc.net  tcp   (7 identical entries)

Files

memory/1432-54-0x0000000076031000-0x0000000076033000-memory.dmp
memory/1432-55-0x0000000074840000-0x0000000074DEB000-memory.dmp
memory/1432-56-0x0000000074840000-0x0000000074DEB000-memory.dmp
memory/1892-57-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1892-58-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1892-60-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1892-61-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1892-62-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1892-63-0x0000000000451CBE-mapping.dmp
memory/1892-65-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1892-67-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1432-69-0x0000000074840000-0x0000000074DEB000-memory.dmp
memory/1892-70-0x0000000074840000-0x0000000074DEB000-memory.dmp

\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  MD5    7fe3d321806c1604e3e3908538bc8aa6
  SHA1   571b55a5a0b478fd635b64bb12b20b64611fb2e3
  SHA256 5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75
  SHA512 7ad253c5851b689d564808ab39ea5de4919de0721040c3aad7355012e72184c934ec0aa1ac77f10f3fb03277b0f9c2f363cf026932b12798cbb5d017598086b8

memory/1324-72-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  MD5    7fe3d321806c1604e3e3908538bc8aa6
  SHA1   571b55a5a0b478fd635b64bb12b20b64611fb2e3
  SHA256 5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75
  SHA512 7ad253c5851b689d564808ab39ea5de4919de0721040c3aad7355012e72184c934ec0aa1ac77f10f3fb03277b0f9c2f363cf026932b12798cbb5d017598086b8

memory/1484-76-0x0000000000000000-mapping.dmp
memory/1892-77-0x0000000074840000-0x0000000074DEB000-memory.dmp
memory/1936-78-0x0000000000000000-mapping.dmp
memory/1324-79-0x0000000074840000-0x0000000074DEB000-memory.dmp
memory/1324-80-0x0000000074840000-0x0000000074DEB000-memory.dmp
memory/968-88-0x0000000000451CBE-mapping.dmp
memory/968-91-0x0000000000080000-0x00000000000D6000-memory.dmp
memory/968-95-0x0000000000080000-0x00000000000D6000-memory.dmp
memory/968-98-0x0000000000080000-0x00000000000D6000-memory.dmp
memory/1324-100-0x0000000074840000-0x0000000074DEB000-memory.dmp
memory/968-101-0x0000000074840000-0x0000000074DEB000-memory.dmp
memory/968-102-0x0000000074840000-0x0000000074DEB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-02 01:17
Reported: 2022-08-02 02:18
Platform: win10v2004-20220721-en
Max time kernel: 187s
Max time network: 191s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Process: C:\Windows\SysWOW64\PING.EXE
Description: N/A
Indicator: N/A
Target: N/A

Suspicious use of WriteProcessMemory

Indicator: N/A for every entry below. Identical rows are collapsed with their count.

PID 1808 wrote to memory of 3536 (8 entries)
  Process: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  Target: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe

PID 3536 wrote to memory of 1220 (3 entries)
  Process: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  Target: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe

PID 3536 wrote to memory of 3084 (3 entries)
  Process: C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  Target: C:\Windows\SysWOW64\cmd.exe

PID 3084 wrote to memory of 2472 (3 entries)
  Process: C:\Windows\SysWOW64\cmd.exe
  Target: C:\Windows\SysWOW64\PING.EXE

Processes

Each process is listed as its image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"

C:\Windows\SysWOW64\PING.EXE
  ping 1.1.1.1 -n 1 -w 1000

Network

Country  Destination         Domain                                                              Proto
US       209.197.3.8:80      (none)                                                              tcp
LT       93.115.28.104:80    (none)                                                              tcp
US       52.168.112.67:443   (none)                                                              tcp
NL       87.248.202.1:80     (none)                                                              tcp   (2 identical entries)
US       40.77.2.164:443     (none)                                                              tcp
US       8.8.8.8:53          15.89.54.20.in-addr.arpa                                            udp
US       8.8.8.8:53          d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa  udp

Files

memory/1808-130-0x0000000074D40000-0x00000000752F1000-memory.dmp
memory/1808-131-0x0000000074D40000-0x00000000752F1000-memory.dmp
memory/3536-132-0x0000000000000000-mapping.dmp
memory/3536-133-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1808-134-0x0000000074D40000-0x00000000752F1000-memory.dmp
memory/3536-135-0x0000000074D40000-0x00000000752F1000-memory.dmp
memory/3536-136-0x0000000074D40000-0x00000000752F1000-memory.dmp
memory/1220-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  MD5    7fe3d321806c1604e3e3908538bc8aa6
  SHA1   571b55a5a0b478fd635b64bb12b20b64611fb2e3
  SHA256 5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75
  SHA512 7ad253c5851b689d564808ab39ea5de4919de0721040c3aad7355012e72184c934ec0aa1ac77f10f3fb03277b0f9c2f363cf026932b12798cbb5d017598086b8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe.log
  MD5    3d2a3a481b7b5c27d792fa53189326e8
  SHA1   2cbfd0dc21266826b3a07f19793fb0ee52115243
  SHA256 12391de09526c63e91ad7657387cfe3db9c1ce254fc664cfded3a060455a7d8d
  SHA512 3161ac3ade3cdb8c5d7310e587afe6b637b444e9918dea927170cf198eb4e2683059c1291e4690b5caa12ba25725888cf508b41effd814bb9ba21b559b31cf9a

memory/3084-141-0x0000000000000000-mapping.dmp
memory/3536-142-0x0000000074D40000-0x00000000752F1000-memory.dmp
memory/2472-143-0x0000000000000000-mapping.dmp
memory/1220-144-0x0000000074D40000-0x00000000752F1000-memory.dmp
memory/1220-145-0x0000000074D40000-0x00000000752F1000-memory.dmp