Malware Analysis Report

2024-11-13 15:44

Sample ID 221122-wakxnsfb8v
Target f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239
SHA256 f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239
Tags
imminent persistence spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239

Threat Level: Known bad

The file f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239 was found to be: Known bad.

Malicious Activity Summary

imminent persistence spyware trojan

Imminent RAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-22 17:43

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-22 17:43

Reported

2022-11-22 17:45

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A
N/A N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\soawf\\ewnkp.com C:\\Users\\Admin\\AppData\\Roaming\\soawf\\irrdb.txl" C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4320 set thread context of 4748 N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A
N/A N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1496 wrote to memory of 3040 (×3) N/A C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com
PID 3040 wrote to memory of 4320 (×3) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com
PID 4320 wrote to memory of 4676 (×3) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 4320 wrote to memory of 3884 (×3) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 4320 wrote to memory of 628 (×3) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 4320 wrote to memory of 1108 (×3) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 4320 wrote to memory of 3392 (×3) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 4320 wrote to memory of 2392 (×3) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 4320 wrote to memory of 3896 (×3) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 4320 wrote to memory of 2328 (×3) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1640 (×3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4320 wrote to memory of 4748 (×8) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe

"C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe"

C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

"C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com" irrdb.txl

C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Users\Admin\AppData\Roaming\soawf\JVNSK

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM mshta.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Network

Country Destination Domain Proto
N/A 104.46.162.226:443 tcp
N/A 8.8.8.8:53 www.meropost.publicvm.com udp
N/A 38.79.142.66:1076 www.meropost.publicvm.com tcp
N/A 67.24.171.254:80 tcp
N/A 67.24.171.254:80 tcp
N/A 67.24.171.254:80 tcp
N/A 38.79.142.66:1076 www.meropost.publicvm.com tcp
N/A 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
N/A 8.8.8.8:53 www.meropost.publicvm.com udp
N/A 38.79.142.66:1076 www.meropost.publicvm.com tcp
N/A 38.79.142.66:1076 www.meropost.publicvm.com tcp
N/A 38.79.142.66:1076 www.meropost.publicvm.com tcp

Files

memory/3040-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

MD5 a3f4db4d9a13413af1a172eb61dfa83a
SHA1 900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9
SHA256 0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448
SHA512 3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

C:\Users\Admin\AppData\Roaming\soawf\irrdb.txl

MD5 320133077eb8365d0a35a6c8bf1078c5
SHA1 31bf50ca151ee596b2fa04db5f748c2799b16b26
SHA256 a18eb74dc95cd8df63dd06561ade96d97efe753153f7e679f118be9cc3b2aad6
SHA512 f6cf82316f2562d6910690064fcb1681d1136ce902cac2f6dd8daa1b5b8877b8ebf6be8b5bd48ea00a522971fa85929340268ea69cf1f3003ebfa4af9e26da38

C:\Users\Admin\AppData\Roaming\soawf\YMQGIX

MD5 8411942151d844067bc637c35ac2847e
SHA1 0fae54a9b04ab15ce4acff346224d88195300b23
SHA256 96a2341f1bc8f3a31ca774b76f0c441d54f4f9e270d7aeeafac68e2ccf9e3506
SHA512 a3fb1441cd29300abdaa889e4c6cec9dba4e12d21459eada361117a2a64f163051af8bc0c942e56b2b932df7428c259d8dcc5d6c5d3c260be799050bb0ccd610

C:\Users\Admin\AppData\Roaming\soawf\citax.ojb

MD5 3a6730dd1fd8c9a8a316dcc6d4c6510c
SHA1 2d1d23733c1e34143b85575418b0d7fb39c30a78
SHA256 b5f108cffa82e6bd972d548139ef07d2024db58f0657b1cce60d1d1ca27958e5
SHA512 e5280425ea75d2429bc3795aa8352a687910fc3b43c533ae31afb7d6dafaa1f7bdac3698b94fd4ef7f0bfc49eccdd371cc83727b377baec2c9a974d4a4206310

memory/4320-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

MD5 a3f4db4d9a13413af1a172eb61dfa83a
SHA1 900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9
SHA256 0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448
SHA512 3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

C:\Users\Admin\AppData\Roaming\soawf\JVNSK

MD5 3384979a23fbe4de79286b1901121b19
SHA1 5e69f43dcc8ed992ab17c233271712bb0bf60f13
SHA256 ae2427d833c91c213875fe7e70b05c88e949859da91b33681d598e3fd6b4f740
SHA512 0f98ff4b4c631dfc388e515dcaa3e858ed2c9581a63d9ab3ec588ea9ef17a593dc632c6f9093c13944812f273153ea0f0b37a1ca8aaa30a23d1199dcdf832fa3

memory/4676-141-0x0000000000000000-mapping.dmp

memory/3884-142-0x0000000000000000-mapping.dmp

memory/628-143-0x0000000000000000-mapping.dmp

memory/1108-144-0x0000000000000000-mapping.dmp

memory/3392-145-0x0000000000000000-mapping.dmp

memory/2392-146-0x0000000000000000-mapping.dmp

memory/3896-147-0x0000000000000000-mapping.dmp

memory/2328-148-0x0000000000000000-mapping.dmp

memory/1640-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\soawf\nbwul

MD5 b6ea1cbbe3f6599f3992c1b0eacfa171
SHA1 2844c4ea48876886757a24b05c72473594a8cb4e
SHA256 87d170c56ef26f9bb8f46151a61d56be62ecac3847c33145e3c8501fad778c4d
SHA512 01fa6e5a8dcc661c0e8a037de9476920ea0d87370e0b895c7d5c2dfd17db1b2ef9dca7c29dc43b6223c0a77cefb889b1ad2cf7cdeff997647e358e6c147823ef

memory/4748-151-0x0000000000000000-mapping.dmp

memory/4748-152-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4748-153-0x0000000072720000-0x0000000072CD1000-memory.dmp

memory/4748-154-0x0000000072720000-0x0000000072CD1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-22 17:43

Reported

2022-11-22 17:45

Platform

win7-20221111-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A
N/A N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\soawf\\ewnkp.com C:\\Users\\Admin\\AppData\\Roaming\\soawf\\irrdb.txl" C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1960 set thread context of 520 N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 112 (×7) N/A C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com
PID 112 wrote to memory of 1960 (×7) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com
PID 1960 wrote to memory of 1748 (×7) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 1960 wrote to memory of 1568 (×7) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 1960 wrote to memory of 2024 (×7) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 1960 wrote to memory of 1964 (×7) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 1960 wrote to memory of 1084 (×7) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 1960 wrote to memory of 1900 (×7) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 1960 wrote to memory of 1740 (×7) N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\mshta.exe
PID 1960 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe

"C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe"

C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

"C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com" irrdb.txl

C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Users\Admin\AppData\Roaming\soawf\ZEWKL

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM mshta.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.meropost.publicvm.com udp
N/A 38.79.142.66:1076 www.meropost.publicvm.com tcp
N/A 38.79.142.66:1076 www.meropost.publicvm.com tcp
N/A 38.79.142.66:1076 www.meropost.publicvm.com tcp
N/A 38.79.142.66:1076 www.meropost.publicvm.com tcp
N/A 38.79.142.66:1076 www.meropost.publicvm.com tcp

Files

memory/1284-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

\Users\Admin\AppData\Roaming\soawf\ewnkp.com

MD5 a3f4db4d9a13413af1a172eb61dfa83a
SHA1 900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9
SHA256 0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448
SHA512 3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

memory/112-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

MD5 a3f4db4d9a13413af1a172eb61dfa83a
SHA1 900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9
SHA256 0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448
SHA512 3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

C:\Users\Admin\AppData\Roaming\soawf\irrdb.txl

MD5 320133077eb8365d0a35a6c8bf1078c5
SHA1 31bf50ca151ee596b2fa04db5f748c2799b16b26
SHA256 a18eb74dc95cd8df63dd06561ade96d97efe753153f7e679f118be9cc3b2aad6
SHA512 f6cf82316f2562d6910690064fcb1681d1136ce902cac2f6dd8daa1b5b8877b8ebf6be8b5bd48ea00a522971fa85929340268ea69cf1f3003ebfa4af9e26da38

C:\Users\Admin\AppData\Roaming\soawf\citax.ojb

MD5 3a6730dd1fd8c9a8a316dcc6d4c6510c
SHA1 2d1d23733c1e34143b85575418b0d7fb39c30a78
SHA256 b5f108cffa82e6bd972d548139ef07d2024db58f0657b1cce60d1d1ca27958e5
SHA512 e5280425ea75d2429bc3795aa8352a687910fc3b43c533ae31afb7d6dafaa1f7bdac3698b94fd4ef7f0bfc49eccdd371cc83727b377baec2c9a974d4a4206310

C:\Users\Admin\AppData\Roaming\soawf\YMQGIX

MD5 8411942151d844067bc637c35ac2847e
SHA1 0fae54a9b04ab15ce4acff346224d88195300b23
SHA256 96a2341f1bc8f3a31ca774b76f0c441d54f4f9e270d7aeeafac68e2ccf9e3506
SHA512 a3fb1441cd29300abdaa889e4c6cec9dba4e12d21459eada361117a2a64f163051af8bc0c942e56b2b932df7428c259d8dcc5d6c5d3c260be799050bb0ccd610

memory/1960-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\soawf\ZEWKL

MD5 3384979a23fbe4de79286b1901121b19
SHA1 5e69f43dcc8ed992ab17c233271712bb0bf60f13
SHA256 ae2427d833c91c213875fe7e70b05c88e949859da91b33681d598e3fd6b4f740
SHA512 0f98ff4b4c631dfc388e515dcaa3e858ed2c9581a63d9ab3ec588ea9ef17a593dc632c6f9093c13944812f273153ea0f0b37a1ca8aaa30a23d1199dcdf832fa3

memory/1748-72-0x0000000000000000-mapping.dmp

memory/1568-74-0x0000000000000000-mapping.dmp

memory/2024-76-0x0000000000000000-mapping.dmp

memory/1964-78-0x0000000000000000-mapping.dmp

memory/1084-80-0x0000000000000000-mapping.dmp

memory/1900-82-0x0000000000000000-mapping.dmp

memory/1740-84-0x0000000000000000-mapping.dmp

memory/876-86-0x0000000000000000-mapping.dmp

memory/624-88-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\soawf\nbwul

MD5 b6ea1cbbe3f6599f3992c1b0eacfa171
SHA1 2844c4ea48876886757a24b05c72473594a8cb4e
SHA256 87d170c56ef26f9bb8f46151a61d56be62ecac3847c33145e3c8501fad778c4d
SHA512 01fa6e5a8dcc661c0e8a037de9476920ea0d87370e0b895c7d5c2dfd17db1b2ef9dca7c29dc43b6223c0a77cefb889b1ad2cf7cdeff997647e358e6c147823ef

memory/520-91-0x0000000000400000-0x000000000044A000-memory.dmp

memory/520-92-0x0000000000400000-0x000000000044A000-memory.dmp

memory/520-94-0x0000000000400000-0x000000000044A000-memory.dmp

memory/520-95-0x0000000000400000-0x000000000044A000-memory.dmp

memory/520-96-0x0000000000400000-0x000000000044A000-memory.dmp

memory/520-97-0x000000000044528E-mapping.dmp

memory/520-99-0x0000000000400000-0x000000000044A000-memory.dmp

memory/520-101-0x0000000000400000-0x000000000044A000-memory.dmp

memory/520-103-0x0000000074980000-0x0000000074F2B000-memory.dmp

memory/520-104-0x0000000074980000-0x0000000074F2B000-memory.dmp