Malware Analysis Report

2025-05-05 21:53

Sample ID 220122-bjfn4agcc7
Target a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
SHA256 a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V6

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814

Threat Level: Known bad

The file a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814 was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Maps connected drives based on registry

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-22 01:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-22 01:10

Reported

2022-01-22 06:01

Platform

win7-en-20211208

Max time kernel

152s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1704 set thread context of 340 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 960 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 960 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 960 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 960 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 960 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 960 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 960 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 960 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 960 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1160 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1160 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1160 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1704 wrote to memory of 340 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1704 wrote to memory of 340 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1704 wrote to memory of 340 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1704 wrote to memory of 340 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1704 wrote to memory of 340 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe

"C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp799550281.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\Wfantaw.exe"

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.github.com udp
US 185.199.109.133:443 raw.github.com tcp
US 185.199.109.133:443 raw.github.com tcp
US 185.199.109.133:443 raw.github.com tcp
US 185.199.109.133:443 raw.github.com tcp
US 185.199.109.133:443 raw.github.com tcp
US 185.199.109.133:443 raw.github.com tcp
US 185.199.109.133:443 raw.github.com tcp
US 185.199.109.133:443 raw.github.com tcp
US 8.8.8.8:53 immy.galaxygiveaways.com udp

Files

memory/960-55-0x0000000076921000-0x0000000076923000-memory.dmp

memory/960-56-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

memory/960-57-0x0000000000DB1000-0x0000000000DB2000-memory.dmp

memory/960-58-0x0000000000DB6000-0x0000000000DC7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp799550281.tmp

MD5 8aebd1bfc6dc1a618eb992a7b63d17a7
SHA1 070e341e4334c3e0ac1f575c4e258e5c8ea44052
SHA256 a02625f9ec05a7d1d46c34718084e5a263e80f90cabf26888d096538352094da
SHA512 f652932c6a7ee85fa361c96fc20e8b9f95dbf9bae945a75b4529e99ebd3b80fe7d7d1e6917864eaef55bfa7d5c8e6e20a085259de08b5281235e972224582482

\Users\Admin\AppData\Roaming\Wfantaw.exe

MD5 a87401f7224a349d9e93ffb98ba77f14
SHA1 9b72bb09f33e4f58329bbd30289615f73283ca41
SHA256 a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
SHA512 dd0c898d77366ad0bc26e75486874c1987e6a21ec655c1a5d71b693b46c1ea8ade5143cc1637217bdd826f2d2fbd4e952fbbd8a830ab493b7e1b9f3c8d652290

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

MD5 a87401f7224a349d9e93ffb98ba77f14
SHA1 9b72bb09f33e4f58329bbd30289615f73283ca41
SHA256 a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
SHA512 dd0c898d77366ad0bc26e75486874c1987e6a21ec655c1a5d71b693b46c1ea8ade5143cc1637217bdd826f2d2fbd4e952fbbd8a830ab493b7e1b9f3c8d652290

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

MD5 a87401f7224a349d9e93ffb98ba77f14
SHA1 9b72bb09f33e4f58329bbd30289615f73283ca41
SHA256 a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
SHA512 dd0c898d77366ad0bc26e75486874c1987e6a21ec655c1a5d71b693b46c1ea8ade5143cc1637217bdd826f2d2fbd4e952fbbd8a830ab493b7e1b9f3c8d652290

memory/1704-65-0x00000000005E1000-0x00000000005E2000-memory.dmp

memory/1704-64-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/1704-66-0x00000000005E6000-0x00000000005F7000-memory.dmp

memory/1704-67-0x0000000005110000-0x0000000005113000-memory.dmp

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

MD5 a87401f7224a349d9e93ffb98ba77f14
SHA1 9b72bb09f33e4f58329bbd30289615f73283ca41
SHA256 a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
SHA512 dd0c898d77366ad0bc26e75486874c1987e6a21ec655c1a5d71b693b46c1ea8ade5143cc1637217bdd826f2d2fbd4e952fbbd8a830ab493b7e1b9f3c8d652290

memory/340-70-0x0000000002080000-0x0000000002081000-memory.dmp

memory/1160-71-0x0000000000160000-0x0000000000161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp35D0.tmp

MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA512 8c290919e456a80d87dd6d243e4713945432b9a2bc158bfa5b81ae9fed1a8dd693da51914fa4014c5b8596e36186a9c891741c3b9011958c7ac240b7d818f815

memory/1160-75-0x0000000000130000-0x0000000000146000-memory.dmp

memory/1160-76-0x0000000000130000-0x0000000000146000-memory.dmp

memory/1160-77-0x0000000000130000-0x0000000000146000-memory.dmp

memory/1160-79-0x0000000000130000-0x0000000000146000-memory.dmp

memory/1160-81-0x0000000000130000-0x0000000000146000-memory.dmp

memory/1160-83-0x0000000000130000-0x0000000000146000-memory.dmp

memory/1160-85-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1160-86-0x0000000000150000-0x0000000000151000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-22 01:10

Reported

2022-01-22 06:01

Platform

win10-en-20211208

Max time kernel

153s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1448 set thread context of 2196 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\schtasks.exe
PID 1016 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe C:\Windows\SysWOW64\cmd.exe
PID 1212 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1212 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1212 wrote to memory of 1448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1448 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1448 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1448 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 1448 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Users\Admin\AppData\Roaming\Wfantaw.exe
PID 2196 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\Wfantaw.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe

"C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp409242927.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\Wfantaw.exe"

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.github.com udp
US 185.199.108.133:443 raw.github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 raw.github.com udp
US 185.199.110.133:443 raw.github.com tcp
US 185.199.108.133:443 raw.github.com tcp
US 8.8.8.8:53 immy.galaxygiveaways.com udp
US 8.8.8.8:53 immy.galaxygiveaways.com udp
US 8.8.8.8:53 immy.galaxygiveaways.com udp
US 8.8.8.8:53 immy.galaxygiveaways.com udp

Files

memory/1016-115-0x0000000002540000-0x0000000002541000-memory.dmp

memory/1016-116-0x0000000002541000-0x0000000002542000-memory.dmp

memory/1016-117-0x0000000002544000-0x0000000002546000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp409242927.tmp

MD5 2ef2e774c8600b9d1745406e4f17cd23
SHA1 e8535dae766cfe162441b6bb370c29ed2d96bc85
SHA256 16a463623c79752a57547fa74f934aee6117db0621c8a613e11ecda5f2ed7293
SHA512 0c36cc812515039c26d30724176a12249ff3e745de12f0f92f7aaa73cf3f0cf373e4d4dac55741c02a997dabb61867925a0b400d09ca01e7c28de7a1245bc0d7

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

MD5 a87401f7224a349d9e93ffb98ba77f14
SHA1 9b72bb09f33e4f58329bbd30289615f73283ca41
SHA256 a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
SHA512 dd0c898d77366ad0bc26e75486874c1987e6a21ec655c1a5d71b693b46c1ea8ade5143cc1637217bdd826f2d2fbd4e952fbbd8a830ab493b7e1b9f3c8d652290

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

MD5 a87401f7224a349d9e93ffb98ba77f14
SHA1 9b72bb09f33e4f58329bbd30289615f73283ca41
SHA256 a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
SHA512 dd0c898d77366ad0bc26e75486874c1987e6a21ec655c1a5d71b693b46c1ea8ade5143cc1637217bdd826f2d2fbd4e952fbbd8a830ab493b7e1b9f3c8d652290

memory/1448-121-0x0000000000DE0000-0x0000000000E8E000-memory.dmp

memory/1448-122-0x0000000000DE0000-0x0000000000E8E000-memory.dmp

memory/1448-123-0x0000000000DE0000-0x0000000000E8E000-memory.dmp

memory/1448-124-0x000000000AAE0000-0x000000000AAE3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Wfantaw.exe

MD5 a87401f7224a349d9e93ffb98ba77f14
SHA1 9b72bb09f33e4f58329bbd30289615f73283ca41
SHA256 a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
SHA512 dd0c898d77366ad0bc26e75486874c1987e6a21ec655c1a5d71b693b46c1ea8ade5143cc1637217bdd826f2d2fbd4e952fbbd8a830ab493b7e1b9f3c8d652290

memory/2196-126-0x0000000000D00000-0x0000000000E4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB5BA.tmp

MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA512 8c290919e456a80d87dd6d243e4713945432b9a2bc158bfa5b81ae9fed1a8dd693da51914fa4014c5b8596e36186a9c891741c3b9011958c7ac240b7d818f815

memory/1212-129-0x0000000000D50000-0x0000000000D66000-memory.dmp

memory/1212-128-0x0000000000D50000-0x0000000000D66000-memory.dmp

memory/1212-130-0x0000000000D50000-0x0000000000D66000-memory.dmp

memory/1212-131-0x0000000000D50000-0x0000000000D66000-memory.dmp

memory/1212-132-0x0000000000B50000-0x0000000000B51000-memory.dmp

memory/1212-133-0x0000000000B50000-0x0000000000B51000-memory.dmp