Malware Analysis Report

2024-10-24 16:30

Sample ID 220415-llc14afghj
Target 93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd
SHA256 93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd
Tags
hiverat rat stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd

Threat Level: Known bad

The file 93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd was found to be: Known bad.

Malicious Activity Summary

hiverat rat stealer

HiveRAT

HiveRAT Payload

Beds Protector Packer

Drops startup file

Suspicious use of SetThreadContext

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-04-15 09:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-15 09:36

Reported

2022-04-15 12:31

Platform

win7-20220414-en

Max time kernel

150s

Max time network

75s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"

Signatures

HiveRAT

rat stealer hiverat

Beds Protector Packer

Description Indicator Process Target
N/A N/A N/A N/A

HiveRAT Payload

Description Indicator Process Target Count
N/A N/A N/A N/A 15

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe N/A 18
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 3
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe N/A 37

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 892 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1712 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 4
PID 1712 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 2036 wrote to memory of 664 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe 4
PID 2036 wrote to memory of 1532 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe 4
PID 1532 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe 10

Processes

C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe

"C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\89574.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe'

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\89574.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe'

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89574.js"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 holis.plumfixa.com udp

Files

memory/892-54-0x00000000002D0000-0x0000000000328000-memory.dmp

memory/892-55-0x0000000001F30000-0x0000000001F80000-memory.dmp

memory/1712-56-0x0000000000000000-mapping.dmp

memory/2024-57-0x0000000000000000-mapping.dmp

memory/2036-58-0x0000000000000000-mapping.dmp

memory/2036-59-0x00000000755C1000-0x00000000755C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\89574.js

MD5 60c472e8bf90cafd98f3d298652cdd50
SHA1 371bd260da522a1b4f893965cce08fa5d69618fa
SHA256 b4f1fb692ecf9f619a45c28459c38a66f2b9ce923a181d7892c13f040806b634
SHA512 d5733e56ac0011bda134c7c61d0090a031f778805c539b89930d5a97673bfc52e3424fc4c6b374625a2a43c7ea7cc751e968aff84b3cde0015e117eaffe20b92

memory/664-61-0x0000000000000000-mapping.dmp

memory/2036-63-0x0000000073D00000-0x00000000742AB000-memory.dmp

memory/2036-64-0x00000000023F0000-0x000000000303A000-memory.dmp

memory/1532-65-0x0000000000000000-mapping.dmp

memory/1532-66-0x0000000000E40000-0x0000000000E98000-memory.dmp

memory/1196-67-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-68-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-70-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-71-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-72-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-73-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-74-0x000000000044C8DE-mapping.dmp

memory/1196-76-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-78-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-80-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-81-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-82-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-83-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-87-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-90-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-91-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1196-92-0x0000000000400000-0x0000000000454000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-15 09:36

Reported

2022-04-15 12:30

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target Count
N/A N/A N/A N/A 10

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe N/A 18
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe N/A 39

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2540 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3956 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 3
PID 3956 wrote to memory of 3864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3864 wrote to memory of 2136 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WScript.exe 3
PID 3864 wrote to memory of 4312 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe 3
PID 4312 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe 3
PID 4312 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe 9
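Added example, not part of this report and not HiveRAT or sandbox code: a Python script that collapses the WriteProcessMemory rows above into a writer-to-target graph and separates routine writes from the ones worth chasing. It assumes what the table itself shows, that a parent writes into each child it creates (the child's startup parameters), so one write edge appears for every ordinary spawn and those edges double as parent links; the edges that stand out are the ones where PID 4312 writes, repeatedly, into children that run the same image, which fits the SetThreadContext signal listed in the summary. Field names and the "interesting" rule are this example's own.

```python
"""Added example: injection graph from the report's WriteProcessMemory rows.

Input is constructed from the table above; PIDs, images and row counts are
taken from the report, everything else is this example's own choice.
"""
import re
from collections import Counter

SAMPLE = "93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup" + "\\" + SAMPLE)
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TIMEOUT = r"C:\Windows\SysWOW64\timeout.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"

# Constructed from the table above: (description, process image, target image),
# one tuple per row, duplicates kept on purpose because the count matters.
WPM_ROWS = (
    [("PID 2540 wrote to memory of 3956", TEMP_EXE, CMD)] * 3
    + [("PID 3956 wrote to memory of 3128", CMD, TIMEOUT)] * 3
    + [("PID 3956 wrote to memory of 3864", CMD, POWERSHELL)] * 3
    + [("PID 3864 wrote to memory of 2136", POWERSHELL, WSCRIPT)] * 3
    + [("PID 3864 wrote to memory of 4312", POWERSHELL, STARTUP_EXE)] * 3
    + [("PID 4312 wrote to memory of 2076", STARTUP_EXE, STARTUP_EXE)] * 3
    + [("PID 4312 wrote to memory of 3964", STARTUP_EXE, STARTUP_EXE)] * 9
)

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_edges(rows):
    """Return (Counter of (writer, target) edges, pid -> image map)."""
    edges = Counter()
    image = {}
    for desc, src_img, dst_img in rows:
        m = ROW_RE.fullmatch(desc)
        if not m:
            raise ValueError(f"unrecognised row: {desc!r}")
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] += 1
        image[src] = src_img
        image[dst] = dst_img
    return edges, image


def lineage(edges, pid):
    """Rebuild the spawn chain ending at pid by walking write edges backwards.

    Assumption: the first writer into a process is its parent (the parent writes
    the child's startup parameters at creation), so the edges double as parent links.
    """
    parents = {dst: src for (src, dst) in edges}
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def classify(rows):
    """One record per distinct edge; same-image writes are flagged as interesting."""
    edges, image = parse_edges(rows)
    findings = []
    for (src, dst), n in sorted(edges.items()):
        same_image = image[src] == image[dst]
        findings.append({
            "src": src, "dst": dst, "writes": n,
            "kind": "same-image write" if same_image else "parent-to-child write",
            # A burst of writes at spawn time is routine; writes into a child that
            # runs the writer's own image are the pattern to investigate further.
            "interesting": same_image,
        })
    return findings


def interesting_edges(rows):
    return [(f["src"], f["dst"], f["writes"]) for f in classify(rows) if f["interesting"]]


if __name__ == "__main__":
    edges, _ = parse_edges(WPM_ROWS)
    for f in classify(WPM_ROWS):
        flag = "!" if f["interesting"] else " "
        print(f"{flag} {f['src']} -> {f['dst']} x{f['writes']:<2} {f['kind']}")
    print("spawn chain for 3964:", " -> ".join(map(str, lineage(edges, 3964))))
```

The caveat the script encodes: this sandbox signature fires on every process creation, so the first five edges are just the cmd / timeout / powershell / WScript chain being spawned; only the last two, where the Startup copy writes into two more instances of itself (nine writes into 3964), carry weight on their own.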

Processes

C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe

"C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\429731.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe'

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\429731.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe'

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\429731.js"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"

Network

Country Destination Domain Proto Count
US 93.184.220.29:80 - tcp 2
US 20.189.173.9:443 - tcp 1
NL 104.97.14.81:80 - tcp 2
US 209.197.3.8:80 - tcp 1
US 8.8.8.8:53 holis.plumfixa.com udp 19
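Added example, not part of this report and not HiveRAT or sandbox code: a small rule set run over Sysmon-style events constructed from the Processes and Network tables above, covering the timeout/Start-Sleep delay, the hidden-window PowerShell launch, WScript executing a .js from %TEMP%, the copy running from the Startup folder, and the repeated resolution of holis.plumfixa.com. Event field names and the thresholds are this example's own, not a Sysmon schema; the report does not say which process issued the DNS queries, so those events carry no PID; parent links are taken from the WriteProcessMemory table. One detail worth knowing when writing such rules: the WScript command line names System32 while the image runs from SysWOW64, which is WOW64 file-system redirection because the 32-bit powershell.exe launched it, so match on the image path the sensor records rather than the path in the command line.

```python
"""Added example: detection rules over constructed process and DNS events."""
import re
from collections import Counter

SAMPLE = "93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
STARTUP_DIR = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")
STARTUP_EXE = STARTUP_DIR + "\\" + SAMPLE
SYSWOW = r"C:\Windows\SysWOW64"
# Command line copied from the report, including its doubled backslash.
PS_CMD = (r"powershell -command Start-Process -WindowStyle hidden -FilePath "
          r"'C:\Users\Admin\AppData\Local\Temp\\429731.js'; Start-Sleep -s 5; "
          "Start-Process -WindowStyle hidden -FilePath '" + STARTUP_EXE + "'")


def proc(pid, ppid, image, cmd):
    return {"id": 1, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


# Constructed input: id 1 = process creation, id 22 = DNS query.
EVENTS = [
    proc(2540, None, TEMP_DIR + "\\" + SAMPLE, f'"{TEMP_DIR}\\{SAMPLE}"'),
    proc(3956, 2540, SYSWOW + r"\cmd.exe", "cmd.exe /c timeout 5 & " + PS_CMD),
    proc(3128, 3956, SYSWOW + r"\timeout.exe", "timeout 5"),
    proc(3864, 3956, SYSWOW + r"\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    # Image under SysWOW64 although the command line says System32 (WOW64 redirection).
    proc(2136, 3864, SYSWOW + r"\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\429731.js"'),
    proc(4312, 3864, STARTUP_EXE, f'"{STARTUP_EXE}"'),
    proc(2076, 4312, STARTUP_EXE, f'"{STARTUP_EXE}"'),
    proc(3964, 4312, STARTUP_EXE, f'"{STARTUP_EXE}"'),
] + [{"id": 22, "pid": None, "query": "holis.plumfixa.com"}] * 19

DELAY_RE = re.compile(r"\btimeout \d+\b|Start-Sleep", re.I)
TEMP_SCRIPT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\"']+\.(?:js|vbs|jse|wsf)\b", re.I)
STARTUP_MARK = "\\start menu\\programs\\startup\\"


def shell_delay(e, images):
    """cmd/powershell command line that sleeps before doing its real work."""
    return (e["image"].lower().endswith(("\\cmd.exe", "\\powershell.exe"))
            and DELAY_RE.search(e["cmd"]) is not None)


def hidden_powershell(e, images):
    return (e["image"].lower().endswith("\\powershell.exe")
            and "-windowstyle hidden" in e["cmd"].lower())


def wscript_from_temp(e, images):
    return (e["image"].lower().endswith("\\wscript.exe")
            and TEMP_SCRIPT_RE.search(e["cmd"]) is not None)


def startup_folder_exe(e, images):
    return STARTUP_MARK in e["image"].lower()


def startup_exe_spawned_by_powershell(e, images):
    parent = images.get(e["ppid"], "").lower()
    return STARTUP_MARK in e["image"].lower() and parent.endswith("\\powershell.exe")


RULES = [
    ("execution delay in shell command line", shell_delay),
    ("powershell hidden-window Start-Process", hidden_powershell),
    ("wscript running a script from %TEMP%", wscript_from_temp),
    ("executable running from the Startup folder", startup_folder_exe),
    ("Startup-folder executable spawned by powershell", startup_exe_spawned_by_powershell),
]


def run_rules(events):
    """Return (rule name, pid) for every process-creation event a rule matches."""
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        for name, rule in RULES:
            if rule(e, images):
                hits.append((name, e["pid"]))
    return hits


def dns_repeats(events, min_count=5):
    """Domains resolved at least min_count times.  The report's network window is
    only 75 s, so this is a repeated-lookup signal, not a timing-based beacon test."""
    counts = Counter(e["query"] for e in events if e["id"] == 22)
    return {d: n for d, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"[{pid}] {name}")
    for domain, n in dns_repeats(EVENTS).items():
        print(f"DNS: {domain} resolved {n} times")
```

Each rule on its own is weak (administrators also run hidden PowerShell and scheduled timeouts); the combination this sample produces, a delay, a hidden launch, a script from %TEMP% and a copy of the original file running from the Startup folder within one process tree, is what should raise the alert.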

Files

memory/2540-130-0x0000000000440000-0x0000000000498000-memory.dmp

memory/2540-131-0x0000000005400000-0x00000000059A4000-memory.dmp

memory/2540-132-0x0000000004E50000-0x0000000004EE2000-memory.dmp

memory/2540-133-0x0000000004F70000-0x0000000004FE6000-memory.dmp

memory/2540-134-0x0000000004F30000-0x0000000004F4E000-memory.dmp

memory/2540-135-0x0000000005260000-0x00000000052FC000-memory.dmp

memory/2540-136-0x0000000005BB0000-0x0000000005C16000-memory.dmp

memory/3956-137-0x0000000000000000-mapping.dmp

memory/3128-138-0x0000000000000000-mapping.dmp

memory/3864-139-0x0000000000000000-mapping.dmp

memory/3864-140-0x0000000002D40000-0x0000000002D76000-memory.dmp

memory/3864-141-0x0000000005530000-0x0000000005B58000-memory.dmp

memory/3864-142-0x0000000005460000-0x0000000005482000-memory.dmp

memory/3864-143-0x0000000005C50000-0x0000000005CB6000-memory.dmp

memory/3864-144-0x0000000006310000-0x000000000632E000-memory.dmp

memory/3864-145-0x0000000002E95000-0x0000000002E97000-memory.dmp

memory/3864-146-0x0000000006870000-0x0000000006906000-memory.dmp

memory/3864-147-0x00000000067F0000-0x000000000680A000-memory.dmp

memory/3864-148-0x0000000006840000-0x0000000006862000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\429731.js

MD5 60c472e8bf90cafd98f3d298652cdd50
SHA1 371bd260da522a1b4f893965cce08fa5d69618fa
SHA256 b4f1fb692ecf9f619a45c28459c38a66f2b9ce923a181d7892c13f040806b634
SHA512 d5733e56ac0011bda134c7c61d0090a031f778805c539b89930d5a97673bfc52e3424fc4c6b374625a2a43c7ea7cc751e968aff84b3cde0015e117eaffe20b92

memory/2136-150-0x0000000000000000-mapping.dmp

memory/3864-151-0x00000000086E0000-0x0000000008D5A000-memory.dmp

memory/4312-152-0x0000000000000000-mapping.dmp

memory/2076-153-0x0000000000000000-mapping.dmp

memory/3964-154-0x0000000000000000-mapping.dmp

memory/3964-155-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3964-157-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3964-160-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3964-161-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3964-162-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3964-159-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3964-166-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3964-169-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3964-170-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3964-171-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4312-174-0x0000000006A70000-0x0000000006A7A000-memory.dmp