Malware Analysis Report

2024-10-24 16:30

Sample ID 220512-n4qq1sdee9
Target 9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1
SHA256 9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1
Tags
hiverat rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1

Threat Level: Known bad

The file 9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1 was found to be: Known bad.

Malicious Activity Summary

hiverat rat stealer

HiveRAT

HiveRAT Payload

Beds Protector Packer

Drops startup file

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-12 11:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-12 11:57

Reported

2022-05-12 12:25

Platform

win7-20220414-en

Max time kernel

152s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe"

Signatures

HiveRAT

rat stealer hiverat

Beds Protector Packer

Description Indicator Process Target
N/A N/A N/A N/A

HiveRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updates_.exe C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updates_.exe C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

"C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe"

C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

"C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 jrandjcpa.org udp
CA 178.128.239.245:1656 jrandjcpa.org tcp

Files

memory/1880-54-0x0000000000E40000-0x0000000000E90000-memory.dmp

memory/1880-55-0x00000000007B0000-0x00000000007FA000-memory.dmp

memory/1880-56-0x00000000758D1000-0x00000000758D3000-memory.dmp

memory/2020-57-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-58-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-60-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-61-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-62-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-63-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-64-0x000000000044C90E-mapping.dmp

memory/2020-66-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-68-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-70-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-71-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-72-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-73-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-77-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-80-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-81-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2020-82-0x0000000000400000-0x0000000000454000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-12 11:57

Reported

2022-05-12 12:26

Platform

win10v2004-20220414-en

Max time kernel

153s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updates_.exe C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updates_.exe C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

"C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe"

C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe

"C:\Users\Admin\AppData\Local\Temp\9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1.exe"

Network

Country Destination Domain Proto
US 52.182.141.63:443 tcp
US 8.8.8.8:53 jrandjcpa.org udp
CA 178.128.239.245:1656 jrandjcpa.org tcp

Files

memory/2576-130-0x0000000000760000-0x00000000007B0000-memory.dmp

memory/2576-131-0x00000000057B0000-0x0000000005D54000-memory.dmp

memory/2576-132-0x0000000005150000-0x00000000051E2000-memory.dmp

memory/2576-133-0x00000000056F0000-0x000000000578C000-memory.dmp

memory/3980-134-0x0000000000000000-mapping.dmp

memory/3980-135-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3980-137-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3980-139-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3980-140-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3980-141-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3980-142-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3980-146-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3980-149-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3980-151-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3980-150-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3980-157-0x0000000005300000-0x0000000005366000-memory.dmp

memory/2576-158-0x0000000005790000-0x000000000579A000-memory.dmp