Malware Analysis Report

2024-11-15 08:09

Sample ID 221001-3dl3gadabj
Target fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b
SHA256 fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b
Tags: evasion persistence imminent spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b

Threat Level: Known bad

The file fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b was found to be: Known bad.

Malicious Activity Summary

evasion persistence imminent spyware trojan

Imminent RAT

Executes dropped EXE

Disables Task Manager via registry modification

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-01 23:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-01 23:23

Reported

2022-10-02 01:46

Platform

win7-20220812-en

Max time kernel

37s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe"

Signatures

Disables Task Manager via registry modification

evasion

Adds Run key to start application

persistence
Description Indicator Process Target
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Teba\\Teba\\1.0.0.0\\WindowsUpdate.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Target: N/A

Modifies registry key

Description Indicator Process Target
Process: C:\Windows\SysWOW64\REG.exe (2 entries; description, indicator and target were N/A for both)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(sample = C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe; identical rows are consolidated, with the number of logged writes in the Writes column; Indicator was N/A for every row)
Writer PID  Target PID  Writes  Process  Target
364         2032        4       sample   C:\Windows\SysWOW64\REG.exe
364         2044        4       sample   C:\Windows\SysWOW64\REG.exe
364         1916        4       sample   sample

Processes

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

"C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe"

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Network

N/A

Files

memory/364-54-0x0000000075131000-0x0000000075133000-memory.dmp

memory/364-55-0x0000000073FA0000-0x000000007454B000-memory.dmp

memory/2032-56-0x0000000000000000-mapping.dmp

memory/2044-57-0x0000000000000000-mapping.dmp

memory/364-58-0x0000000073FA0000-0x000000007454B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-01 23:23

Reported

2022-10-02 01:46

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe"

Signatures

Imminent RAT

trojan spyware imminent

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Target: N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Teba\\Teba\\1.0.0.0\\WindowsUpdate.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Teba\\Teba\\1.0.0.0\\WindowsUpdate.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\Default File.exe"
Process: C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Local\\Default Folder\\Default File.exe"
Process: C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Target: N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
Process: C:\Windows\SysWOW64\REG.exe (4 entries; description, indicator and target were N/A for all of them)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
Process: C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe (44 entries; description, indicator and target were N/A for all of them)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(sample = C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe; dropped = C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe; identical rows are consolidated, with the number of logged writes in the Writes column; Indicator was N/A for every row)
Writer PID  Target PID  Writes  Process  Target
2628        2908        3       sample   C:\Windows\SysWOW64\REG.exe
2628        1108        3       sample   C:\Windows\SysWOW64\REG.exe
2628        5008        8       sample   sample
5008        2284        3       sample   dropped
5008        2424        3       sample   C:\Windows\SysWOW64\cmd.exe
2284        396         3       dropped  C:\Windows\SysWOW64\REG.exe
2284        2620        3       dropped  C:\Windows\SysWOW64\REG.exe
2284        176         8       dropped  dropped
176         2756        3       dropped  C:\Windows\SysWOW64\Taskmgr.exe
176         2136        3       dropped  C:\Windows\SysWOW64\Taskmgr.exe
176         4352        3       dropped  C:\Windows\SysWOW64\Taskmgr.exe
176         4300        3       dropped  C:\Windows\SysWOW64\Taskmgr.exe
176         984         3       dropped  C:\Windows\SysWOW64\Taskmgr.exe
176         4080        3       dropped  C:\Windows\SysWOW64\Taskmgr.exe
176         4508        3       dropped  C:\Windows\SysWOW64\Taskmgr.exe
176         4660        3       dropped  C:\Windows\SysWOW64\Taskmgr.exe
176         400         3       dropped  C:\Windows\SysWOW64\Taskmgr.exe
176         3584        3       dropped  C:\Windows\SysWOW64\Taskmgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

"C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe"

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

"C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe"

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

C:\Windows\SysWOW64\Taskmgr.exe (22 instances)

"C:\Windows\System32\Taskmgr.exe"

Network

Country Destination Domain Proto Count
US 209.197.3.8:80 tcp 3
US 8.8.8.8:53 imminent.zapto.org udp 21
US 20.189.173.10:443 tcp 1
US 8.253.208.113:80 tcp 2

Files

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

MD5 51f6ccf656904d48cd90444417611fc0
SHA1 877814a4b088e1ea7530c6ca883804bc392c1f49
SHA256 fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b
SHA512 5996a3597b4131c1532c31599556ea9c836a8505275fc8153fdb1ffe45646eb7d54c7bbb405d51729f66d974867f391840aac39c8e2436eb7f7f50cc3cea9430

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe.log

MD5 8d62bbabdf7b4f0f60cd9eae79236ed5
SHA1 d6477264febcf5bd26ad44b6e9c60a3567e48967
SHA256 f352c1aa1d93ee66e12948e5e3add72d7c25dda070df9b6a5040cb60e289ddd4
SHA512 96949b062c1a99094453e4c76175aecf10a9b2c89e102e6a63d8c13e58a56076d5f5e1d41cdcd147738b17574c42c1f8d01253f7d3ed953cad7b6537ed162afd
