Malware Analysis Report

2024-11-13 15:44

Sample ID 221029-l2zj2acder
Target 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df
SHA256 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df
Tags
imminent persistence spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df

Threat Level: Known bad

The file 1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df was found to be: Known bad.

Malicious Activity Summary

imminent persistence spyware trojan

Imminent RAT

Modifies WinLogon for persistence

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-29 10:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-29 10:02

Reported

2022-10-29 14:43

Platform

win7-20220812-en

Max time kernel

151s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe"

Signatures

Imminent RAT

trojan spyware imminent

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\XqQGfoEYUveg.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\eHSlRWmUQJ5T.exe" C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Microsoft.exe" C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Windows\\Windows.exe" C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1848 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1848 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1848 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1848 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 1848 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 1848 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 1848 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 1848 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 1848 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 1848 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 1848 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 1848 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 1108 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe
PID 1108 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe
PID 1108 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe
PID 1108 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe
PID 1108 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe
PID 1108 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe

"C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe"

C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

"C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe"

C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe

"C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe" Windows

C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe

"C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe"

C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

"C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe" Microsoft

C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

"C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe" Microsoft

Network

Country Destination Domain Proto
US 8.8.8.8:53 camz.ddns.net udp

Files

memory/1848-54-0x0000000075241000-0x0000000075243000-memory.dmp

memory/1848-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

memory/1108-57-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

MD5 5e8c019883c1c5bd0fdac3663a863e94
SHA1 ad53d21c86af70b7fc791f5879f578758aa04525
SHA256 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
SHA512 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

MD5 5e8c019883c1c5bd0fdac3663a863e94
SHA1 ad53d21c86af70b7fc791f5879f578758aa04525
SHA256 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
SHA512 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

MD5 5e8c019883c1c5bd0fdac3663a863e94
SHA1 ad53d21c86af70b7fc791f5879f578758aa04525
SHA256 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
SHA512 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

memory/1976-61-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1976-62-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1108-65-0x0000000074740000-0x0000000074CEB000-memory.dmp

memory/1976-64-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1976-67-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1976-69-0x000000000044C38E-mapping.dmp

memory/1976-68-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1976-71-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1976-73-0x0000000000400000-0x0000000000494000-memory.dmp

memory/1848-75-0x0000000074740000-0x0000000074CEB000-memory.dmp

memory/1976-76-0x0000000074740000-0x0000000074CEB000-memory.dmp

\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe

MD5 af9e24849dec91baa236d309b6fc54df
SHA1 6effffed3f777e7fe33396430cde07752b50bae6
SHA256 82c13bcdcf40d251835cf5792b75f919c8c90e88755beeacd0769cad798cebce
SHA512 1318f8ea1ff63fcd20d10b62a1a33fa77f1625eab6c18d39942e8536e3857fdc001d50fd3e30810cb85bdce77364a9c2b82a8260e0ee7b3650e5b50b262e804c

C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

MD5 5e8c019883c1c5bd0fdac3663a863e94
SHA1 ad53d21c86af70b7fc791f5879f578758aa04525
SHA256 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
SHA512 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

MD5 5e8c019883c1c5bd0fdac3663a863e94
SHA1 ad53d21c86af70b7fc791f5879f578758aa04525
SHA256 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
SHA512 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

MD5 5e8c019883c1c5bd0fdac3663a863e94
SHA1 ad53d21c86af70b7fc791f5879f578758aa04525
SHA256 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
SHA512 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe

MD5 af9e24849dec91baa236d309b6fc54df
SHA1 6effffed3f777e7fe33396430cde07752b50bae6
SHA256 82c13bcdcf40d251835cf5792b75f919c8c90e88755beeacd0769cad798cebce
SHA512 1318f8ea1ff63fcd20d10b62a1a33fa77f1625eab6c18d39942e8536e3857fdc001d50fd3e30810cb85bdce77364a9c2b82a8260e0ee7b3650e5b50b262e804c

C:\Users\Admin\AppData\Local\Temp\hOQgxZXr8DVXNG3f.exe

MD5 af9e24849dec91baa236d309b6fc54df
SHA1 6effffed3f777e7fe33396430cde07752b50bae6
SHA256 82c13bcdcf40d251835cf5792b75f919c8c90e88755beeacd0769cad798cebce
SHA512 1318f8ea1ff63fcd20d10b62a1a33fa77f1625eab6c18d39942e8536e3857fdc001d50fd3e30810cb85bdce77364a9c2b82a8260e0ee7b3650e5b50b262e804c

memory/1180-78-0x0000000000000000-mapping.dmp

memory/928-85-0x0000000000400000-0x0000000000494000-memory.dmp

memory/928-87-0x0000000000400000-0x0000000000494000-memory.dmp

memory/928-89-0x0000000000400000-0x0000000000494000-memory.dmp

memory/928-90-0x0000000000400000-0x0000000000494000-memory.dmp

memory/928-91-0x000000000044C6AE-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tXbgtnOaTpRBuhE5.exe

MD5 5e8c019883c1c5bd0fdac3663a863e94
SHA1 ad53d21c86af70b7fc791f5879f578758aa04525
SHA256 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
SHA512 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

memory/928-95-0x0000000000400000-0x0000000000494000-memory.dmp

memory/928-97-0x0000000000400000-0x0000000000494000-memory.dmp

memory/928-99-0x0000000074740000-0x0000000074CEB000-memory.dmp

memory/1180-93-0x000007FEF44C0000-0x000007FEF4EE3000-memory.dmp

memory/1180-100-0x000007FEF2FD0000-0x000007FEF4066000-memory.dmp

memory/1180-101-0x0000000000B26000-0x0000000000B45000-memory.dmp

C:\Users\Admin\AppData\Roaming\Imminent\Logs\29-10-2022

MD5 dde407053cdc227c356ae66057f6e504
SHA1 37a4ca31e740dcd1f5123a07204a6fed6129d06e
SHA256 2fa2b2e2f851fed61c02226e2ad61cbf59e9a22a40957f2c08979ef63aed6804
SHA512 056bbe44690a39a47e2800a487ce7aa680a317b2d5b597dd4a82261d522cb466013125bf79217eef2b75b6eac0e2fd3c947552561bfddc33dacf0fdbb0a8434b

C:\Users\Admin\AppData\Roaming\Imminent\Logs\29-10-2022

MD5 0e2f41946322391a5eea51b31ff9d4a0
SHA1 01697c4201d9f5d6f9b95456a53cb32e238b1cea
SHA256 f98fec983593f98ba6c41e21134bc563ea199886646640ad11874cbcf5f69d97
SHA512 3972b0f9a0e1a98e7873b0a1a615b74af93b4bf7cb62ab7c6959094a547f61ea00a5e8854b909d5c1ae8e609259324422567685f8a8c21db54968f1a0cb29366

memory/1108-104-0x0000000074740000-0x0000000074CEB000-memory.dmp

memory/1976-105-0x0000000074740000-0x0000000074CEB000-memory.dmp

memory/928-106-0x0000000074740000-0x0000000074CEB000-memory.dmp

memory/1180-107-0x0000000000B26000-0x0000000000B45000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-29 10:02

Reported

2022-10-29 14:43

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe"

Signatures

Imminent RAT

trojan spyware imminent

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\qw2U3Y2assS1.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\XUWHKI88wrjq.exe\" \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\qw2U3Y2assS1.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\3OcpUoMxERay.exe" C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftDC = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\DCy5Qgkhtytg.exe" C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Microsoft.exe" C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Windows\\Windows.exe" C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 376 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe
PID 376 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe
PID 376 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe
PID 376 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 376 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe
PID 3424 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe C:\Users\Admin\AppData\Local\Temp\3OcpUoMxERayVv5a.exe
PID 3424 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe C:\Users\Admin\AppData\Local\Temp\3OcpUoMxERayVv5a.exe
PID 3424 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe
PID 3424 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe
PID 3424 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe
PID 3424 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe
PID 3424 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe
PID 3424 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe
PID 3424 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe
PID 3424 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe

"C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe"

C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe

"C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe"

C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe

"C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe" Windows

C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe

"C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe" Windows

C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe

"C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe" Windows

C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe

"C:\Users\Admin\AppData\Local\Temp\1285e6795ba5bfce053f06ef0294d905b8232a49949f6d5e0f54767b0aa3c7df.exe" Windows

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 376 -ip 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1696

C:\Users\Admin\AppData\Local\Temp\3OcpUoMxERayVv5a.exe

"C:\Users\Admin\AppData\Local\Temp\3OcpUoMxERayVv5a.exe"

C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe

"C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe" Microsoft

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1688

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 8.8.8.8:53 camz.ddns.net udp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 52.182.143.210:443 tcp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp
US 8.8.8.8:53 camz.ddns.net udp

Files

memory/376-132-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/376-133-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/3424-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe

MD5 5e8c019883c1c5bd0fdac3663a863e94
SHA1 ad53d21c86af70b7fc791f5879f578758aa04525
SHA256 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
SHA512 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

memory/1764-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe

MD5 5e8c019883c1c5bd0fdac3663a863e94
SHA1 ad53d21c86af70b7fc791f5879f578758aa04525
SHA256 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
SHA512 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

memory/1836-139-0x0000000000000000-mapping.dmp

memory/2792-138-0x0000000000000000-mapping.dmp

memory/4356-140-0x0000000000000000-mapping.dmp

memory/4356-141-0x0000000000400000-0x0000000000494000-memory.dmp

memory/3424-142-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/4356-143-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/376-144-0x000000007EFB0000-0x000000007F044000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3OcpUoMxERayVv5a.exe

MD5 af9e24849dec91baa236d309b6fc54df
SHA1 6effffed3f777e7fe33396430cde07752b50bae6
SHA256 82c13bcdcf40d251835cf5792b75f919c8c90e88755beeacd0769cad798cebce
SHA512 1318f8ea1ff63fcd20d10b62a1a33fa77f1625eab6c18d39942e8536e3857fdc001d50fd3e30810cb85bdce77364a9c2b82a8260e0ee7b3650e5b50b262e804c

C:\Users\Admin\AppData\Local\Temp\3OcpUoMxERayVv5a.exe

MD5 af9e24849dec91baa236d309b6fc54df
SHA1 6effffed3f777e7fe33396430cde07752b50bae6
SHA256 82c13bcdcf40d251835cf5792b75f919c8c90e88755beeacd0769cad798cebce
SHA512 1318f8ea1ff63fcd20d10b62a1a33fa77f1625eab6c18d39942e8536e3857fdc001d50fd3e30810cb85bdce77364a9c2b82a8260e0ee7b3650e5b50b262e804c

memory/3756-145-0x0000000000000000-mapping.dmp

memory/4572-148-0x0000000000000000-mapping.dmp

memory/4572-149-0x0000000000400000-0x0000000000494000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZLQJVWNeqg20OMaX.exe

MD5 5e8c019883c1c5bd0fdac3663a863e94
SHA1 ad53d21c86af70b7fc791f5879f578758aa04525
SHA256 06eb77201d9df4c1cec9da72cd23f8d29fd624a9cc8c47da8ddc8098f5937676
SHA512 1a4281712e500276cb1b8d0f336bb2804de24d6fcc6eeb9ac4bda535613423639176e5cc870110e70d78bcf81c64594be8b87ce20755d4af9afd5e1d66fd3716

memory/3424-152-0x000000007F590000-0x000000007F624000-memory.dmp

memory/4572-151-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/3756-153-0x00007FF854ED0000-0x00007FF855906000-memory.dmp

memory/376-154-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/3424-155-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/4356-156-0x00000000748E0000-0x0000000074E91000-memory.dmp

C:\Users\Admin\AppData\Roaming\Imminent\Logs\29-10-2022

MD5 656fce74b4983c534f96b89fb03d2dcb
SHA1 3cdb281c6c3a35a09a856ee154c8d8e3193283e1
SHA256 98d1b971f24099222dd5aaded3cfefce19a825dfee0bbcd460d4904fe318d56c
SHA512 1c66110aca02268b6f7e0c59bd3baaa41f6c3db83a8b5fc32c5adcbdbbdb167adf534bd8b26ace659d047547cff36f495b1c8db6393b9f7a6ed7733ab9ad564f

memory/4572-158-0x00000000748E0000-0x0000000074E91000-memory.dmp