Malware Analysis Report

2025-03-15 03:54

Sample ID 230728-md19dsde3y
Target 6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad
SHA256 6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad
Tags
fatalrat infostealer rat gh0strat upx
Score
10/10


Analysis Overview

Score
10/10

SHA256

6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad

Threat Level: Known bad

The file 6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad was found to be: Known bad.

Malicious Activity Summary

fatalrat infostealer rat gh0strat upx

FatalRat

Gh0strat

Gh0st RAT payload

Fatal Rat payload

Deletes itself

Checks computer location settings

UPX packed file

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-28 10:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-28 10:21

Reported

2023-07-28 10:24

Platform

win7-20230712-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe

"C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe

Network

Country Destination Domain Proto
CN 211.101.247.114:21569 211.101.247.114 tcp
US 8.8.8.8:53 shopiping.cn udp
CN 211.101.247.114:21680 shopiping.cn tcp

Files

C:\ProgramData\iokwindsns.jpg

MD5 ba64147912c84f30017e1b70ad640629
SHA1 385be170b2ca3987a1899b8916083642958fbfd2
SHA256 7b1be6f5defcf082846bdcaa1dc23f9d10b40ad97eac2d428e068b0e3687dc4a
SHA512 3f7633d715d5dde98017dffc8af502bc37f74deb6e5013e8ab1cea36413b7e5abc4c2774994a5ac43637833ef9c83126c1e308965630533b0ea739d322333aef

memory/1808-59-0x0000000000670000-0x000000000068F000-memory.dmp

memory/1808-60-0x0000000000670000-0x000000000068F000-memory.dmp

memory/1808-61-0x0000000010000000-0x0000000010020000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-28 10:21

Reported

2023-07-28 10:24

Platform

win10v2004-20230703-en

Max time kernel

144s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe"

Signatures

FatalRat

infostealer rat fatalrat

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Fatal Rat payload

rat infostealer

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe

"C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\6fdebd27218d820aab768426215e50628db26dacb9cf992ba9212581f18706ad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
CN 211.101.247.114:21569 211.101.247.114 tcp
US 8.8.8.8:53 114.247.101.211.in-addr.arpa udp
US 8.8.8.8:53 shopiping.cn udp
CN 211.101.247.114:21680 shopiping.cn tcp
CN 211.101.247.114:21680 shopiping.cn tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 shopiping.cn udp
CN 211.101.247.114:21680 shopiping.cn tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

memory/2648-138-0x0000000004260000-0x000000000427F000-memory.dmp

C:\ProgramData\iokwindsns.jpg

MD5 ba64147912c84f30017e1b70ad640629
SHA1 385be170b2ca3987a1899b8916083642958fbfd2
SHA256 7b1be6f5defcf082846bdcaa1dc23f9d10b40ad97eac2d428e068b0e3687dc4a
SHA512 3f7633d715d5dde98017dffc8af502bc37f74deb6e5013e8ab1cea36413b7e5abc4c2774994a5ac43637833ef9c83126c1e308965630533b0ea739d322333aef

memory/2648-139-0x0000000004260000-0x000000000427F000-memory.dmp

memory/2648-140-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2648-144-0x0000000004750000-0x000000000489D000-memory.dmp

memory/2648-148-0x0000000004750000-0x000000000489D000-memory.dmp

memory/2648-149-0x0000000004750000-0x000000000489D000-memory.dmp

memory/2648-150-0x0000000004750000-0x000000000489D000-memory.dmp

memory/2648-155-0x0000000004750000-0x000000000489D000-memory.dmp