Malware Analysis Report

2025-03-15 06:28

Sample ID 240129-zssl1scbhr
Target 80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66
SHA256 80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66
Tags
warzonerat infostealer persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66

Threat Level: Known bad

The file 80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-29 20:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 20:59

Reported

2024-01-29 21:01

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\vimages.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vimages = "C:\\ProgramData\\vimages.exe" C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\vimages.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe
PID 5064 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe
PID 3440 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe C:\ProgramData\vimages.exe
PID 2856 wrote to memory of 4660 N/A C:\ProgramData\vimages.exe C:\ProgramData\vimages.exe
PID 2856 wrote to memory of 4472 N/A C:\ProgramData\vimages.exe C:\ProgramData\vimages.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe

"C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe"

C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe

C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe

C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe

C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 80

C:\ProgramData\vimages.exe

"C:\ProgramData\vimages.exe"

C:\ProgramData\vimages.exe

C:\ProgramData\vimages.exe

C:\ProgramData\vimages.exe

C:\ProgramData\vimages.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 satgobleien.jumpingcrab.com udp
UA 194.147.140.222:5201 satgobleien.jumpingcrab.com tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 16.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 203.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 141.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/5064-0-0x0000000075030000-0x00000000757E0000-memory.dmp

memory/5064-1-0x0000000000730000-0x00000000007CA000-memory.dmp

memory/5064-2-0x0000000002B50000-0x0000000002B56000-memory.dmp

memory/5064-3-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/5064-4-0x00000000052D0000-0x0000000005362000-memory.dmp

memory/5064-5-0x000000000DE40000-0x000000000DEDC000-memory.dmp

memory/5064-6-0x000000000E490000-0x000000000EA34000-memory.dmp

memory/5064-7-0x000000000DF80000-0x000000000E012000-memory.dmp

memory/5064-8-0x0000000002B00000-0x0000000002B06000-memory.dmp

memory/3440-9-0x0000000000400000-0x0000000000554000-memory.dmp

memory/3440-13-0x0000000000400000-0x0000000000554000-memory.dmp

memory/5064-14-0x0000000075030000-0x00000000757E0000-memory.dmp

memory/3440-15-0x0000000000400000-0x0000000000554000-memory.dmp

C:\ProgramData\vimages.exe

MD5 6c6b4b50258f73741044e91698ff2254
SHA1 2c5878b20138b1d6844633cd63c40ecc14fa8315
SHA256 80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66
SHA512 5c1b811a904ba1bd4ee825505b2ecb82bacfb31096174f429c05b5f4d8bd9984438167a27bfd75e9bb0330954616d010fde63c1491578fdf2417b17d0851cc30

memory/3440-20-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2856-21-0x00000000744F0000-0x0000000074CA0000-memory.dmp

memory/2856-22-0x0000000005640000-0x0000000005650000-memory.dmp

memory/4660-29-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4660-32-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2856-33-0x00000000744F0000-0x0000000074CA0000-memory.dmp

memory/4472-34-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4472-35-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4660-36-0x0000000000400000-0x0000000000554000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 20:59

Reported

2024-01-29 21:01

Platform

win7-20231215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\vimages.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vimages = "C:\\ProgramData\\vimages.exe" C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\vimages.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe
PID 2284 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe
PID 2668 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe C:\ProgramData\vimages.exe
PID 2888 wrote to memory of 2640 N/A C:\ProgramData\vimages.exe C:\ProgramData\vimages.exe
PID 2888 wrote to memory of 2704 N/A C:\ProgramData\vimages.exe C:\ProgramData\vimages.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe

"C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe"

C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe

C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe

C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe

C:\Users\Admin\AppData\Local\Temp\80da1b7360c8d9aa99ae826402e7232f5b2b1112a81bd29765596a60c8502c66.exe

C:\ProgramData\vimages.exe

"C:\ProgramData\vimages.exe"

C:\ProgramData\vimages.exe

C:\ProgramData\vimages.exe

C:\ProgramData\vimages.exe

C:\ProgramData\vimages.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 satgobleien.jumpingcrab.com udp
UA 194.147.140.222:5201 satgobleien.jumpingcrab.com tcp

Files

memory/2284-0-0x0000000001370000-0x000000000140A000-memory.dmp

memory/2284-2-0x00000000742A0000-0x000000007498E000-memory.dmp

memory/2284-1-0x0000000000480000-0x0000000000486000-memory.dmp

memory/2284-3-0x0000000004B00000-0x0000000004B40000-memory.dmp

memory/2284-4-0x0000000000D10000-0x0000000000DA2000-memory.dmp

memory/2284-5-0x0000000000560000-0x0000000000566000-memory.dmp

memory/2668-6-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2668-9-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2732-13-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2284-14-0x00000000742A0000-0x000000007498E000-memory.dmp

memory/2668-11-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2732-15-0x0000000000400000-0x0000000000554000-memory.dmp

C:\ProgramData\vimages.exe

MD5 7a185a76455dd5d325a3cd3aef277cfe
SHA1 46b743e5e1030393e6b0557b131e423913af8f41
SHA256 684a787b4538d0540044e22f08a62d01f28c0ee006a169162eb7a1f617b2bc75
SHA512 bb36a9930b3ed538c9685526df43642a6e3e537fbf8e56d77c8ba06059c4155855ffa6805cb1ae6b79e31a916414bd67654fb4e2484c628ff2a1c55f0b591ce1

memory/2888-24-0x0000000072FA0000-0x000000007368E000-memory.dmp

memory/2888-23-0x0000000000A80000-0x0000000000B1A000-memory.dmp

memory/2668-22-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2888-25-0x0000000004950000-0x0000000004990000-memory.dmp

C:\ProgramData\vimages.exe

MD5 67b23b0abf5e81c4500ccaed89e4c5dd
SHA1 6fd4af5c9350712c930b9f9dc2706fb6449d4153
SHA256 a1643eb8bab4573e8326c65501762202119b9c43a8b227bd39ce3b2df4a9ed3f
SHA512 d21eba31a0b4e284036a8ea2444e6562257bd3845110ea21d2345a4f9a1cd75ad20038aeb9cd9754d78b83bc4bdc6e0861a30670fe273187d9c8a0cc56f6756e

memory/2888-26-0x00000000048C0000-0x0000000004952000-memory.dmp

\ProgramData\vimages.exe

MD5 51ea2b2c43082710f89ed8c88e7498bc
SHA1 3af8de955054acda4aa92d2abbfcf009fcff1d49
SHA256 63c4df0bb00ae1be891b75e25e40c2fcefbac647f62bf31abcdefebc7477c2a7
SHA512 a81d1ff4f448c24dc6c0b104ab650e5196b1bcb9739d646798f97ffc0d422a3894711fb80582409aa695674f2e1529874f640ccb0a7843b08ba4ebf17ee4c276

\ProgramData\vimages.exe

MD5 089ddf5d4e9a6a6544c7bf681f220341
SHA1 a0549cd0b1eabc8b8cfc5f183f764eceb930758a
SHA256 3f310f1bf01cebd18798d2f0fb73f243327d55b37e5b19212e5214738a6899bc
SHA512 44b8b15384c23c4a77f24809c3d0e49dbd407011fa4f6ef155a7a4f65fe667e2d93e656da60fe6d5b53bdfb420db4c3de7b9104c1499cd505dcae0cd5dcac111

C:\ProgramData\vimages.exe

MD5 9ee6e0b718fbe68af008418fc87f1428
SHA1 cb14ad9cd98f27f658b76c2677fe6fcf7f6c838e
SHA256 3deef8ad6c5939ba8e027b83f158746e57b66f57c5ed563a5d3f0d2e830a7082
SHA512 0f5bcc817bacb455ce1a44cbc10d91a28fb39aebea40a73bfc6733079c9011ec92edc25731553d394ad45429ebfe28ec90aab78154efbce98eae66cee77925d2

C:\ProgramData\vimages.exe

MD5 4270649d2735b9d34f0ea9266a46973b
SHA1 cbfcdd92dca8d1493d711d02f0849e2ee1d3e492
SHA256 34ae73f68b44da0c34a9d20c8c838c4b85f477b21ebd2dbe73d4162daf412a5a
SHA512 be5645f40adb178572bbb9fc7bd4fb07900bd218bcbb8d654afe7c730d6fd6c59309475cc5955aa2b4e1d5cb38c3a9d67a36e807d8199382a72bf2762c8ad51a

memory/2888-37-0x0000000072FA0000-0x000000007368E000-memory.dmp

memory/2640-38-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2704-39-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2640-33-0x0000000000400000-0x0000000000554000-memory.dmp

\ProgramData\vimages.exe

MD5 602dee27bd922a1fd8fb3249836ac2d1
SHA1 57f2e9ef8439f5fe4b1336b3b6c1f2f370afaace
SHA256 f656d4cd66ccf0198ddf1ff5d6b44b7f9f701c0bbb46c135d7d69289c514d384
SHA512 78b9a26f20a277020c216dbcb3813a2f313a391e25dcb58b0a59d5d68253165456b1caf87d96e97a7272b91e5259bfbb3a281758079fffe4dfac246a89c3aa49

memory/2704-40-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2640-41-0x0000000000400000-0x0000000000554000-memory.dmp