imminent | hxxps://mega[.]nz/file/ci1WVBAS#yjhc3CCCH3LG9_ZYRRH1khyYl9l4loXt5XEBiKlkjG4

Analysis

max time kernel
44s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 20:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://mega.nz/file/ci1WVBAS#yjhc3CCCH3LG9_ZYRRH1khyYl9l4loXt5XEBiKlkjG4

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	IMServer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	IMServer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	IMServer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	IMServer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	IMServer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	IMServer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	IMServer.exe

Executes dropped EXE 16 IoCs

pid	Process
344	IMServer.exe
4472	IMServer.exe
3220	msedge.exe
5116	IMServer.exe
2092	imserver.exe
4676	imserver.exe
1352	IMServer.exe
3928	imserver.exe
1944	IMServer.exe
3464	IMServer.exe
4528	IMServer.exe
5128	IMServer.exe
5408	imserver.exe
5444	imserver.exe
5504	imserver.exe
5512	imserver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "\\Windows\\WindowsStart.exe"	IMServer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\WindowsStart.exe"	IMServer.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	IMServer.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	IMServer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsStart.exe	IMServer.exe
File created	C:\Windows\WindowsStart.exe\:SmartScreen:$DATA	IMServer.exe
File opened for modification	C:\Windows\assembly	IMServer.exe
File created	C:\Windows\assembly\Desktop.ini	IMServer.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	IMServer.exe
File created	C:\Windows\WindowsStart.exe	IMServer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "231"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

NTFS ADS 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 57102.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe\:SmartScreen:$DATA	IMServer.exe
File created	C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe\:SmartScreen:$DATA	IMServer.exe
File created	C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe\:SmartScreen:$DATA	IMServer.exe
File created	C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe\:SmartScreen:$DATA	IMServer.exe
File created	C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe\:SmartScreen:$DATA	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Windows\WindowsStart.exe\:SmartScreen:$DATA	IMServer.exe
File created	C:\Windows\WindowsStart.exe\:SmartScreen:$DATA	IMServer.exe
File created	C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe\:SmartScreen:$DATA	IMServer.exe
File created	C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe\:SmartScreen:$DATA	IMServer.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
5944	PING.EXE
5936	PING.EXE
5276	PING.EXE
5312	PING.EXE
5372	PING.EXE
5972	PING.EXE
5964	PING.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1848	msedge.exe
1848	msedge.exe
3852	msedge.exe
3852	msedge.exe
1040	identity_helper.exe
1040	identity_helper.exe
3116	msedge.exe
3116	msedge.exe
5116	IMServer.exe
5116	IMServer.exe
5116	IMServer.exe
5116	IMServer.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: 33	872	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	872	AUDIODG.EXE
Token: SeDebugPrivilege	4472	IMServer.exe
Token: SeDebugPrivilege	344	IMServer.exe
Token: SeDebugPrivilege	3220	msedge.exe
Token: SeDebugPrivilege	5116	IMServer.exe
Token: SeDebugPrivilege	3144	Taskmgr.exe
Token: SeSystemProfilePrivilege	3144	Taskmgr.exe
Token: SeCreateGlobalPrivilege	3144	Taskmgr.exe
Token: SeDebugPrivilege	1944	IMServer.exe
Token: SeDebugPrivilege	3464	IMServer.exe
Token: SeDebugPrivilege	5128	IMServer.exe
Token: SeDebugPrivilege	4528	IMServer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3852	msedge.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe
3144	Taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5116	IMServer.exe
5284	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 1956	3852	msedge.exe	84
PID 3852 wrote to memory of 1956	3852	msedge.exe	84
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1292	3852	msedge.exe	87
PID 3852 wrote to memory of 1848	3852	msedge.exe	86
PID 3852 wrote to memory of 1848	3852	msedge.exe	86
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88
PID 3852 wrote to memory of 1992	3852	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/ci1WVBAS#yjhc3CCCH3LG9_ZYRRH1khyYl9l4loXt5XEBiKlkjG4
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff972a846f8,0x7ff972a84708,0x7ff972a84718
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\Users\Admin\Downloads\IMServer.exe
  "C:\Users\Admin\Downloads\IMServer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:344
- - C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe
    "C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe"
    3⤵
    - Executes dropped EXE
    PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Downloads\IMServer.exe"
    3⤵
    PID:1964
- C:\Users\Admin\Downloads\IMServer.exe
  "C:\Users\Admin\Downloads\IMServer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Downloads\IMServer.exe"
    3⤵
    PID:3512
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:5312
- - C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe
    "C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe"
    3⤵
    - Executes dropped EXE
    PID:2092
- C:\Users\Admin\Downloads\IMServer.exe
  "C:\Users\Admin\Downloads\IMServer.exe"
  2⤵
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe
    "C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe"
    3⤵
    - Executes dropped EXE
    PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Downloads\IMServer.exe"
    3⤵
    PID:1684
- C:\Users\Admin\Downloads\IMServer.exe
  "C:\Users\Admin\Downloads\IMServer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5116
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3144
- C:\Users\Admin\Downloads\IMServer.exe
  "C:\Users\Admin\Downloads\IMServer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe
    "C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe"
    3⤵
    - Executes dropped EXE
    PID:5408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Downloads\IMServer.exe"
    3⤵
    PID:5432
- C:\Users\Admin\Downloads\IMServer.exe
  "C:\Users\Admin\Downloads\IMServer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Downloads\IMServer.exe"
    3⤵
    PID:5524
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:5936
- - C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe
    "C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe"
    3⤵
    - Executes dropped EXE
    PID:5444
- C:\Users\Admin\Downloads\IMServer.exe
  "C:\Users\Admin\Downloads\IMServer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Downloads\IMServer.exe"
    3⤵
    PID:5592
- - C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe
    "C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe"
    3⤵
    - Executes dropped EXE
    PID:5512
- C:\Users\Admin\Downloads\IMServer.exe
  "C:\Users\Admin\Downloads\IMServer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:5128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Downloads\IMServer.exe"
    3⤵
    PID:5604
- - C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe
    "C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe"
    3⤵
    - Executes dropped EXE
    PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:6124
- C:\Users\Admin\Downloads\IMServer.exe
  "C:\Users\Admin\Downloads\IMServer.exe"
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,205069970150088111,16135747320475156912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:3220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:5276

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:5372

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:5972

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:5964

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:5944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa391f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IMServer.exe.log

Filesize
319B

MD5
824ba7b7eed8b900a98dd25129c4cd83

SHA1
54478770b2158000ef365591d42977cb854453a1

SHA256
d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03

SHA512
ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a65ab4f620efd5ba6c5e3cba8713e711

SHA1
f79ff4397a980106300bb447ab9cd764af47db08

SHA256
3964e81a3b4b582e570836837b90a0539e820886a35281b416e428e9bf25fd76

SHA512
90330661b0f38ca44d6bd13a7ea2ab08a4065ec4801695e5e7e0dea154b13ac8d9b2737e36ebe9a314d2501b5ef498d03c5617c87e36986e294c701182db41b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
854f73d7b3f85bf181d2f2002afd17db

SHA1
53e5e04c78d1b81b5e6c400ce226e6be25e0dea8

SHA256
54c176976e1c56f13af90be9b8b678f17f36a943210a30274be6a777cf9a8dc4

SHA512
de14899cfaad4c312804a7fe4dcb3e9221f430088cb8bf5a9b941ac392a0bbad4e6ca974e258e34617bbffff3bf6490fa90d8c6921616f44186e267ddaa02971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
2a2e622f36d584f41357237d8f8352c6

SHA1
63d0120d4e4f2a8deb4ccdf644434cd98bdd0da4

SHA256
d7fa3c82fbb73374b81b7b0c8552267f4abab32e0369e6976d9d9bc22faa30f5

SHA512
23a8237d9d849eb1d39d73fdb4cac8e80f9ce4e8b6defc756bb8b5aaace858c935d660153f3dc95b11114f88676f3f7108b80305c89a347fb21dfcbc3c2fe5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
336cfa1ee91e331a5e5291e8abc6f2aa

SHA1
bae552137618389c10a9fbb9c3eedac431a54ae3

SHA256
449e4cecbc6e91afcbf35468ace7351052284b8f33c272ae6d4822ca7ebd70cd

SHA512
294887afef4fbb20e35abc4bf23fd1f34d27d41e467ec6872712db249f4a0a941983a16de345c914c81561abcd3f59f582864ad4c9d4f5bc04ea620bffd496e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e4eb33b39bf3f2552a18666d1f6b30d

SHA1
aded21bbd652c16d8db45db88d19c7ab05f0b6e6

SHA256
bd2383c12a4c7ce2fac423ca084839a39f9c44b8b9a86f5fb91b5f61c9b100f7

SHA512
12ce99aeb9bfdd4dc8368aeb9d115e960605b1e238a817eac9343454bbf8c6b9aba9f7a0c95f799afaf2b3387c43efd0a7cf12bd185e99244eadc3c63409667e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db1164c01e72badf26eba7a694288ac4

SHA1
066e8175262b1735e70610eb5d0eaf85798b829d

SHA256
898749278c462b8591b8cbcea53a5babc299ebd1aea8dee961092b72f894fd81

SHA512
91e8ff1a41cf8fd46b5e0af3ba8fb72dc0b5348f81f4036bab2d61c95b19e62ca0d87cf2f9d06163d85b8733d0544fbd4c08e724995464f31e4a836c2e0f57b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2ac7517b2867e169a2932db1d8ab79a0

SHA1
1ec4bd2838bb9aaaf85cd21aea58b879f444002d

SHA256
c2d397dee1a4b2106b375d8cd7e299e9bad5f7a3b071c7d92d067699bc032972

SHA512
384ce2ebd58bdf2f86afc0f5417ea3759b3f3a232629c082beb99781803a49a36b198c11f665cf71edfdbb95c46f1fbf93b3ae98130793543479cd87fdcb2239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5790d6.TMP

Filesize
48B

MD5
c9fe8c48e9f940f76031d0b3d9bd9186

SHA1
d8d4472d6a004e25740c51ee64a6d50c5ed48d1a

SHA256
7b5bff402049dc9ace5513f83976da33eafa54d9f90a6d8d0eb0d644d994d681

SHA512
47079f509ef6609470b6248c9fe68bd6065fb923e86319520c1bb2286a5a0dcc428aa85eaeec63d6af4e6d631897f1bafe44ff1faf22f1e7e446bc6ab5a63ce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3c62f2c0b56d95d3402a7de03214e378

SHA1
6e8773727a5b143406efa605e9d8c2ab2102a483

SHA256
c6860dbb849aa86abbcc45f29645b95d04f1e01477e36081d2c2d0801b85a90f

SHA512
144cabfbf357c3f00d2d4e2f12987cb7b129f36009ad6ee7ad6ccad5195e20340d1a9d9eed97867232753e0653f95c59ca6755ccbfd16b0c1a6e960721a36e4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ad57c0bbb80210df79ab1cb9641d308

SHA1
cf4356e6886a68a64b1924a66048db2eadae7abb

SHA256
4abeda0432250c91d6814f2dc24c42bcaac7f672bcc454aa80b98718a804d8a0

SHA512
957940e55e6191aad339d69f59d28e3268827c7fb76ea115f686309b9e0f000857e41aedf803e14d14a99925814276d58388e239377d96849ad25caa3da516fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cb6d990178c7abca830d4256a9ea730e

SHA1
7d31c53f7b65c2083d728f596c9f6cf8ba69f553

SHA256
648b0caf14d197c8bef4bd9a6be4b96bde36a63729d43b3bf4d0683d041734a0

SHA512
dd7930d94a3d6036ca59d4c454aa639c100496c6bd0ac9c6ecb11ea0fd5ec4423b4bf8fd85419fdbf623dfc31ce60ff72751fd311d1b9455b31ff935b38a138c

Download Submit
C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe

Filesize
64KB

MD5
15e9f392861db04537363e8bbb0c3924

SHA1
7ececeafff8d1eaacff4345698fcc912a578a7fc

SHA256
ce879cbff9c021cc2fd192ebd6b9a6f451108f838dc4b1ba6947f544bb6f44f6

SHA512
5663eaccc9a3296916233a5555402677f182df414ae4c659167180d86505af5b855ee1161022d40396085b2bb1508885f0f384fab66dcebc20d10e53186d9049

Download Submit
C:\Users\Admin\AppData\Local\Temp\imserver\imserver.exe

Filesize
320KB

MD5
8854f4065ebf804740b230c3934c3c8f

SHA1
b4babce80b0a055393e191a9b8c5ab3bd01dcbaa

SHA256
b4ab5e8544cc88dd0804cc4018ff700738fe8326b6d351a39fdec35e4c2170e8

SHA512
a341d6efa2cb5fc6e06c6b15b96940a12e32c8cfaf6b38e6b088f301a99f2a6e1369cdae3b3fe44c5cf2a249da1705e8937267be3214c0cf24caa227d9ca27b1

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
55B

MD5
cc37033713f4e382e86411b2138f7472

SHA1
9db1e7bb7b1f970f973234cfd7be76c962771481

SHA256
9db7f70be8edccc2c79cc1c8c42daaf04e86127a89f662790edc3704d61fceac

SHA512
aba2ace2257fd99bbbace1133234b37044d8e26aa2cfc9bed6cd3305dc3131ff579baeada5fc981970fe27132229a90fb2ef423ea66eb346969b53dda490a08a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\WindowsStart.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\IMServer.exe

Filesize
354KB

MD5
e5f21533e3de3864f48ac1de3c6c12fb

SHA1
c6b5cd51f11b9676c3c2bb074aa9c12a05ec1557

SHA256
b1e92fefcda6e3558d888b2d78a79f4f71444ed597da1140b0939eb31e6228a6

SHA512
03a8495d9b24ef544a67fbcb79df1469bddd0b782477f10f470f6aaed6cbaabd39eee0d6668a43be131c86cf74e4050264cb309353b28ec11f567bce402b2488

Download Submit
C:\Users\Admin\Downloads\IMServer.exe

Filesize
128KB

MD5
6021be25cf66008c989c8482a7accd16

SHA1
fdc844e47827b612f23260a8a589fe88e4fc8250

SHA256
f15cf611d198c156c87f4b6cb32aff91395168df537f2058d648d51910fb86f3

SHA512
762dea98270835ce229d3b5dd92826843626f3c09b89f1af1fbf3f7a0ed84b160c0bd51a15efc656db961886c088da4389232eb97123dfe400eaa796a4c15790

Download Submit
memory/344-196-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/344-168-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/344-166-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/344-167-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/1352-212-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1352-213-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1352-208-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1352-211-0x00000000013E0000-0x00000000013F0000-memory.dmp

Filesize
64KB

Download
memory/1944-244-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1944-219-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1944-220-0x00000000013A0000-0x00000000013B0000-memory.dmp

Filesize
64KB

Download
memory/1944-223-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2092-198-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2092-210-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2092-197-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/3144-283-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3144-284-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3144-281-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3144-280-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3144-279-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3144-278-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3144-282-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3144-272-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3144-273-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3144-274-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3220-179-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3220-182-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3220-180-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3220-209-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3464-250-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3464-229-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3928-215-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3928-216-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4472-170-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4472-173-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/4472-174-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4472-195-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4528-251-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4528-234-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/4528-233-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4676-207-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4676-200-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/4676-199-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5116-194-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5116-333-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5116-387-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5116-190-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5116-339-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5128-240-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5128-253-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5128-238-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5408-249-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5408-245-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5408-246-0x0000000001420000-0x0000000001430000-memory.dmp

Filesize
64KB

Download
memory/5408-257-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5444-252-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5444-255-0x00000000013A0000-0x00000000013B0000-memory.dmp

Filesize
64KB

Download
memory/5444-259-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5444-256-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5504-263-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5504-261-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5512-262-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5512-260-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/5512-258-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads