This repository contains the findings from a memory analysis conducted on a Windows 10 system suspected of being compromised. The analysis was performed using Volatility and other forensic tools.
- Introduction
- Process Analysis
- Suspicious IP Connections
- Malware Identification
- Urgent Findings
- Conclusion
- Recommendations
## Suspicious IP Connections

- 74.125.206.188:5228 (static IP, datacenter)
- 142.251.168.188:5228 (static IP, datacenter)
- 192.229.221.95:80
## Malware Identification

- Hash: 00D4A7FF3FFE03712CF3C62D695D1E19975881313A0E702CB4BB39A112B42E2F
- Path: C:\Program Files (x86)\Common Files\iMyFone\Components\Resident\MFResident.exe
- Installed by: iMyFone
- https://accountapi.imyfone.com
- UserDetail.json
- /v2/reside-message
- /v2/reside-uninstall-message

MFResident.exe VirusTotal Report
- Parent Process ID: LocalService.exe
- Hash: FDB9FEC2A2809B72C4897955EAA4B960BBC46C183EE15ED706F66DB4E3D46484
Command used to list handles in the captured image that reference `SearchTextHarvester`:

```shell
vol -f DESKTOP-C5IQLQB-20240710-110534.dmp windows.handles | grep "SearchTextHarvester"
```
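As an added example (not part of this report's own tooling), the following Python checker matches tool output against the indicators listed above: constructed Volatility `windows.netscan` rows are compared with the suspicious IP:port pairs, and constructed `sha256sum` output is compared with the reported hashes. The tab-separated netscan column layout, the sample rows and the benign placeholder hash are assumptions.

```python
import re

# Indicators copied from the findings in this report.
SUSPICIOUS_ENDPOINTS = {
    ("74.125.206.188", 5228),
    ("142.251.168.188", 5228),
    ("192.229.221.95", 80),
}
SUSPICIOUS_HASHES = {
    "00D4A7FF3FFE03712CF3C62D695D1E19975881313A0E702CB4BB39A112B42E2F".lower(),
    "FDB9FEC2A2809B72C4897955EAA4B960BBC46C183EE15ED706F66DB4E3D46484".lower(),
}

# Constructed sample in the shape of `vol -f <image> windows.netscan` output
# (tab-separated columns assumed; Offset is a placeholder, not data from the image).
SAMPLE_NETSCAN = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0x0\tTCPv4\t192.168.1.10\t51234\t74.125.206.188\t5228\tESTABLISHED\t4120\tMFResident.exe\t2024-07-10 11:03:02
0x0\tTCPv4\t192.168.1.10\t51240\t203.0.113.7\t443\tESTABLISHED\t2212\tsvchost.exe\t2024-07-10 11:04:10
"""

# Constructed `sha256sum` output over dumped files; the second hash is a placeholder.
SAMPLE_SHA256SUM = """\
00d4a7ff3ffe03712cf3c62d695d1e19975881313a0e702cb4bb39a112b42e2f  dump/pid.4120.MFResident.exe
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  dump/pid.2212.svchost.exe
"""

def parse_netscan(text):
    """Turn tab-separated netscan output into dicts keyed by the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]

def flag_connections(text):
    """Return (pid, owner, ip, port) for rows whose foreign endpoint is an IoC."""
    hits = []
    for row in parse_netscan(text):
        endpoint = (row["ForeignAddr"], int(row["ForeignPort"]))
        if endpoint in SUSPICIOUS_ENDPOINTS:
            hits.append((int(row["PID"]), row["Owner"]) + endpoint)
    return hits

def flag_hashes(text):
    """Return (path, sha256) for sha256sum lines whose digest is a report hash."""
    hits = []
    for m in re.finditer(r"^([0-9a-fA-F]{64})\s+(\S+)$", text, re.M):
        if m.group(1).lower() in SUSPICIOUS_HASHES:
            hits.append((m.group(2), m.group(1).lower()))
    return hits
```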
## Conclusion

This memory analysis has revealed several suspicious activities and potential indicators of compromise on the system. The identified suspicious IP connections, potentially malicious files, and other findings warrant further investigation to confirm any malicious intent and to take appropriate remediation actions.