Malware Analysis Report

2024-11-15 06:31

Sample ID 210317-hv4pd7mepx
Target c481259ad199b773339f168902cc7437.exe
SHA256 1da5a6aac7197d1fcadef018775831885b715d5c37a3115777dc5c717ce6e0da
Tags: spyware stealer echelon

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

1da5a6aac7197d1fcadef018775831885b715d5c37a3115777dc5c717ce6e0da

Threat Level: Known bad

The file c481259ad199b773339f168902cc7437.exe was found to be: Known bad.

Malicious Activity Summary

spyware stealer echelon

Echelon

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-03-17 08:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-03-17 08:21

Reported

2021-03-17 08:23

Platform

win7v20201028

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1616 set thread context of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1616 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\cmd.exe
PID 1368 wrote to memory of 1600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1368 wrote to memory of 1600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1368 wrote to memory of 1600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1368 wrote to memory of 1600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1616 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 1616 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1616 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1616 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1616 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe

"C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe

"C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe"

C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe

"C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe"

C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe

"C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 1808

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | liverpooldabestteamoftheworld.com | udp
N/A | 104.21.52.98:80 | liverpooldabestteamoftheworld.com | tcp
N/A | 104.21.52.98:443 | liverpooldabestteamoftheworld.com | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.225.129.141:443 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp
N/A | 8.8.8.8:53 | ip-api.com | udp
N/A | 208.95.112.1:80 | ip-api.com | tcp
N/A | 8.8.8.8:53 | api.telegram.org | udp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/1616-2-0x0000000074640000-0x0000000074D2E000-memory.dmp

memory/1616-3-0x0000000001280000-0x0000000001281000-memory.dmp

memory/1616-5-0x00000000011B0000-0x00000000011B1000-memory.dmp

memory/1616-6-0x00000000058E0000-0x0000000005A36000-memory.dmp

memory/1368-7-0x0000000000000000-mapping.dmp

memory/1600-8-0x0000000000000000-mapping.dmp

memory/316-10-0x000000000054706E-mapping.dmp

memory/316-9-0x0000000000400000-0x000000000054C000-memory.dmp

memory/316-11-0x0000000074640000-0x0000000074D2E000-memory.dmp

memory/1532-12-0x0000000000000000-mapping.dmp

memory/316-13-0x0000000000400000-0x000000000054C000-memory.dmp

memory/1532-15-0x0000000001E90000-0x0000000001EA1000-memory.dmp

memory/316-16-0x0000000005510000-0x0000000005581000-memory.dmp

memory/1532-17-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/316-18-0x00000000011E0000-0x00000000011E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-03-17 08:21

Reported

2021-03-17 08:23

Platform

win10v20201028

Max time kernel

16s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe"

Signatures

Echelon

stealer spyware echelon

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 648 set thread context of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 648 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Windows\SysWOW64\cmd.exe
PID 744 wrote to memory of 3328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 744 wrote to memory of 3328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 744 wrote to memory of 3328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 648 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 648 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 648 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 648 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 648 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 648 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 648 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe
PID 648 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe | C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe

"C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 1

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe

"C:\Users\Admin\AppData\Local\Temp\c481259ad199b773339f168902cc7437.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 2088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1888

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | liverpooldabestteamoftheworld.com | udp
N/A | 104.21.52.98:80 | liverpooldabestteamoftheworld.com | tcp
N/A | 104.21.52.98:443 | liverpooldabestteamoftheworld.com | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 23.21.48.44:443 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | www.msftconnecttest.com | udp
N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp
N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp

Files

memory/648-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

memory/648-3-0x0000000000550000-0x0000000000551000-memory.dmp

memory/648-5-0x00000000050D0000-0x00000000050D1000-memory.dmp

memory/648-6-0x00000000099A0000-0x00000000099A1000-memory.dmp

memory/648-9-0x0000000009A40000-0x0000000009B96000-memory.dmp

memory/744-10-0x0000000000000000-mapping.dmp

memory/3328-11-0x0000000000000000-mapping.dmp

memory/648-12-0x000000000A2F0000-0x000000000A2F1000-memory.dmp

memory/3304-13-0x0000000000400000-0x000000000054C000-memory.dmp

memory/3304-14-0x000000000054706E-mapping.dmp

memory/3304-15-0x0000000073FF0000-0x00000000746DE000-memory.dmp

memory/3304-18-0x00000000052F0000-0x00000000052F1000-memory.dmp

memory/416-19-0x0000000004C50000-0x0000000004C51000-memory.dmp

memory/3304-20-0x0000000005BE0000-0x0000000005C51000-memory.dmp

memory/3304-21-0x0000000005270000-0x0000000005271000-memory.dmp

memory/188-23-0x00000000040D0000-0x00000000040D1000-memory.dmp