Malware Analysis Report

2024-10-24 16:30

Sample ID 220511-c5yx8sdhb8
Target 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712
SHA256 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712
Tags hiverat warzonerat infostealer rat stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712

Threat Level: Known bad

The file 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712 was found to be: Known bad.

Malicious Activity Summary

hiverat warzonerat infostealer rat stealer

WarzoneRat, AveMaria

HiveRAT

Warzone RAT Payload

HiveRAT Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops startup file

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-05-11 02:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-05-11 02:40
Reported 2022-05-11 04:00
Platform win7-20220414-en
Max time kernel 151s
Max time network 43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"

Signatures

HiveRAT

rat stealer hiverat

WarzoneRat, AveMaria

rat infostealer warzonerat

HiveRAT Payload


Warzone RAT Payload

rat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe C:\Users\Admin\AppData\Local\Temp\2.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe C:\Users\Admin\AppData\Local\Temp\2.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe C:\Users\Admin\AppData\Local\Temp\1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe C:\Users\Admin\AppData\Local\Temp\1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe C:\Users\Admin\AppData\Local\Temp\3.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1712 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\1.exe
PID 1712 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 1712 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 888 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 940 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Local\Temp\1.exe
PID 940 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Local\Temp\1.exe
PID 940 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Local\Temp\1.exe
PID 428 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 428 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Local\Temp\3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe (2 instances)
"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"

C:\Users\Admin\AppData\Local\Temp\1.exe (4 instances)
"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe (2 instances)
"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\3.exe (3 instances)
"C:\Users\Admin\AppData\Local\Temp\3.exe"

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 532

Network

Country Destination Domain Proto
US 8.8.8.8:53 hive01.duckdns.org udp

Files

\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe

MD5 31431004556597a633f858c122c85b60
SHA1 fea5847bb6a5daae2688e349c827e30c51b4485f
SHA256 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712
SHA512 7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd

\Users\Admin\AppData\Local\Temp\1.exe

MD5 36c32cd064db3a4769d8b8bd99c8500e
SHA1 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e
SHA256 fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f
SHA512 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

\Users\Admin\AppData\Local\Temp\2.exe

MD5 e1dd367f1baa8889afca69a79dd43abd
SHA1 786dc0378d1008490c9110cc30bcc6a11f6c3c3e
SHA256 56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9
SHA512 b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a

C:\Users\Admin\AppData\Local\Temp\3.exe

MD5 d03c9c3cef97ff26426d84a056fbd5f6
SHA1 37bb280fd041626ff9b6ecdda4f323b91fa8445a
SHA256 d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816
SHA512 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe

MD5 d03c9c3cef97ff26426d84a056fbd5f6
SHA1 37bb280fd041626ff9b6ecdda4f323b91fa8445a
SHA256 d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816
SHA512 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

\Users\Admin\AppData\Local\Temp\2.exe

MD5 e1dd367f1baa8889afca69a79dd43abd
SHA1 786dc0378d1008490c9110cc30bcc6a11f6c3c3e
SHA256 56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9
SHA512 b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a

memory/1264-95-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-96-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-98-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-99-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-101-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-100-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-102-0x000000000044C85E-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 e1dd367f1baa8889afca69a79dd43abd
SHA1 786dc0378d1008490c9110cc30bcc6a11f6c3c3e
SHA256 56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9
SHA512 b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a

memory/1264-105-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-107-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-110-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-109-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-111-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5 36c32cd064db3a4769d8b8bd99c8500e
SHA1 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e
SHA256 fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f
SHA512 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

\Users\Admin\AppData\Local\Temp\1.exe

MD5 36c32cd064db3a4769d8b8bd99c8500e
SHA1 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e
SHA256 fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f
SHA512 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

memory/1264-112-0x0000000000400000-0x0000000000454000-memory.dmp

\Users\Admin\AppData\Local\Temp\1.exe

MD5 36c32cd064db3a4769d8b8bd99c8500e
SHA1 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e
SHA256 fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f
SHA512 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

\Users\Admin\AppData\Local\Temp\1.exe

MD5 36c32cd064db3a4769d8b8bd99c8500e
SHA1 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e
SHA256 fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f
SHA512 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

memory/112-119-0x0000000000400000-0x0000000000554000-memory.dmp

memory/112-122-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1264-123-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5 36c32cd064db3a4769d8b8bd99c8500e
SHA1 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e
SHA256 fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f
SHA512 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

memory/112-126-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1264-129-0x0000000000400000-0x0000000000454000-memory.dmp

memory/112-130-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1264-131-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1264-133-0x0000000000400000-0x0000000000454000-memory.dmp

memory/112-132-0x0000000000400000-0x0000000000554000-memory.dmp

memory/112-136-0x0000000000400000-0x0000000000554000-memory.dmp

memory/112-138-0x0000000000400000-0x0000000000554000-memory.dmp

memory/112-140-0x0000000000400000-0x0000000000554000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5 36c32cd064db3a4769d8b8bd99c8500e
SHA1 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e
SHA256 fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f
SHA512 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

memory/112-142-0x0000000000405CE2-mapping.dmp

memory/112-147-0x0000000000400000-0x0000000000554000-memory.dmp

\Users\Admin\AppData\Local\Temp\3.exe

MD5 d03c9c3cef97ff26426d84a056fbd5f6
SHA1 37bb280fd041626ff9b6ecdda4f323b91fa8445a
SHA256 d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816
SHA512 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-11 02:40

Reported

2022-05-11 04:01

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"

Signatures

HiveRAT

rat stealer hiverat

WarzoneRat, AveMaria

rat infostealer warzonerat

HiveRAT Payload

Warzone RAT Payload

rat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe C:\Users\Admin\AppData\Local\Temp\1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe C:\Users\Admin\AppData\Local\Temp\1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe C:\Users\Admin\AppData\Local\Temp\2.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe C:\Users\Admin\AppData\Local\Temp\2.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe C:\Users\Admin\AppData\Local\Temp\3.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1484 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1484 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 1484 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 2080 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\1.exe
PID 2080 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2080 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 3588 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Local\Temp\1.exe
PID 4184 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 4368 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2.exe C:\Users\Admin\AppData\Local\Temp\2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe

"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\3.exe

"C:\Users\Admin\AppData\Local\Temp\3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4716 -ip 4716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 772

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 hive01.duckdns.org udp
US 20.42.73.26:443 tcp
NL 8.238.21.126:80 tcp
US 8.253.208.112:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe

MD5 31431004556597a633f858c122c85b60
SHA1 fea5847bb6a5daae2688e349c827e30c51b4485f
SHA256 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712
SHA512 7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5 36c32cd064db3a4769d8b8bd99c8500e
SHA1 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e
SHA256 fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f
SHA512 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 e1dd367f1baa8889afca69a79dd43abd
SHA1 786dc0378d1008490c9110cc30bcc6a11f6c3c3e
SHA256 56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9
SHA512 b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a

C:\Users\Admin\AppData\Local\Temp\3.exe

MD5 d03c9c3cef97ff26426d84a056fbd5f6
SHA1 37bb280fd041626ff9b6ecdda4f323b91fa8445a
SHA256 d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816
SHA512 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe

MD5 d03c9c3cef97ff26426d84a056fbd5f6
SHA1 37bb280fd041626ff9b6ecdda4f323b91fa8445a
SHA256 d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816
SHA512 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
