Analysis Overview
SHA256
93672fe5c7a31c3ec7781d80ddd3104032dda555446444be8e1fc547bdaf5fd9
Threat Level: Known bad
The file was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
SmokeLoader
Detects Healer an antivirus disabler dropper
Healer
Amadey
RedLine
RedLine payload
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 20:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-10 20:34
Reported
2023-10-10 20:38
Platform
win10v2004-20230915-en
Max time kernel
93s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe | N/A |
Executes dropped EXE
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\D349.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4940 set thread context of 3680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3384 set thread context of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2876 set thread context of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3680 -ip 3680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3384 -ip 3384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 576
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2876 -ip 2876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 592
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AED9.tmp\AEDA.tmp\AEDB.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff06fe46f8,0x7fff06fe4708,0x7fff06fe4718
C:\Users\Admin\AppData\Local\Temp\D349.exe
C:\Users\Admin\AppData\Local\Temp\D349.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7fff06fe46f8,0x7fff06fe4708,0x7fff06fe4718
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
C:\Users\Admin\AppData\Local\Temp\D444.exe
C:\Users\Admin\AppData\Local\Temp\D444.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe
C:\Users\Admin\AppData\Local\Temp\D743.exe
C:\Users\Admin\AppData\Local\Temp\D743.exe
C:\Users\Admin\AppData\Local\Temp\D85E.exe
C:\Users\Admin\AppData\Local\Temp\D85E.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe
C:\Users\Admin\AppData\Local\Temp\D54E.bat
"C:\Users\Admin\AppData\Local\Temp\D54E.bat"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\D9B6.exe
C:\Users\Admin\AppData\Local\Temp\D9B6.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D646.tmp\D647.tmp\D648.bat C:\Users\Admin\AppData\Local\Temp\D54E.bat"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2572 -ip 2572
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1440 -ip 1440
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4348 -ip 4348
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10990625094037870264,357714927967416598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,10990625094037870264,357714927967416598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1648 -ip 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 588
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,4400216658913091199,6484555172671505920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,4400216658913091199,6484555172671505920,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,4400216658913091199,6484555172671505920,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 412
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
| MD5 | a435fbc1e4e361f61a211d6cac3a4260 |
| SHA1 | 3cb3d775bb552f7756705eeffa4f980bb65d79b3 |
| SHA256 | d58166b3ac6911cee9174430f5095c0c784aa7758fedbbaa6397c478bfe0779c |
| SHA512 | 4961076820bd6733dbf7df74a2e9d4983d6a8b34a6e251cc0cbc3d0f8a67b79d8fa64c0ea206ac5b81ab3e6f270a5cc84d059bb27ce730f691cf2ba901ae5b76 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
| MD5 | 2b96a89e9ca635edafdb9682afa0d7a2 |
| SHA1 | 669c1d1ba10291b7bff1378ae803acaf9e0d12d2 |
| SHA256 | 127468c28226ccddc49412cff9429be898e88226b9f0431a1fa3993ae05ab9b2 |
| SHA512 | e990b19724f209a531d9c83795726b1f37dfb6c64eee2dfb080754b9c9190395542c7653cf867a1b55c2e9d8632f3258bd207fd2ff8687317dfe226a13bde36f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
| MD5 | aae355668362de272191fdfd215753b2 |
| SHA1 | 4de07034358734227c371008fd7ffa3062c4041e |
| SHA256 | 6396fef1ecfd47dd6479ae35389809b6d9a94c3aedf32b2b863cf25b999d3d1f |
| SHA512 | 5b5763933e76b34f61ab351d0f12c0428b80ed9f7b289bc54548e0581dc5e1b3dcf9540d3fbbe94fd78bf3ef0b3b3b415dab15a1edeed24aca870dc659496066 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
| MD5 | d9ca8ec6c70d1ba58410524e132d3aca |
| SHA1 | 5df75acc5c9b8864564406da1f9250ac8af74b66 |
| SHA256 | 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a |
| SHA512 | c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3TQ78QB.exe
| MD5 | 9be5cd3bbae0796b0b26397e43efe2db |
| SHA1 | 19bd46f9af0d71ffcf319450f33cd7ae9e69bb69 |
| SHA256 | 51a81b8f93d1e06c070341d3f8efb02e50a95bf94e1b0759614e43e193fd9b3b |
| SHA512 | c9f7c339b60bd8461af4230b51ae6fd7eac9af5ed952d46161bbb601e5b53d84d829e464a8273020ba14eacd7213294e502c24985f86041a1ff637c01c0488c6 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iG636EF.exe
| MD5 | 2000cabba8fad76b97a656addb1b04cf |
| SHA1 | 8a27b78abb76eb6d27962fc47d189332ab053d9f |
| SHA256 | 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8 |
| SHA512 | eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5fd4vF9.exe
| MD5 | 0630fe57fb907366325a62a4e78c5951 |
| SHA1 | 4ba0c8d92a5d9a6f89902614932aad35b1203682 |
| SHA256 | 7319a06694543b7cba2d3d59d0c3f9b48a1ba93423e4f78fb1eea3c0a063809f |
| SHA512 | ec4400e9b19b3666317aff59bb5b941ea557873cc23ab0ca20f56633eb749f55806381ed7d074bc0ce5733b77726f433180f7a183d0a9f707b72d5421b1c1114 |
C:\Users\Admin\AppData\Local\Temp\AED9.tmp\AEDA.tmp\AEDB.bat
| MD5 | 0ec04fde104330459c151848382806e8 |
| SHA1 | 3b0b78d467f2db035a03e378f7b3a3823fa3d156 |
| SHA256 | 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f |
| SHA512 | 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40 |
memory/3136-103-0x0000000007F10000-0x0000000007F4C000-memory.dmp
memory/3136-107-0x0000000007EB0000-0x0000000007EFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D349.exe
| MD5 | 4dc84b5df7ee95cdeb77587551f275bf |
| SHA1 | 842473aaf295afd6deda1bcc20de2b51cc8df41f |
| SHA256 | aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a |
| SHA512 | 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\6hY51zJ.exe
| MD5 | 6959dfd09b1c15b9dbb99741e0281ab5 |
| SHA1 | 131bbc5364a52fe48c2608da808c127a10dc5f2a |
| SHA256 | ae071c049d783e6ec8b4512c0b6bf941f8343a2dcda180fe13734aa87a74fb48 |
| SHA512 | 7487546bd5ec3a1966087fadd4b6c7b53d3a703cd096930b9873fedde5620dcbedd8d760088e93b6bb8fd4eac5d29d1d4b09f9b121b3333f1a3cb8e9bba29cc2 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
| MD5 | 8899beca899dfb63b0ef64c806172f0d |
| SHA1 | 77c23735a2bdc850c9307c6453ba40b6060ddf68 |
| SHA256 | 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c |
| SHA512 | f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c126b33f65b7fc4ece66e42d6802b02e |
| SHA1 | 2a169a1c15e5d3dab708344661ec04d7339bcb58 |
| SHA256 | ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8 |
| SHA512 | eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822 |
C:\Users\Admin\AppData\Local\Temp\D444.exe
| MD5 | a9363557d2eb8af06a9c3e6c5e29e67c |
| SHA1 | 6ff0a1209514e798f5ec2a44240424024e678de3 |
| SHA256 | ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209 |
| SHA512 | 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb |
memory/3136-131-0x0000000007D70000-0x0000000007D80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
| MD5 | 2422b9a0ed2081a58526efd47556f5b6 |
| SHA1 | 4ab2b51421c19ad73b8c44afc131ba0837ce0715 |
| SHA256 | 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12 |
| SHA512 | a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
| MD5 | 73125a5ae5fd152baaeedc235c1fbeac |
| SHA1 | cd2330bc6fc7ef385b00a45234d9645a6d0c39f2 |
| SHA256 | 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38 |
| SHA512 | 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52 |
C:\Users\Admin\AppData\Local\Temp\D54E.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe
| MD5 | 29e94bc491b607b48b76a53a9d9a2a51 |
| SHA1 | b10963258329363a804b57936f5a5a6193a59bc3 |
| SHA256 | 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042 |
| SHA512 | 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | db9dbef3f8b1f616429f605c1ebca2f0 |
| SHA1 | ffba76f0836c024828d4ff1982cc4240c41a8f16 |
| SHA256 | 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1 |
| SHA512 | 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5 |
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe
| MD5 | d9ca8ec6c70d1ba58410524e132d3aca |
| SHA1 | 5df75acc5c9b8864564406da1f9250ac8af74b66 |
| SHA256 | 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a |
| SHA512 | c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b |
C:\Users\Admin\AppData\Local\Temp\D743.exe
| MD5 | 58258360f94c5c1e36eddf3359a7283a |
| SHA1 | 01deb71ebc5a9021658ee107516a5eafc5c27279 |
| SHA256 | 416b5ac6485817378c5c2fff994c6d76a2df9578a5bbbc21f56780acdad9e901 |
| SHA512 | 1e87b8699d2f589d9dd756f5b123988105861a5aa32c00e2ea460946937d22493c0495f3df97661da78126ab3c3a5e8f14c36d345e6a3573d6fc380e99aa6492 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe
| MD5 | 29e94bc491b607b48b76a53a9d9a2a51 |
| SHA1 | b10963258329363a804b57936f5a5a6193a59bc3 |
| SHA256 | 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042 |
| SHA512 | 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31 |
C:\Users\Admin\AppData\Local\Temp\D54E.bat
| MD5 | 9db53ae9e8af72f18e08c8b8955f8035 |
| SHA1 | 50ae5f80c1246733d54db98fac07380b1b2ff90d |
| SHA256 | d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89 |
| SHA512 | 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
| MD5 | 73125a5ae5fd152baaeedc235c1fbeac |
| SHA1 | cd2330bc6fc7ef385b00a45234d9645a6d0c39f2 |
| SHA256 | 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38 |
| SHA512 | 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | db9dbef3f8b1f616429f605c1ebca2f0 |
| SHA1 | ffba76f0836c024828d4ff1982cc4240c41a8f16 |
| SHA256 | 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1 |
| SHA512 | 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5 |
C:\Users\Admin\AppData\Local\Temp\D85E.exe
| MD5 | 57543bf9a439bf01773d3d508a221fda |
| SHA1 | 5728a0b9f1856aa5183d15ba00774428be720c35 |
| SHA256 | 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e |
| SHA512 | 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\4cc682me.exe
| MD5 | 2000cabba8fad76b97a656addb1b04cf |
| SHA1 | 8a27b78abb76eb6d27962fc47d189332ab053d9f |
| SHA256 | 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8 |
| SHA512 | eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d |
C:\Users\Admin\AppData\Local\Temp\D444.exe
| MD5 | a9363557d2eb8af06a9c3e6c5e29e67c |
| SHA1 | 6ff0a1209514e798f5ec2a44240424024e678de3 |
| SHA256 | ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209 |
| SHA512 | 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
| MD5 | 2422b9a0ed2081a58526efd47556f5b6 |
| SHA1 | 4ab2b51421c19ad73b8c44afc131ba0837ce0715 |
| SHA256 | 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12 |
| SHA512 | a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
| MD5 | 8899beca899dfb63b0ef64c806172f0d |
| SHA1 | 77c23735a2bdc850c9307c6453ba40b6060ddf68 |
| SHA256 | 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c |
| SHA512 | f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e |
C:\Users\Admin\AppData\Local\Temp\D349.exe
| MD5 | 4dc84b5df7ee95cdeb77587551f275bf |
| SHA1 | 842473aaf295afd6deda1bcc20de2b51cc8df41f |
| SHA256 | aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a |
| SHA512 | 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841 |
memory/4080-184-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4080-187-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3068-188-0x0000000000830000-0x000000000083A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D9B6.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
memory/3068-189-0x00007FFF063E0000-0x00007FFF06EA1000-memory.dmp
memory/4080-191-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4348-192-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4348-198-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | db9dbef3f8b1f616429f605c1ebca2f0 |
| SHA1 | ffba76f0836c024828d4ff1982cc4240c41a8f16 |
| SHA256 | 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1 |
| SHA512 | 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5 |
memory/4788-211-0x00000000741C0000-0x0000000074970000-memory.dmp
\??\pipe\LOCAL\crashpad_3464_ZNKUJJEIONLLFVOU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4348-202-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | db9dbef3f8b1f616429f605c1ebca2f0 |
| SHA1 | ffba76f0836c024828d4ff1982cc4240c41a8f16 |
| SHA256 | 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1 |
| SHA512 | 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 78e5bc5b95cf1717fc889f1871f5daf6 |
| SHA1 | 65169a87dd4a0121cd84c9094d58686be468a74a |
| SHA256 | 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966 |
| SHA512 | d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500 |
\??\pipe\LOCAL\crashpad_5056_XVTYISMZQSPNROMP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 20:34
Reported
2023-10-10 20:38
Platform
win7-20230831-en
Max time kernel
119s
Max time network
133s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2428 set thread context of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 284
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | N/A | tcp |
| RU | 5.42.92.211:80 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
| MD5 | a435fbc1e4e361f61a211d6cac3a4260 |
| SHA1 | 3cb3d775bb552f7756705eeffa4f980bb65d79b3 |
| SHA256 | d58166b3ac6911cee9174430f5095c0c784aa7758fedbbaa6397c478bfe0779c |
| SHA512 | 4961076820bd6733dbf7df74a2e9d4983d6a8b34a6e251cc0cbc3d0f8a67b79d8fa64c0ea206ac5b81ab3e6f270a5cc84d059bb27ce730f691cf2ba901ae5b76 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
| MD5 | a435fbc1e4e361f61a211d6cac3a4260 |
| SHA1 | 3cb3d775bb552f7756705eeffa4f980bb65d79b3 |
| SHA256 | d58166b3ac6911cee9174430f5095c0c784aa7758fedbbaa6397c478bfe0779c |
| SHA512 | 4961076820bd6733dbf7df74a2e9d4983d6a8b34a6e251cc0cbc3d0f8a67b79d8fa64c0ea206ac5b81ab3e6f270a5cc84d059bb27ce730f691cf2ba901ae5b76 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
| MD5 | a435fbc1e4e361f61a211d6cac3a4260 |
| SHA1 | 3cb3d775bb552f7756705eeffa4f980bb65d79b3 |
| SHA256 | d58166b3ac6911cee9174430f5095c0c784aa7758fedbbaa6397c478bfe0779c |
| SHA512 | 4961076820bd6733dbf7df74a2e9d4983d6a8b34a6e251cc0cbc3d0f8a67b79d8fa64c0ea206ac5b81ab3e6f270a5cc84d059bb27ce730f691cf2ba901ae5b76 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tw9sk06.exe
| MD5 | a435fbc1e4e361f61a211d6cac3a4260 |
| SHA1 | 3cb3d775bb552f7756705eeffa4f980bb65d79b3 |
| SHA256 | d58166b3ac6911cee9174430f5095c0c784aa7758fedbbaa6397c478bfe0779c |
| SHA512 | 4961076820bd6733dbf7df74a2e9d4983d6a8b34a6e251cc0cbc3d0f8a67b79d8fa64c0ea206ac5b81ab3e6f270a5cc84d059bb27ce730f691cf2ba901ae5b76 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
| MD5 | 2b96a89e9ca635edafdb9682afa0d7a2 |
| SHA1 | 669c1d1ba10291b7bff1378ae803acaf9e0d12d2 |
| SHA256 | 127468c28226ccddc49412cff9429be898e88226b9f0431a1fa3993ae05ab9b2 |
| SHA512 | e990b19724f209a531d9c83795726b1f37dfb6c64eee2dfb080754b9c9190395542c7653cf867a1b55c2e9d8632f3258bd207fd2ff8687317dfe226a13bde36f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
| MD5 | 2b96a89e9ca635edafdb9682afa0d7a2 |
| SHA1 | 669c1d1ba10291b7bff1378ae803acaf9e0d12d2 |
| SHA256 | 127468c28226ccddc49412cff9429be898e88226b9f0431a1fa3993ae05ab9b2 |
| SHA512 | e990b19724f209a531d9c83795726b1f37dfb6c64eee2dfb080754b9c9190395542c7653cf867a1b55c2e9d8632f3258bd207fd2ff8687317dfe226a13bde36f |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
| MD5 | 2b96a89e9ca635edafdb9682afa0d7a2 |
| SHA1 | 669c1d1ba10291b7bff1378ae803acaf9e0d12d2 |
| SHA256 | 127468c28226ccddc49412cff9429be898e88226b9f0431a1fa3993ae05ab9b2 |
| SHA512 | e990b19724f209a531d9c83795726b1f37dfb6c64eee2dfb080754b9c9190395542c7653cf867a1b55c2e9d8632f3258bd207fd2ff8687317dfe226a13bde36f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dn4Re20.exe
| MD5 | 2b96a89e9ca635edafdb9682afa0d7a2 |
| SHA1 | 669c1d1ba10291b7bff1378ae803acaf9e0d12d2 |
| SHA256 | 127468c28226ccddc49412cff9429be898e88226b9f0431a1fa3993ae05ab9b2 |
| SHA512 | e990b19724f209a531d9c83795726b1f37dfb6c64eee2dfb080754b9c9190395542c7653cf867a1b55c2e9d8632f3258bd207fd2ff8687317dfe226a13bde36f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
| MD5 | aae355668362de272191fdfd215753b2 |
| SHA1 | 4de07034358734227c371008fd7ffa3062c4041e |
| SHA256 | 6396fef1ecfd47dd6479ae35389809b6d9a94c3aedf32b2b863cf25b999d3d1f |
| SHA512 | 5b5763933e76b34f61ab351d0f12c0428b80ed9f7b289bc54548e0581dc5e1b3dcf9540d3fbbe94fd78bf3ef0b3b3b415dab15a1edeed24aca870dc659496066 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
| MD5 | aae355668362de272191fdfd215753b2 |
| SHA1 | 4de07034358734227c371008fd7ffa3062c4041e |
| SHA256 | 6396fef1ecfd47dd6479ae35389809b6d9a94c3aedf32b2b863cf25b999d3d1f |
| SHA512 | 5b5763933e76b34f61ab351d0f12c0428b80ed9f7b289bc54548e0581dc5e1b3dcf9540d3fbbe94fd78bf3ef0b3b3b415dab15a1edeed24aca870dc659496066 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
| MD5 | aae355668362de272191fdfd215753b2 |
| SHA1 | 4de07034358734227c371008fd7ffa3062c4041e |
| SHA256 | 6396fef1ecfd47dd6479ae35389809b6d9a94c3aedf32b2b863cf25b999d3d1f |
| SHA512 | 5b5763933e76b34f61ab351d0f12c0428b80ed9f7b289bc54548e0581dc5e1b3dcf9540d3fbbe94fd78bf3ef0b3b3b415dab15a1edeed24aca870dc659496066 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MS3rR13.exe
| MD5 | aae355668362de272191fdfd215753b2 |
| SHA1 | 4de07034358734227c371008fd7ffa3062c4041e |
| SHA256 | 6396fef1ecfd47dd6479ae35389809b6d9a94c3aedf32b2b863cf25b999d3d1f |
| SHA512 | 5b5763933e76b34f61ab351d0f12c0428b80ed9f7b289bc54548e0581dc5e1b3dcf9540d3fbbe94fd78bf3ef0b3b3b415dab15a1edeed24aca870dc659496066 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vl66Xo1.exe
| MD5 | 6241b03d68a610324ecda52f0f84e287 |
| SHA1 | da80280b6e3925e455925efd6c6e59a6118269c4 |
| SHA256 | ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2 |
| SHA512 | a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9 |
memory/2704-40-0x0000000000B50000-0x0000000000B6E000-memory.dmp
memory/2704-41-0x0000000000B90000-0x0000000000BAC000-memory.dmp
memory/2704-42-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-43-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-45-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-49-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-47-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-53-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-51-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-61-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-69-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-67-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-65-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-63-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-59-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-57-0x0000000000B90000-0x0000000000BA6000-memory.dmp
memory/2704-55-0x0000000000B90000-0x0000000000BA6000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
| MD5 | d9ca8ec6c70d1ba58410524e132d3aca |
| SHA1 | 5df75acc5c9b8864564406da1f9250ac8af74b66 |
| SHA256 | 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a |
| SHA512 | c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
| MD5 | d9ca8ec6c70d1ba58410524e132d3aca |
| SHA1 | 5df75acc5c9b8864564406da1f9250ac8af74b66 |
| SHA256 | 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a |
| SHA512 | c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
| MD5 | d9ca8ec6c70d1ba58410524e132d3aca |
| SHA1 | 5df75acc5c9b8864564406da1f9250ac8af74b66 |
| SHA256 | 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a |
| SHA512 | c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b |
memory/2844-76-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-78-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-80-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-82-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-84-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-86-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-88-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2844-89-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-91-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-93-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-94-0x0000000000400000-0x0000000000433000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Bx2067.exe
| MD5 | d9ca8ec6c70d1ba58410524e132d3aca |
| SHA1 | 5df75acc5c9b8864564406da1f9250ac8af74b66 |
| SHA256 | 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a |
| SHA512 | c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b |
memory/2844-99-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2844-100-0x0000000000400000-0x0000000000433000-memory.dmp