Malware Analysis Report

2024-10-19 08:27

Sample ID 240125-v4yvysbgc8
Target 751acdffdab84a688d4cebf79852b049
SHA256 0e432a16d518b1e14f501faa212323e362daa674d542698f23e05e83a6065a0c
Tags
evasion persistence themida kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e432a16d518b1e14f501faa212323e362daa674d542698f23e05e83a6065a0c

Threat Level: Known bad

The file 751acdffdab84a688d4cebf79852b049 was found to be: Known bad.

Malicious Activity Summary

evasion persistence themida kinsing loader

Kinsing

Modifies Installed Components in the registry

Themida packer

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:33

Reported

2024-01-25 17:35

Platform

win7-20231215-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515} C:\Windows\svcr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe" C:\Windows\svcr.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svcr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FB3.exe N/A
N/A N/A C:\Windows\svcr.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\svcr.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Wine C:\Windows\svcr.exe N/A

Themida packer

themida
Description Indicator Process Target Count
N/A N/A N/A N/A 12

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" C:\Users\Admin\AppData\Local\Temp\svcr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe" C:\Users\Admin\AppData\Local\Temp\svcr.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svcr.exe N/A
N/A N/A C:\Windows\svcr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svcr.exe C:\Users\Admin\AppData\Local\Temp\svcr.exe N/A
File created C:\Windows\svcr.exe C:\Users\Admin\AppData\Local\Temp\svcr.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DCA63261-BBA7-11EE-BD5F-6E3D54FB2439} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412365882" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\svcr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2956 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe C:\Users\Admin\AppData\Local\Temp\svcr.exe 4
PID 2956 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe C:\Users\Admin\AppData\Local\Temp\FB3.exe 4
PID 2756 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\svcr.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 280 wrote to memory of 2904 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE 4
PID 2904 wrote to memory of 1628 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 2756 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\svcr.exe C:\Windows\svcr.exe 4
PID 2504 wrote to memory of 832 N/A C:\Windows\svcr.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 832 wrote to memory of 1340 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE 4
PID 2904 wrote to memory of 1408 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 2504 wrote to memory of 1340 N/A C:\Windows\svcr.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE 28

Count = number of identical entries recorded for that source/target pair.

Processes

C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe

"C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe"

C:\Users\Admin\AppData\Local\Temp\svcr.exe

"C:\Users\Admin\AppData\Local\Temp\svcr.exe"

C:\Users\Admin\AppData\Local\Temp\FB3.exe

"C:\Users\Admin\AppData\Local\Temp\FB3.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275465 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

C:\Windows\svcr.exe

"C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\svcr.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2956-0-0x0000000000400000-0x0000000000995000-memory.dmp

memory/2956-1-0x00000000025F0000-0x0000000002700000-memory.dmp

memory/2956-4-0x0000000000400000-0x0000000000995000-memory.dmp

memory/2956-7-0x0000000005640000-0x0000000005641000-memory.dmp

memory/2956-10-0x0000000005670000-0x0000000005671000-memory.dmp

memory/2956-9-0x0000000005690000-0x0000000005691000-memory.dmp

memory/2956-11-0x00000000056A0000-0x00000000056A1000-memory.dmp

memory/2956-8-0x0000000005660000-0x0000000005661000-memory.dmp

memory/2956-6-0x0000000005680000-0x0000000005683000-memory.dmp

\Users\Admin\AppData\Local\Temp\svcr.exe

MD5 90564fde78ee378ca3aa7b64c56ed10b
SHA1 f6219d8943225ebae9c73ca4e28ff773b277eb4d
SHA256 be28c926bf1ab7010a5917e7c3cccae5ebd2330094f745a30dd74fb16b235dce
SHA512 3b79e0e317702b69e2e26fbbef73d6230e2f7285c0a261e1f79d2581255ed99259c8c571f4d0af835bba2df26d22f8e13cf1513f5f736be1f5f68590f64bdd1d

\Users\Admin\AppData\Local\Temp\svcr.exe

MD5 7dc79092c8bbef75bc3246091659fa13
SHA1 7aabc5ccd7289f89de0838d80002993c4232293b
SHA256 e04d923b6acedce424c0c6e6a894d8b732260c4851222b6fc135d934772eae36
SHA512 a693b5a2b9800b9922712dcebc20b6f8b961db9f9d245ad0659d6d1d2c5259ffcc3683a6cf5fcd5b0a96e8979c8d6e4310836cc7c7a8ab58e3dc38ba69d40599

memory/2956-21-0x0000000006A50000-0x0000000006BBE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svcr.exe

MD5 c00bd1fbaa3ede925244f497e711a325
SHA1 e7ac9cd242c8b8daa8700b003ffebd233f9c8ee7
SHA256 300a47d020a50936c0beb40eb2839716111b33cabca1aa8bd72c6934e260342a
SHA512 0fceec813ea793aa73b3a437d3181863a155254d43b79660c7526e7e68d22661dd9a24f5d25ebdb5cf71e7972849ecddcceeca66ffa782672e67be51cd64ed72

C:\Users\Admin\AppData\Local\Temp\svcr.exe

MD5 f87927da220880ea62046399dbc0a60c
SHA1 604b77ab442efa8c288165bfcdd4038771249c7e
SHA256 d87efc13af6f7779a78c88ba012046d8431a1c74afa0aa55b807d7266ec93a98
SHA512 ad1d63908b5313e966e00c7c3958dab20a32a18a905f5559c655e1097e3fbef957c4c3cf09e7031ec61750803eeaee64099eb1a1498df9e50b3a500dba411234

\Users\Admin\AppData\Local\Temp\FB3.exe

MD5 8728550584b8c4723ed20988e259e2b7
SHA1 f4330ecd4ed477601d8cd96fa93126bc275bf492
SHA256 60aa1838d41a0277d25faafb6ff0eb2ea0ff4e494936903c4a0ace8c5d81ab29
SHA512 946289f3b48fd3a09871b6f35bd6d6ba4fae8ea00f1b51db7153b00fcd67b714a7ae3bb9bebfb7c0e409177fc949424e4e31696dc9ef5eb6d8e96ec2cf1c30b8

memory/2956-28-0x0000000006A50000-0x0000000006BBE000-memory.dmp

memory/2756-31-0x0000000000400000-0x000000000056E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FB3.exe

MD5 cb24bc4026973489a2a39c74bd5f3e59
SHA1 de52b5b7c52fac8a103e377a97fcfbc8b8f336f8
SHA256 0139ef8a037561389103ee1e094cb2542b670d7bbc11c78e0942f846ae1dd256
SHA512 7bb6dbdb08a5c75533e9eab11fded80ce5c39eeedf564965481389d9c4c09faf6f1655172169935ce8e2928d7d3481d4a7e8885c061eb225d1ee74db1b04c029

C:\Users\Admin\AppData\Local\Temp\FB3.exe

MD5 bf29bb20e90f22aeb5559069e8478b44
SHA1 3f3c8b4f259b09b196e1d5688c49a2ca9bae7e14
SHA256 d6808d5cdf5eb34816a91975b4e370bf4e94be8245cb07b4dd95504fc9b46471
SHA512 cea985cbfb6e8faf8b540c57011931d753634f47f8377eb833ae4977bcbd71080d47cc06e82393c7bc97abd078839d04d30032cc82b664ab59829abf253672e9

\Users\Admin\AppData\Local\Temp\FB3.exe

MD5 e068502c18e1b1c2651019ea1778cbf9
SHA1 2977bb27eae8116017cb89a0ba816bc6df69561e
SHA256 ff0ed5dcc1c7912d393668bf34567ca71629c00b3f7aad7c46bbaf86be3f0109
SHA512 79b31c5e3b01c9fb4727a629530eb416474b2be3f581e7627b2d6174af5df2759fc1e8cf5247ce4aa81e41a470a1fee402a1d9e5875400c249a3226cdf12995b

C:\Users\Admin\AppData\Local\Temp\FB3.exe

MD5 3690965b708b06e24bff3f1d9a4bdbe0
SHA1 a38746d2ef3411d24fb02957cebc280ffcf1e243
SHA256 0e40b5ad6ffbfcd04942dc7264bc10d1874f802938a6e4ac0b5a1c9c5ade684f
SHA512 a8794ad469e43eec17849e824e04cf3fd2f79217715d3c1f2038f67548cac182b5769cb4881ff0fc8b20eac9df10012195907e551f03ecae184af7f16083a9da

memory/2732-33-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2732-34-0x0000000000400000-0x0000000000524000-memory.dmp

memory/2956-37-0x0000000000400000-0x0000000000995000-memory.dmp

memory/2756-38-0x0000000004070000-0x0000000004071000-memory.dmp

memory/2756-36-0x0000000000400000-0x000000000056E000-memory.dmp

memory/2956-40-0x0000000000400000-0x0000000000995000-memory.dmp

memory/2756-39-0x0000000004050000-0x0000000004052000-memory.dmp

memory/2756-43-0x0000000004080000-0x0000000004081000-memory.dmp

memory/2756-44-0x00000000040A0000-0x00000000040A1000-memory.dmp

memory/2956-42-0x00000000025F0000-0x0000000002700000-memory.dmp

memory/2756-41-0x0000000004040000-0x0000000004041000-memory.dmp

memory/2756-48-0x00000000040B0000-0x00000000040B1000-memory.dmp

memory/2756-49-0x00000000040C0000-0x00000000040C1000-memory.dmp

memory/2504-59-0x0000000000400000-0x000000000056E000-memory.dmp

memory/2756-58-0x0000000004030000-0x0000000004031000-memory.dmp

C:\Windows\svcr.exe

MD5 1303de06e2ea4dc77a9670f5d4f765a8
SHA1 9ef08dc31aa34ddf90fbafbd6c3ee429ad292fef
SHA256 de2472e9776f8b83674dfbeb7ae4d830de02b25b8e0c1037bbbfffb3dd28b2a9
SHA512 d7af2a392cb1f617e1774594a33c3042a9524ba8c8c4ea3fabe824d318d8fc9ad6d9555d95a91750b5262846a3fd7722c4103b529a8c8831f9ea7b0a4d3be3f9

memory/2504-65-0x00000000040A0000-0x00000000040A1000-memory.dmp

memory/2504-68-0x0000000010410000-0x000000001042E000-memory.dmp

memory/2504-67-0x00000000040B0000-0x00000000040B1000-memory.dmp

memory/2504-72-0x0000000004090000-0x0000000004091000-memory.dmp

memory/2504-77-0x0000000000400000-0x000000000056E000-memory.dmp

memory/2504-78-0x0000000004030000-0x0000000004031000-memory.dmp

memory/2504-70-0x00000000040C0000-0x00000000040C1000-memory.dmp

memory/2504-64-0x0000000004080000-0x0000000004081000-memory.dmp

memory/2504-63-0x0000000004040000-0x0000000004041000-memory.dmp

memory/2504-62-0x0000000004050000-0x0000000004052000-memory.dmp

memory/2504-61-0x0000000004070000-0x0000000004071000-memory.dmp

memory/2504-60-0x0000000000400000-0x000000000056E000-memory.dmp

memory/2756-56-0x0000000004A10000-0x0000000004B7E000-memory.dmp

memory/2756-55-0x0000000000400000-0x000000000056E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svcr.exe

MD5 67b1ce15cbd5380e6ddc1fe8d4fc1303
SHA1 ac37a8123353e4cfe6504afad3912d5f12d26574
SHA256 1fe6cd64a02c3d306a80faa6810db0537dec87a44c425e64683403ad659e34db
SHA512 102f96d92f89ee8f5cd37671a9a27304ba40fa71097a98a2944a9723bd73d61be48bcbb6ffed8803201c7138896a21469101ae234ef1742025218ba63d202fbc

C:\Users\Admin\AppData\Local\Temp\Cab85F4.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ae18a03e81e0ea7c678c4259b45fc06
SHA1 7cadee3f798604925dbeb878f2d6dedb9b507b4c
SHA256 7d940c637aeeaa45e641ecaf7865cd558a199880e4961aa91a53fa5d1452451e
SHA512 9d6285d520a4fb950ab7ad88f4f8abeb3569c8c53891cd90a13c671e70184b4c4f1acb2f845eaf7fb062d2f9f37f27cf572ef3ebc75b35e952d05b8fc1cfcdeb

C:\Users\Admin\AppData\Local\Temp\Tar86B3.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6452859b368ce789cc60a95faf4d0fdd
SHA1 04d2e1c74d3a8f61cd0fc46f7c94f3b069d9353f
SHA256 6d844380db266d7e268e1e610393f1837bbb66d5b081364b6f98dd6e2d680039
SHA512 0191e65577b4f2fc2942db13cbb61aa6c5baac42422a8cef90e36688b78450f04d503594d1f5f2e3da3734f4299752ae1915dd8f7961f95563c274a791340213

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5fcb56f078965e383257745c7a666b4f
SHA1 3aa6fa9d80407cc4c4ffbc8399421c63bba16214
SHA256 cccf6d915a289336badfbe4feaa00158482172858b29896cb9b419dfe9ec7b08
SHA512 954f7390fd9c9926199ce4ab1c552c9942395940d6e0c6cd61357c5cc1c84867307bef89811ac00afae6ad2d38a8b4617035c09f75654d5bad4185e96288450a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a9c3e28efe5c0f1e2b506dafe506cfc
SHA1 e90ea557b3fc04d0c06b7aef6d6ad7ae3d079fd3
SHA256 46fd5b39ccec74d6941b12c791f5b38c2da7eb0c9c6d8c606ea8b375805c10df
SHA512 23c5438e2e0ba095843cdeb41d01b1c6bffcc484ce3b98b9d5136b630dec2769b63ee11caa12381bfde4301f811d81060fb5eeac0f024992eced195a7b2da45b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b45c06cddf462633054bdb38ecfffd89
SHA1 cc8254269a5350742459b13ae271fb1548a9b531
SHA256 ece889b7339f075f1e05983b5f695edb4b3f0e9d4e8aaed1143e20f559f422f8
SHA512 848a7e70859ce7db57725a5ebe63bddbfa92e6b8769a12f426963cde2b80ad71a5b92ff69d03d29d7055471b975c227ba2579df5e76214203bf9fd92c1d1b032

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b847a19f9db1481399673c8feb16f61b
SHA1 eb8956a7cc76c65e02f8e37d124e4e94a48fe7eb
SHA256 f125f8f837c5a4ce4b457aece05b8b8968ac85c0520556ef407ef9b5d17d9f82
SHA512 07907d0f62683ae1c649e748f87680cd172ff6f813e21829ee100ec7b4588671f39a24b9546bd39d31c927d8c7e708a60d7fce635f0911d2ebb4660f9da77139

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2873f7cfc8cf51c460a3628e2e2c6fa1
SHA1 e311b057c7e79738d2ccf62eddb587b61f7f0e3e
SHA256 53bc01a7398270276b9cc4315abf00e759c9353d268b2085f622c5229ce4f0c9
SHA512 e8a2a7f48b142b3c17419b3e20fd2f19dec35fb7ae650d76bcf134faed59ff50409a99dc19f1fce5ab90ae481b88f1f736e144ea1794b9c7473fdd7128c0d226

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba2057514046b0e8ea36cf46480b313b
SHA1 4c7f8d52fb36ea768a02883cc4cf86819f7aaf33
SHA256 70ab9bcd738637f51d0117d145d7221b9a6c79a814fc653206b5b8ba5ad88d35
SHA512 2ba3c0de972ef52f45bbd9c9faa608f6f1f19dee5416fea282ac219c0626055464267a6608841992fe074fb9f3940c4f29165f335788431121ff9e06e9ad9990

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a5a57a59abadee194dffa510f31f139
SHA1 1f1acdc80ba9207e46b46e949926d67e4e3e4d0b
SHA256 a61b8344fda61dd8442501c46b6528cab4851fdfa00d1a5a7ef8b9bf5028f92a
SHA512 d99a70f381ca538c2f5c8beb6943f44ebb58576beeaa3196bb0664a5f617c42da09608e7dfaf5741495cc52e6958301a4427ef7fdd0ea0d4ab5540ccb1cd995b

memory/2756-507-0x0000000004030000-0x0000000004031000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:33

Reported

2024-01-25 17:35

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe"

Signatures

Kinsing

loader kinsing

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe

"C:\Users\Admin\AppData\Local\Temp\751acdffdab84a688d4cebf79852b049.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

memory/1388-0-0x0000000000400000-0x0000000000995000-memory.dmp

memory/1388-1-0x0000000002A00000-0x0000000002AF0000-memory.dmp

memory/1388-4-0x0000000002A00000-0x0000000002AF0000-memory.dmp