Analysis Overview
SHA256
846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da
Threat Level: Known bad
The file 846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Healer family
RedLine
Redline family
Healer
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Loads dropped DLL
Adds Run key to start application
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 13:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 13:56
Reported
2024-11-04 13:58
Platform
win7-20240903-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe
"C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
Files
memory/1836-0-0x0000000000230000-0x0000000000304000-memory.dmp
memory/1836-1-0x0000000000230000-0x0000000000304000-memory.dmp
memory/1836-2-0x0000000002C70000-0x0000000002D4D000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
| MD5 | d65c8e9f391cf20655232c5c987b746f |
| SHA1 | bfce684cea9f3ad1f8319e3dd581f58ec22df410 |
| SHA256 | 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc |
| SHA512 | 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597 |
memory/1836-9-0x0000000000400000-0x00000000004E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
| MD5 | 79bb8aa7f82a94ba01dc4b70c63957e0 |
| SHA1 | 535a7c0407de96fdce4bf3017f07b4333e9acc01 |
| SHA256 | 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9 |
| SHA512 | c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
| MD5 | e1b364b4b96ca742b39a069ca1390a0b |
| SHA1 | 970e15712c7b43117b2144d2dbf2aed590fff249 |
| SHA256 | dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b |
| SHA512 | 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d |
memory/1740-38-0x0000000002C10000-0x0000000002C2A000-memory.dmp
memory/1740-39-0x00000000046B0000-0x00000000046C8000-memory.dmp
memory/1740-40-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-51-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-67-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-65-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-63-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-61-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-59-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-55-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-53-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-49-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-47-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-45-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-43-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-57-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1740-41-0x00000000046B0000-0x00000000046C2000-memory.dmp
memory/1836-68-0x0000000000230000-0x0000000000304000-memory.dmp
memory/1836-69-0x0000000002C70000-0x0000000002D4D000-memory.dmp
memory/1836-71-0x0000000000400000-0x00000000004E1000-memory.dmp
memory/1836-70-0x0000000000400000-0x0000000002C64000-memory.dmp
memory/1740-73-0x0000000000400000-0x0000000002BAF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
| MD5 | 848ce28183931ae67c8a0d8ce3a1efc3 |
| SHA1 | a39582bf82be42b8cf83b0015130273ab0e51c90 |
| SHA256 | 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3 |
| SHA512 | 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d |
memory/1740-72-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/2516-84-0x0000000004F60000-0x0000000004F9C000-memory.dmp
memory/2516-85-0x0000000004FA0000-0x0000000004FDA000-memory.dmp
memory/2516-97-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-117-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-115-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-113-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-111-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-109-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-107-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-105-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-103-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-101-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-99-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-95-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-93-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-91-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-89-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-87-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
memory/2516-86-0x0000000004FA0000-0x0000000004FD5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 13:56
Reported
2024-11-04 13:58
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe
"C:\Users\Admin\AppData\Local\Temp\846e5cfac587c46e306b86d5dc9903e39e3dae5d7d264b912abcffb29bef08da.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2284 -ip 2284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
Files
memory/4788-2-0x00000000049D0000-0x0000000004AAD000-memory.dmp
memory/4788-1-0x00000000048F0000-0x00000000049CD000-memory.dmp
memory/4788-3-0x0000000000400000-0x00000000004E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ut865216.exe
| MD5 | d65c8e9f391cf20655232c5c987b746f |
| SHA1 | bfce684cea9f3ad1f8319e3dd581f58ec22df410 |
| SHA256 | 0376e92c9fdd3170bd6c4589d0ab56494bbef6ebb0c1ec8c2be1ea0c637281dc |
| SHA512 | 226c17e238df5c15eb0a90d5e6922f131e45daa44bee1d7dffe934068cb0db54e03fb23d45826e6daf21f5251bc1cfa65948f19dc45c4c9099376f724e342597 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iY640225.exe
| MD5 | 79bb8aa7f82a94ba01dc4b70c63957e0 |
| SHA1 | 535a7c0407de96fdce4bf3017f07b4333e9acc01 |
| SHA256 | 337c493481660ea88e0c92612f9caafff009cf7820f9fb84746b24ed2b64fff9 |
| SHA512 | c7adba7203490aee60aa1b678632df1b1b168f47810bc927978f9b8b7e8ace467446c58f8ae85f3f5bbd3fa4cbae2ace32f67b893c02282de618878b98b50139 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\106888316.exe
| MD5 | e1b364b4b96ca742b39a069ca1390a0b |
| SHA1 | 970e15712c7b43117b2144d2dbf2aed590fff249 |
| SHA256 | dc2f6a4b3d395642bdd40c133807093078b2e6b7f4e683a878d63e258d58cb4b |
| SHA512 | 4b48624e84da9949c79e3116f9327cd1f1cd1a68cf495db1c7203db470fc668afca3f48674fc47244e6d6e9157a0d3adaa22183a20470a57df1c5f4a31f8573d |
memory/2284-26-0x0000000004930000-0x000000000494A000-memory.dmp
memory/2284-27-0x0000000007310000-0x00000000078B4000-memory.dmp
memory/2284-28-0x0000000004CF0000-0x0000000004D08000-memory.dmp
memory/2284-51-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-56-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-54-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-52-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-49-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-46-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-44-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-42-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-40-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-38-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-36-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-34-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-32-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-30-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/2284-29-0x0000000004CF0000-0x0000000004D02000-memory.dmp
memory/4788-57-0x00000000048F0000-0x00000000049CD000-memory.dmp
memory/4788-59-0x00000000049D0000-0x0000000004AAD000-memory.dmp
memory/4788-58-0x0000000000400000-0x0000000002C64000-memory.dmp
memory/4788-61-0x0000000000400000-0x00000000004E1000-memory.dmp
memory/2284-60-0x0000000000400000-0x0000000002BAF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\258768145.exe
| MD5 | 848ce28183931ae67c8a0d8ce3a1efc3 |
| SHA1 | a39582bf82be42b8cf83b0015130273ab0e51c90 |
| SHA256 | 1920e51f6e64752f4dd7474638b8d86c646e1b8cc4099415d2319d038fe1aff3 |
| SHA512 | 430e793cac623274f0082eaec2377e946d9238f394837272ea4237ef305a00b3db28c081d6c82d2fbcadab0dc5a11769ebd9423e9129279a91ffe4b7aeae4b1d |
memory/2284-63-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/3272-68-0x0000000003020000-0x000000000305C000-memory.dmp
memory/3272-69-0x0000000004CC0000-0x0000000004CFA000-memory.dmp
memory/3272-75-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-87-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-101-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-99-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-98-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-95-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-94-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-91-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-90-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-85-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-83-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-81-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-79-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-77-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-73-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-71-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-70-0x0000000004CC0000-0x0000000004CF5000-memory.dmp
memory/3272-862-0x0000000009D00000-0x000000000A318000-memory.dmp
memory/3272-863-0x000000000A360000-0x000000000A372000-memory.dmp
memory/3272-864-0x000000000A380000-0x000000000A48A000-memory.dmp
memory/3272-865-0x000000000A490000-0x000000000A4CC000-memory.dmp
memory/3272-866-0x0000000004A30000-0x0000000004A7C000-memory.dmp