Analysis Overview
SHA256
81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f
Threat Level: Known bad
The file 81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f was found to be: Known bad.
Malicious Activity Summary
Detects Healer, an antivirus disabler dropper
RedLine payload
Healer family
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
Redline family
Windows security modification
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:00
Reported
2024-11-10 02:03
Platform
win7-20240903-en
Max time kernel
142s
Max time network
146s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe | "C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
| MD5 | fa00be7caa8c76ecf693086a43a6fa72 |
| SHA1 | 5a824c7908f9a759b12be9aa2c5d758e003f36eb |
| SHA256 | 47ad2bf46a37ecfa35b25a2a5e59bda6d82e8768361fc9726e2a84d84a85a4b1 |
| SHA512 | cd1f0cc4dfa573648f8979cdc448f45b4ab07ae5e760541725d6a0dba1fa398208b534bb224e5fff79c9953a3ac89bcd3e5aca2c518143bce9dc68a55e4c62ea |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
| MD5 | 200afa6d30b530e30060f4732a7d7ad8 |
| SHA1 | cada950005d7c663e2076e0d8a8147e49b9fbdd2 |
| SHA256 | d4a96660a52626abf454197b499e0c0ab26ed25462b08bbd8b0c14cca16620be |
| SHA512 | d91886c594ff70176cd81f319f63092058729fba82789bae3173f711d32eac6ae189d8b930178338dfac441ec2e8b5d28f18e20f3d58e4f1a26ca86fd49eae2d |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
| MD5 | 4d86b1f078cf5b393a3c4c1977338041 |
| SHA1 | 08ffce6e13ae74e83023e643ea97b0d9960e6e24 |
| SHA256 | a27c02ac2161eee8c4887a42c42af559a1be457c6b46d368c46eafeb3b878e1b |
| SHA512 | f1a4aa45b0a55467d479dc23502556c8766a7551ad3f688fd3092c713f41775373d1a7d3e5c3193ee4d0d8c786bad6dfd0aa20a8702460632612dd992e4e07b0 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
| MD5 | a57403199ddf1fad6096938e90ccc21e |
| SHA1 | 45bcfc93e33259f76bfb8a68b19b4b43dd28678e |
| SHA256 | eb0fb8fabb95798d507af3ed1999ab280efb55d61f62222aad3fc59be9551c3e |
| SHA512 | eeeba09adb6171e9a56481e4b68b53359a0d94c16716e0783d7cfd69d61c923f627d41c1e47f0164a705445bf182cbf912347577bb45418fbe44c242bdba4bb7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 02:00
Reported
2024-11-10 02:03
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe | "C:\Users\Admin\AppData\Local\Temp\81d5c6797f26ea24943a80ec5b5a9ef1fc5e69ece84b6d417bc1eb7170d2050f.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2624 -ip 2624 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1092 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
| MD5 | fa00be7caa8c76ecf693086a43a6fa72 |
| SHA1 | 5a824c7908f9a759b12be9aa2c5d758e003f36eb |
| SHA256 | 47ad2bf46a37ecfa35b25a2a5e59bda6d82e8768361fc9726e2a84d84a85a4b1 |
| SHA512 | cd1f0cc4dfa573648f8979cdc448f45b4ab07ae5e760541725d6a0dba1fa398208b534bb224e5fff79c9953a3ac89bcd3e5aca2c518143bce9dc68a55e4c62ea |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
| MD5 | 200afa6d30b530e30060f4732a7d7ad8 |
| SHA1 | cada950005d7c663e2076e0d8a8147e49b9fbdd2 |
| SHA256 | d4a96660a52626abf454197b499e0c0ab26ed25462b08bbd8b0c14cca16620be |
| SHA512 | d91886c594ff70176cd81f319f63092058729fba82789bae3173f711d32eac6ae189d8b930178338dfac441ec2e8b5d28f18e20f3d58e4f1a26ca86fd49eae2d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
| MD5 | 4d86b1f078cf5b393a3c4c1977338041 |
| SHA1 | 08ffce6e13ae74e83023e643ea97b0d9960e6e24 |
| SHA256 | a27c02ac2161eee8c4887a42c42af559a1be457c6b46d368c46eafeb3b878e1b |
| SHA512 | f1a4aa45b0a55467d479dc23502556c8766a7551ad3f688fd3092c713f41775373d1a7d3e5c3193ee4d0d8c786bad6dfd0aa20a8702460632612dd992e4e07b0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
| MD5 | a57403199ddf1fad6096938e90ccc21e |
| SHA1 | 45bcfc93e33259f76bfb8a68b19b4b43dd28678e |
| SHA256 | eb0fb8fabb95798d507af3ed1999ab280efb55d61f62222aad3fc59be9551c3e |
| SHA512 | eeeba09adb6171e9a56481e4b68b53359a0d94c16716e0783d7cfd69d61c923f627d41c1e47f0164a705445bf182cbf912347577bb45418fbe44c242bdba4bb7 |