Analysis Overview
SHA256
cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74
Threat Level: Known bad
The file cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74 was found to be: Known bad.
Malicious Activity Summary
Detects Healer an antivirus disabler dropper
RedLine payload
Healer family
Redline family
Healer
RedLine
Modifies Windows Defender Real-time Protection settings
Loads dropped DLL
Windows security modification
Executes dropped EXE
Adds Run key to start application
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:53
Reported
2024-11-10 02:56
Platform
win7-20240903-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74.exe
"C:\Users\Admin\AppData\Local\Temp\cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
Files
memory/2052-0-0x00000000044C0000-0x00000000045A3000-memory.dmp
memory/2052-1-0x00000000044C0000-0x00000000045A3000-memory.dmp
memory/2052-2-0x0000000004600000-0x00000000046EC000-memory.dmp
memory/2052-3-0x0000000000400000-0x00000000004F0000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe
| MD5 | c0bc7316fd819601d708c897608b26c6 |
| SHA1 | f721c9a7faacfd369cebb60173867de506074dac |
| SHA256 | 13e2a41142ce65a43e2335ff5d6ceb921386681703dee6430bb744be57ce44a3 |
| SHA512 | 218df128bcc962f025e88af6198af3ab0ce990f904545688761c26e09c6be9ac4c5bc9cf0ea0f403b50fe46c986f01d0b1e4cf8f20371482e06030bc2c766b2f |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe
| MD5 | bfe2caae559bf72efbb475d3ab2eb534 |
| SHA1 | d43efcdbf4c805b5fe83f05a17157ca8ef71ce0f |
| SHA256 | e8200687e65472b42df2008b06e066c5b5235a8826c7e7fde8880aa43c77b8e6 |
| SHA512 | 44afab2b2b51673b3cdd840a29f8f442dc0e7c1b11b8e2baad7b41e2fc0ab39901e6e4dc4556b31c0ca31dd73f0ab105262cdb88620fa5cd1c6af7242336fd59 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe
| MD5 | 807f1064228e96917a18eb2b806aa900 |
| SHA1 | 8500f8dcd597b017e367d72efae9d8b9244a7093 |
| SHA256 | 383ccb981b1265f4481cae6abb6c24089dd151a8cfb65152e7a7f0c1165b4c8f |
| SHA512 | 6a23d9812dfb5f5e08fd6d6122956eeea45d1669f68d91d7d5cade856a8d31c2a4a53c92dd6dbd7f30d731cdd73c1ad1ff0fadef516101c7b3f7dfa389913023 |
memory/3064-38-0x00000000003E0000-0x00000000003FA000-memory.dmp
memory/3064-39-0x0000000002C20000-0x0000000002C38000-memory.dmp
memory/3064-48-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-51-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-67-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-65-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-63-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-61-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-59-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-57-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-55-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-53-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-49-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-45-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-43-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-41-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/3064-40-0x0000000002C20000-0x0000000002C32000-memory.dmp
memory/2052-68-0x00000000044C0000-0x00000000045A3000-memory.dmp
memory/2052-69-0x0000000004600000-0x00000000046EC000-memory.dmp
memory/2052-71-0x0000000000400000-0x00000000004F0000-memory.dmp
memory/2052-70-0x0000000000400000-0x0000000002C73000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe
| MD5 | 47cbac6f9d0f549de8092df98638a52d |
| SHA1 | 8caa2a355b7992e107b5a574bcf09fbeb7771df6 |
| SHA256 | fa7929ebc04e83ce66306d03a33f8b48c47bc7654dd8cf2c2ff83b54629b2dab |
| SHA512 | 7c4dcccb0bf79499f1315ec7e0f736a7670fcc63a5035cf2fa18f13c9a969cd5036daa33667453d9fce385b8b1914a5f26377c69f02254800459ff63d5483ae1 |
memory/3064-72-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/2484-83-0x00000000073E0000-0x000000000741C000-memory.dmp
memory/2484-84-0x0000000007420000-0x000000000745A000-memory.dmp
memory/2484-92-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-98-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-96-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-94-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-90-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-88-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-86-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-85-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-118-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-116-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-114-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-112-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-110-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-108-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-106-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-104-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-102-0x0000000007420000-0x0000000007455000-memory.dmp
memory/2484-100-0x0000000007420000-0x0000000007455000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 02:53
Reported
2024-11-10 02:56
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
151s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74.exe
"C:\Users\Admin\AppData\Local\Temp\cd890ba43dabf94075e07b9bff5a21a48ae2469ee7c009c9712a53a759356a74.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1192 -ip 1192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
| RU | 185.161.248.142:38452 | | tcp |
Files
memory/1488-1-0x00000000049D0000-0x0000000004AC0000-memory.dmp
memory/1488-2-0x0000000004B70000-0x0000000004C5C000-memory.dmp
memory/1488-3-0x0000000000400000-0x00000000004F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ir478252.exe
| MD5 | c0bc7316fd819601d708c897608b26c6 |
| SHA1 | f721c9a7faacfd369cebb60173867de506074dac |
| SHA256 | 13e2a41142ce65a43e2335ff5d6ceb921386681703dee6430bb744be57ce44a3 |
| SHA512 | 218df128bcc962f025e88af6198af3ab0ce990f904545688761c26e09c6be9ac4c5bc9cf0ea0f403b50fe46c986f01d0b1e4cf8f20371482e06030bc2c766b2f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl554725.exe
| MD5 | bfe2caae559bf72efbb475d3ab2eb534 |
| SHA1 | d43efcdbf4c805b5fe83f05a17157ca8ef71ce0f |
| SHA256 | e8200687e65472b42df2008b06e066c5b5235a8826c7e7fde8880aa43c77b8e6 |
| SHA512 | 44afab2b2b51673b3cdd840a29f8f442dc0e7c1b11b8e2baad7b41e2fc0ab39901e6e4dc4556b31c0ca31dd73f0ab105262cdb88620fa5cd1c6af7242336fd59 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\195540110.exe
| MD5 | 807f1064228e96917a18eb2b806aa900 |
| SHA1 | 8500f8dcd597b017e367d72efae9d8b9244a7093 |
| SHA256 | 383ccb981b1265f4481cae6abb6c24089dd151a8cfb65152e7a7f0c1165b4c8f |
| SHA512 | 6a23d9812dfb5f5e08fd6d6122956eeea45d1669f68d91d7d5cade856a8d31c2a4a53c92dd6dbd7f30d731cdd73c1ad1ff0fadef516101c7b3f7dfa389913023 |
memory/1192-26-0x0000000004BF0000-0x0000000004C0A000-memory.dmp
memory/1192-27-0x0000000007310000-0x00000000078B4000-memory.dmp
memory/1192-28-0x0000000007290000-0x00000000072A8000-memory.dmp
memory/1192-30-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-32-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-56-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-55-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-52-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-50-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-48-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-46-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-44-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-42-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-40-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-38-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-36-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-34-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1192-29-0x0000000007290000-0x00000000072A2000-memory.dmp
memory/1488-57-0x00000000049D0000-0x0000000004AC0000-memory.dmp
memory/1488-59-0x0000000004B70000-0x0000000004C5C000-memory.dmp
memory/1488-58-0x0000000000400000-0x0000000002C73000-memory.dmp
memory/1488-60-0x0000000000400000-0x00000000004F0000-memory.dmp
memory/1192-61-0x0000000000400000-0x0000000002BAF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\253376046.exe
| MD5 | 47cbac6f9d0f549de8092df98638a52d |
| SHA1 | 8caa2a355b7992e107b5a574bcf09fbeb7771df6 |
| SHA256 | fa7929ebc04e83ce66306d03a33f8b48c47bc7654dd8cf2c2ff83b54629b2dab |
| SHA512 | 7c4dcccb0bf79499f1315ec7e0f736a7670fcc63a5035cf2fa18f13c9a969cd5036daa33667453d9fce385b8b1914a5f26377c69f02254800459ff63d5483ae1 |
memory/1192-63-0x0000000000400000-0x0000000002BAF000-memory.dmp
memory/2460-68-0x0000000004BA0000-0x0000000004BDC000-memory.dmp
memory/2460-69-0x00000000077A0000-0x00000000077DA000-memory.dmp
memory/2460-73-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-77-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-101-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-99-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-98-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-95-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-93-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-91-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-90-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-87-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-85-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-83-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-81-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-79-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-75-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-71-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-70-0x00000000077A0000-0x00000000077D5000-memory.dmp
memory/2460-862-0x0000000009CA0000-0x000000000A2B8000-memory.dmp
memory/2460-863-0x000000000A350000-0x000000000A362000-memory.dmp
memory/2460-864-0x000000000A370000-0x000000000A47A000-memory.dmp
memory/2460-865-0x000000000A490000-0x000000000A4CC000-memory.dmp
memory/2460-866-0x00000000049A0000-0x00000000049EC000-memory.dmp