Analysis Overview
SHA256
1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a
Threat Level: Known bad
The file 1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Healer family
RedLine
Redline family
Healer
Detects Healer an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Loads dropped DLL
Executes dropped EXE
Windows security modification
Adds Run key to start application
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 03:03
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 03:03
Reported
2024-11-10 03:05
Platform
win7-20240903-en
Max time kernel
141s
Max time network
148s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a.exe | "C:\Users\Admin\AppData\Local\Temp\1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 185.161.248.143:38452 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
| MD5 | fa00be7caa8c76ecf693086a43a6fa72 |
| SHA1 | 5a824c7908f9a759b12be9aa2c5d758e003f36eb |
| SHA256 | 47ad2bf46a37ecfa35b25a2a5e59bda6d82e8768361fc9726e2a84d84a85a4b1 |
| SHA512 | cd1f0cc4dfa573648f8979cdc448f45b4ab07ae5e760541725d6a0dba1fa398208b534bb224e5fff79c9953a3ac89bcd3e5aca2c518143bce9dc68a55e4c62ea |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
| MD5 | 200afa6d30b530e30060f4732a7d7ad8 |
| SHA1 | cada950005d7c663e2076e0d8a8147e49b9fbdd2 |
| SHA256 | d4a96660a52626abf454197b499e0c0ab26ed25462b08bbd8b0c14cca16620be |
| SHA512 | d91886c594ff70176cd81f319f63092058729fba82789bae3173f711d32eac6ae189d8b930178338dfac441ec2e8b5d28f18e20f3d58e4f1a26ca86fd49eae2d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
| MD5 | 4d86b1f078cf5b393a3c4c1977338041 |
| SHA1 | 08ffce6e13ae74e83023e643ea97b0d9960e6e24 |
| SHA256 | a27c02ac2161eee8c4887a42c42af559a1be457c6b46d368c46eafeb3b878e1b |
| SHA512 | f1a4aa45b0a55467d479dc23502556c8766a7551ad3f688fd3092c713f41775373d1a7d3e5c3193ee4d0d8c786bad6dfd0aa20a8702460632612dd992e4e07b0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
| MD5 | a57403199ddf1fad6096938e90ccc21e |
| SHA1 | 45bcfc93e33259f76bfb8a68b19b4b43dd28678e |
| SHA256 | eb0fb8fabb95798d507af3ed1999ab280efb55d61f62222aad3fc59be9551c3e |
| SHA512 | eeeba09adb6171e9a56481e4b68b53359a0d94c16716e0783d7cfd69d61c923f627d41c1e47f0164a705445bf182cbf912347577bb45418fbe44c242bdba4bb7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 03:03
Reported
2024-11-10 03:06
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
149s
Signatures
Detects Healer an antivirus disabler dropper
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
RedLine
RedLine payload
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a.exe | "C:\Users\Admin\AppData\Local\Temp\1da7b6807c55e7942da399ac4eb9b8c1a2fbef954f5eac082607801c54de1a2a.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2952 -ip 2952 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 1088 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
| MD5 | fa00be7caa8c76ecf693086a43a6fa72 |
| SHA1 | 5a824c7908f9a759b12be9aa2c5d758e003f36eb |
| SHA256 | 47ad2bf46a37ecfa35b25a2a5e59bda6d82e8768361fc9726e2a84d84a85a4b1 |
| SHA512 | cd1f0cc4dfa573648f8979cdc448f45b4ab07ae5e760541725d6a0dba1fa398208b534bb224e5fff79c9953a3ac89bcd3e5aca2c518143bce9dc68a55e4c62ea |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
| MD5 | 200afa6d30b530e30060f4732a7d7ad8 |
| SHA1 | cada950005d7c663e2076e0d8a8147e49b9fbdd2 |
| SHA256 | d4a96660a52626abf454197b499e0c0ab26ed25462b08bbd8b0c14cca16620be |
| SHA512 | d91886c594ff70176cd81f319f63092058729fba82789bae3173f711d32eac6ae189d8b930178338dfac441ec2e8b5d28f18e20f3d58e4f1a26ca86fd49eae2d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
| MD5 | 4d86b1f078cf5b393a3c4c1977338041 |
| SHA1 | 08ffce6e13ae74e83023e643ea97b0d9960e6e24 |
| SHA256 | a27c02ac2161eee8c4887a42c42af559a1be457c6b46d368c46eafeb3b878e1b |
| SHA512 | f1a4aa45b0a55467d479dc23502556c8766a7551ad3f688fd3092c713f41775373d1a7d3e5c3193ee4d0d8c786bad6dfd0aa20a8702460632612dd992e4e07b0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
| MD5 | a57403199ddf1fad6096938e90ccc21e |
| SHA1 | 45bcfc93e33259f76bfb8a68b19b4b43dd28678e |
| SHA256 | eb0fb8fabb95798d507af3ed1999ab280efb55d61f62222aad3fc59be9551c3e |
| SHA512 | eeeba09adb6171e9a56481e4b68b53359a0d94c16716e0783d7cfd69d61c923f627d41c1e47f0164a705445bf182cbf912347577bb45418fbe44c242bdba4bb7 |