Malware Analysis Report

2025-03-15 01:43

Sample ID 230910-m3zrvsge5z
Target cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe
SHA256 cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
Tags healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc

Threat Level: Known bad

The file cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

RedLine

SmokeLoader

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-09-10 11:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-09-10 11:00
Reported 2023-09-10 11:02
Platform win7-20230831-en
Max time kernel 150s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A (4 identical rows)
N/A N/A N/A N/A (60 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (14 identical rows)
PID 2860 wrote to memory of 2644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe (7 identical rows)
PID 2644 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe (7 identical rows)
PID 2796 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe (7 identical rows)
PID 2544 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe (7 identical rows)
PID 2520 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe (7 identical rows)
PID 2640 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (12 identical rows)
PID 2520 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe (3 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe

Network

Country Destination Domain Proto Count
RU 5.42.92.211:80 5.42.92.211 tcp 1
FI 77.91.124.82:19071 - tcp 6
FI 77.91.68.29:80 77.91.68.29 tcp 2
FI 77.91.124.231:80 - tcp 2

Files

memory/2860-0-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2860-2-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2860-4-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2860-6-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2860-8-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2860-10-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2860-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2860-12-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2860-14-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2860-16-0x0000000000400000-0x000000000052A000-memory.dmp

memory/2860-17-0x0000000000400000-0x000000000052A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe
(4 identical entries, also logged as \Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe)

MD5 8220e94d0abd491aa7aaeb085b5f8ed6
SHA1 cda4978c09b2bf2012ead07e3540acd40c5eea61
SHA256 79ed158d54490f8b28f83c1fb4b847e2fee2bd3911112ea442022042367437d8
SHA512 38f42b6d1a2f54df705593084b05aa2160d475a95e15ea4271b1525ae9a0da7e4a5ce4f767ee122d76ef726174ebabb3e4127cc11a6f399477b190a865b7c702

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe
(4 identical entries, also logged as \Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe)

MD5 29b7911c9b2eb9ec7ca12ddc41caaf9e
SHA1 778a2edfe144892c0def3778544bb4fa4262db5b
SHA256 de6d594aabec119a8731a7410f59d79560fa2612481f3ad19816dd6cd3d9c20a
SHA512 c81d3064ba516aeb5ffd597b315b56b95a7212cb79ff6d351211439f1e92b99d425c0dca61a7b537985470468a2054a1e18ddfd96d5a67371979d11270dcda5e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe
(4 identical entries, also logged as \Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe)

MD5 e56f8e438000f87296d514a65dbc87e7
SHA1 f4ccbd1f597dc45bd9c786803c386dc53c8c6065
SHA256 b46b43c853e6d8e9f5007b09323a19d42a12d919cefa0835133ebb3d712cd4a2
SHA512 534206a85e1ca3bb379d1886668aa8781d703b9a88ab9607872fce6e4fdc25f027460684cc834ecf4494e3d4d18e3086da61c009f3d21cfc5292eb091e9d583e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe
(4 identical entries, also logged as \Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe)

MD5 97bb852d45f562866b584556ff04bebb
SHA1 ea58a1613ae4c0efec1604b8dd0d1689c9f180ac
SHA256 7851c735cc50b0bc2aec80600febbe6fcab26c44e2ead38b2921d5da46b74da4
SHA512 b4634507d68b580958501cc450d0db56f67586febfba145cb99d6bd134a09d42a106d59505d6724435ceedb4aedc24daad791305fa93c54309b55fcbb0cfcf3e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe
(6 identical entries, also logged as \Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe)

MD5 28c5856280ccf61e923fb8fb107ef33b
SHA1 98ced60b1c83b2c5ec37a194e0e4f789eb071eec
SHA256 3b305a4ec760d3663e31c6fee2b54b0eb85a5e39ee987c4fe1b2b786b1e31a0b
SHA512 3cb2bb77161d9ae80cc1b96f22cc5d505e4fc654fd2d4f007a2d9b0815d37cbcbbf77b033e0af411056b5979672e293b4ed5e43f16e6b1d340a9f3d01c488282

memory/2392-71-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2392-72-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2392-73-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2392-74-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2392-76-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2392-78-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2392-80-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe
(6 identical entries, also logged as \Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe)

MD5 78883d4c10d0ad274668f2bac0f427ac
SHA1 9f6d3da86e5ac28fb7c2ec25069116021fe9d9e5
SHA256 d02ee8720a243708179c67ac007e6824e6429cabd3f7ab0888217012f61e4afb
SHA512 5dc2b99497653a7b340945c364be366db5dbb1c9d87eee5913a6c91e325606cc52d59b21e9635cde467ff3b07584de48629738fac34957b2fff44c2ab1fa7b51

memory/2884-90-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2884-92-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2884-94-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2884-95-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2884-96-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2884-97-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2884-98-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2884-99-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2884-101-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe
(6 identical entries, also logged as \Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe)

MD5 9177c713e8e5fb0c2922e7d00554fc78
SHA1 b1982a50a76a5119d2419e35b6e285c56bf4d120
SHA256 3a2374346db140b276116ec922ad481954bc1853ed1e3b2f43189b60f202236b
SHA512 8d60ef30151038d4dc58065c71752f0b7631a63a47e085b84465bdbc496ed38f3167d084736254d5fe27f6716c909e5621264f9ac702273c4ae03500fc79d707

memory/2884-112-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2884-113-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2808-114-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2808-115-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2808-117-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe

MD5 867086e6182dd113f491da7b41f983e7
SHA1 74c3be0338040fc236ec544da41248059de8e26d
SHA256 231b02386855f4f1475271a1a9e1b89c1294da336142c379cca4ad3df2f2d9cd
SHA512 2541e377e1abbc7630035a09fe547fc751730601bb84741e98f60bf505b85d08c4805cb93fba45c3153e579379b40845c3ffcfa33249b151b4cd5e2e6dc11767

memory/2508-125-0x0000000000AE0000-0x0000000000B10000-memory.dmp

memory/2808-120-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2508-126-0x0000000000310000-0x0000000000316000-memory.dmp

memory/2884-127-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1216-128-0x0000000002A60000-0x0000000002A76000-memory.dmp

memory/2808-130-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2860-132-0x0000000000400000-0x000000000052A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-10 11:00

Reported

2023-09-10 11:02

Platform

win10v2004-20230831-en

Max time kernel

154s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
All six writes come from an AppLaunch.exe instance rather than from one of the dropped executables, consistent with the WriteProcessMemory chain below in which each dropped file writes into a freshly started AppLaunch.exe. The values are the Group Policy switches for Defender's real-time, behaviour, IOAV (download and attachment) and on-access scanning; writing them under HKLM requires an elevated token.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
The five entries are the RunOnce cleanup hooks that wextract.exe (the IExpress self-extractor) registers so that advpack.dll's DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon. They reveal five nested self-extracting layers (IXP000 to IXP004); none of the dropped executables is itself registered to run, so these RunOnce values are housekeeping rather than payload persistence.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe N/A
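The two registry tables above (the Defender policy writes and the RunOnce entries) are the rows a detection engineer would want to triage automatically: the first set is a high-severity tamper indicator, the second is wextract cleanup noise that a naive "Run key written" rule would misreport as persistence. The script below is an added example written for this page, not part of the sandbox report; it parses the report's own "Set value" rows, normalises the kernel-style key path (dropping the WOW6432Node redirection so 32-bit and 64-bit writers compare equal) and scores each row. The Defender value watch-list and the wextract cleanup pattern are assumptions stated in the comments; the sample rows are copied from the tables above.

```python
import re
from dataclasses import dataclass

# Constructed sample input: six rows copied from the two signature tables above.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
]

# Row layout in the report: 'Set value (<type>) <key>\<name> = "<data>" <process> N/A'.
# The key may contain spaces, so it is matched non-greedily up to the first ' = "'.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.*?) = "(.*)" (\S+) N/A$')

# Assumed watch-list: policy values that switch off one Defender real-time feature
# when set to 1 under this key.
DEFENDER_RTP_KEY = r'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
DEFENDER_DISABLE_VALUES = {
    'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
    'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable',
}
# wextract.exe (IExpress SFX) registers this RunOnce hook to delete its IXP00n.TMP
# directory at next logon; it is housekeeping, not payload persistence.
WEXTRACT_CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32', re.I)


@dataclass
class Finding:
    severity: str
    key: str
    name: str
    data: str
    process: str
    note: str


def normalize_key(path):
    """Map \\REGISTRY\\MACHINE to HKLM (and \\REGISTRY\\USER to HKU) and drop the
    WOW6432Node redirection node so 32-bit and 64-bit writers compare equal."""
    for prefix, hive in (('\\REGISTRY\\MACHINE\\', 'HKLM\\'), ('\\REGISTRY\\USER\\', 'HKU\\')):
        if path.upper().startswith(prefix):
            path = hive + path[len(prefix):]
            break
    return re.sub(r'\\wow6432node', '', path, flags=re.I)


def parse_set_value(row):
    """Return (type, key, value_name, data, process) for a 'Set value' row, else None."""
    m = SET_VALUE_RE.match(row)
    if not m:
        return None  # 'Key created' / 'Key opened' rows carry no value to score
    vtype, full_path, data, process = m.groups()
    key, _, name = normalize_key(full_path).rpartition('\\')
    return vtype, key, name, data, process


def triage(rows):
    """Score each registry write: Defender tamper is high, real autoruns medium,
    wextract cleanup hooks informational."""
    findings = []
    for row in rows:
        parsed = parse_set_value(row)
        if parsed is None:
            continue
        vtype, key, name, data, process = parsed
        lowered = key.lower()
        if lowered == DEFENDER_RTP_KEY.lower() and name in DEFENDER_DISABLE_VALUES and data == '1':
            findings.append(Finding('high', key, name, data, process,
                                    'Defender real-time protection feature disabled via policy'))
        elif lowered.endswith(r'\currentversion\runonce') or lowered.endswith(r'\currentversion\run'):
            if name.lower().startswith('wextract_cleanup') and WEXTRACT_CLEANUP_RE.search(data):
                findings.append(Finding('info', key, name, data, process,
                                        'wextract/IExpress temp-directory cleanup, not payload persistence'))
            else:
                findings.append(Finding('medium', key, name, data, process, 'autorun entry written'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        print(f'[{f.severity:6}] {f.process.rsplit(chr(92), 1)[-1]}: {f.key}\\{f.name} = {f.data!r}  ({f.note})')
```

Run against the six sample rows it reports three high findings for the Defender values, skips the "Key created" row (no value to score) and downgrades both wextract_cleanup entries to informational. Feeding it the full tables reproduces the split the prose above describes: all six Defender writes attributed to AppLaunch.exe, and no RunOnce entry that launches a dropped file.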

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
(60 further hits for which the report recorded neither an indicator nor a process)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2816 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2816 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2816 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2816 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2816 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2816 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2816 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2816 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2816 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 452 wrote to memory of 3504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe
PID 452 wrote to memory of 3504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe
PID 452 wrote to memory of 3504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe
PID 3504 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe
PID 3504 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe
PID 3504 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe
PID 4064 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe
PID 4064 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe
PID 4064 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe
PID 2296 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe
PID 2296 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe
PID 2296 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe
PID 724 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe
PID 724 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe
PID 724 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe
PID 4092 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4092 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 724 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe
PID 724 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe
PID 724 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe
PID 2416 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2416 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2296 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe
PID 2296 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe
PID 2296 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe
PID 4348 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4348 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4348 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4348 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4348 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4348 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4064 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe
PID 4064 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe
PID 4064 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe
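The WriteProcessMemory table above is a flat list of 61 per-call rows; what an analyst actually wants from it is the injection tree and the set of processes that received writes from a parent they should not trust. The script below is an added example written for this page, not part of the sandbox report. It parses rows in the report's own format, collapses repeats into edge counts, rebuilds the parent/child tree from the original sample (PID 2816) down, and flags every AppLaunch.exe instance written to by a non-Microsoft parent as a hollowing candidate (an assumption that reads these writes together with the MapViewOfSection and SetThreadContext hits listed for this sample). The sample rows are constructed from the table, one copy of each distinct row times the number of times it appears.

```python
import re
from collections import Counter, defaultdict

TEMP = r'C:\Users\Admin\AppData\Local\Temp'
APPLAUNCH = r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe'
SAMPLE = TEMP + r'\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe'


def _row(src_pid, dst_pid, src, dst):
    """Render one row in the report's 'Suspicious use of WriteProcessMemory' format."""
    return f'PID {src_pid} wrote to memory of {dst_pid} N/A {src} {dst}'


# Constructed sample: each distinct row of the table above, repeated as often as it appears there.
SAMPLE_ROWS = (
    [_row(2816, 452, SAMPLE, APPLAUNCH)] * 10
    + [_row(452, 3504, APPLAUNCH, TEMP + r'\IXP000.TMP\v2986601.exe')] * 3
    + [_row(3504, 4064, TEMP + r'\IXP000.TMP\v2986601.exe', TEMP + r'\IXP001.TMP\v7348974.exe')] * 3
    + [_row(4064, 2296, TEMP + r'\IXP001.TMP\v7348974.exe', TEMP + r'\IXP002.TMP\v7758148.exe')] * 3
    + [_row(2296, 724, TEMP + r'\IXP002.TMP\v7758148.exe', TEMP + r'\IXP003.TMP\v5153711.exe')] * 3
    + [_row(724, 4092, TEMP + r'\IXP003.TMP\v5153711.exe', TEMP + r'\IXP004.TMP\a8829678.exe')] * 3
    + [_row(4092, 1376, TEMP + r'\IXP004.TMP\a8829678.exe', APPLAUNCH)] * 8
    + [_row(724, 2416, TEMP + r'\IXP003.TMP\v5153711.exe', TEMP + r'\IXP004.TMP\b0310728.exe')] * 3
    + [_row(2416, 1408, TEMP + r'\IXP004.TMP\b0310728.exe', APPLAUNCH)] * 3
    + [_row(2416, 3436, TEMP + r'\IXP004.TMP\b0310728.exe', APPLAUNCH)] * 10
    + [_row(2296, 4348, TEMP + r'\IXP002.TMP\v7758148.exe', TEMP + r'\IXP003.TMP\c6608501.exe')] * 3
    + [_row(4348, 4572, TEMP + r'\IXP003.TMP\c6608501.exe', APPLAUNCH)] * 6
    + [_row(4064, 3888, TEMP + r'\IXP001.TMP\v7348974.exe', TEMP + r'\IXP002.TMP\d9184870.exe')] * 3
)

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')

# Assumption: a signed Microsoft host image has no business receiving memory writes
# from a Temp-resident parent; such edges are treated as hollowing candidates.
TRUSTED_HOSTS = {'applaunch.exe'}


def basename(path):
    return path.rsplit('\\', 1)[-1]


def parse_edges(rows):
    """Collapse per-call rows into (src_pid, dst_pid, src_image, dst_image) -> write count."""
    edges = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst), src_img, dst_img)] += 1
    return edges


def build_tree(edges):
    """Parent PID -> [(child_pid, child_image, write_count)] in first-seen order."""
    children = defaultdict(list)
    for (src, dst, _, dst_img), n in edges.items():
        children[src].append((dst, dst_img, n))
    return children


def find_roots(edges):
    """PIDs that write to others but were never written to themselves."""
    return {e[0] for e in edges} - {e[1] for e in edges}


def hollowing_candidates(edges):
    """PIDs of trusted host images written to by a parent that is not a trusted host."""
    return {dst for (_, dst, src_img, dst_img) in edges
            if basename(dst_img).lower() in TRUSTED_HOSTS
            and basename(src_img).lower() not in TRUSTED_HOSTS}


def render_tree(children, root, depth=0, lines=None):
    """Indented text rendering, one line per distinct parent/child edge."""
    if lines is None:
        lines = []
    for child, img, n in children.get(root, []):
        lines.append('  ' * depth + f'{root} -> {child} {basename(img)} ({n} writes)')
        render_tree(children, child, depth + 1, lines)
    return lines


if __name__ == '__main__':
    edges = parse_edges(SAMPLE_ROWS)
    tree = build_tree(edges)
    for root in sorted(find_roots(edges)):
        print('\n'.join(render_tree(tree, root)))
    print('hollowing candidates:', sorted(hollowing_candidates(edges)))
```

On the rows above the tree has a single root (2816, the submitted sample), five AppLaunch.exe hollowing candidates (452, 1376, 1408, 3436, 4572) and one dropped file, d9184870.exe (3888), that receives writes but never injects into a host, which matches the separate memory regions the Files section records for PID 3888.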

Uses Task Scheduler COM API

persistence

Processes

Each entry gives the image path followed by the command line it was started with. The WerFault.exe entries are crash handlers for PIDs 2816, 4092, 2416, 3436 and 4348, which the WriteProcessMemory table above identifies as the submitted sample, a8829678.exe, b0310728.exe, one of its AppLaunch.exe children and c6608501.exe; they account for the Program crash entry in the analysis overview.

C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2816 -ip 2816

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 288

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4092 -ip 4092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 564

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2416 -ip 2416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3436 -ip 3436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           73.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa       udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53           59.128.231.4.in-addr.arpa      udp
US       8.8.8.8:53           158.240.127.40.in-addr.arpa    udp
US       8.8.8.8:53           2.136.104.51.in-addr.arpa      udp
US       8.8.8.8:53           9.57.101.20.in-addr.arpa       udp
FI       77.91.124.82:19071   -                              tcp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53           240.81.21.72.in-addr.arpa      udp
FI       77.91.68.29:80       77.91.68.29                    tcp
FI       77.91.124.231:80     -                              tcp
US       8.8.8.8:53           29.68.91.77.in-addr.arpa       udp
FI       77.91.124.82:19071   -                              tcp
FI       77.91.68.29:80       77.91.68.29                    tcp
FI       77.91.124.231:80     -                              tcp
FI       77.91.124.82:19071   -                              tcp
FI       77.91.124.82:19071   -                              tcp
FI       77.91.124.82:19071   -                              tcp
US       8.8.8.8:53           4.173.189.20.in-addr.arpa      udp

A "-" marks rows where the report recorded no domain. The udp rows are reverse (PTR) lookups sent to 8.8.8.8; 29.68.91.77.in-addr.arpa is the reverse name of 77.91.68.29, one of the hosts contacted over TCP, while the other twelve reverse lookups have no matching outbound connection in this table. Outbound traffic goes to three FI-geolocated endpoints only: 77.91.124.82:19071 (five connections), 77.91.68.29:80 (two) and 77.91.124.231:80 (two).
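Turning the network table into indicators means separating the resolver noise (PTR lookups to 8.8.8.8) from the real outbound endpoints and noticing when a reverse lookup names one of those endpoints. The script below is an added example written for this page, not part of the sandbox report. It parses the rows as extracted (the domain field is empty or "-" for bare TCP connections, so those rows have one field fewer), decodes in-addr.arpa names back to addresses, counts connections per endpoint and reports which reverse lookups correspond to a contacted host. The sample rows are constructed from the table above.

```python
import ipaddress
from collections import Counter

# Constructed sample: the Network table above, in the raw space-separated form the
# extraction produced (three fields when the Domain column is empty).
SAMPLE_ROWS = """
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
""".strip().splitlines()

PTR_SUFFIX = '.in-addr.arpa'


def ptr_target(name):
    """Turn a reverse-lookup name such as 29.68.91.77.in-addr.arpa back into 77.91.68.29;
    return None for anything that is not a well-formed IPv4 PTR name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split('.')
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address('.'.join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(lines):
    """Accept both 4-field rows and 3-field rows (empty Domain column); '-' also means empty."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ''
        else:
            continue
        if domain == '-':
            domain = ''
        ip, _, port = dest.rpartition(':')
        rows.append({'country': country, 'ip': ip, 'port': int(port), 'domain': domain, 'proto': proto})
    return rows


def summarize(rows):
    """Split resolver traffic from outbound connections and cross-reference the PTR targets."""
    outbound = Counter()
    ptr_lookups = set()
    for r in rows:
        target = ptr_target(r['domain'])
        if r['port'] == 53 and target:
            ptr_lookups.add(target)
        elif r['port'] != 53:
            outbound[(r['ip'], r['port'], r['proto'])] += 1
    contacted = {ip for ip, _, _ in outbound}
    return {
        'outbound': outbound,
        'ptr_lookups': ptr_lookups,
        'ptr_of_contacted': ptr_lookups & contacted,
        'ptr_unmatched': ptr_lookups - contacted,
    }


def ioc_lines(summary):
    """Outbound endpoints as IOC strings, busiest first."""
    ranked = sorted(summary['outbound'].items(), key=lambda kv: (-kv[1], kv[0]))
    return [f'{ip}:{port}/{proto} ({n} connections)' for (ip, port, proto), n in ranked]


if __name__ == '__main__':
    s = summarize(parse_rows(SAMPLE_ROWS))
    print('\n'.join(ioc_lines(s)))
    print('reverse lookups of contacted hosts:', sorted(s['ptr_of_contacted']))
    print('reverse lookups with no connection:', len(s['ptr_unmatched']))
```

On this table the busiest endpoint is 77.91.124.82:19071 with five connections, thirteen distinct reverse lookups are seen, and exactly one of them (77.91.68.29) names a host the sample also connected to; the remaining twelve are lookups for addresses that never appear as a destination, which is the pattern to expect from platform background traffic rather than from the sample.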

Files

memory/452-0-0x0000000000400000-0x000000000052A000-memory.dmp

memory/452-1-0x0000000000400000-0x000000000052A000-memory.dmp

memory/452-2-0x0000000000400000-0x000000000052A000-memory.dmp

memory/452-3-0x0000000000400000-0x000000000052A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe

MD5 8220e94d0abd491aa7aaeb085b5f8ed6
SHA1 cda4978c09b2bf2012ead07e3540acd40c5eea61
SHA256 79ed158d54490f8b28f83c1fb4b847e2fee2bd3911112ea442022042367437d8
SHA512 38f42b6d1a2f54df705593084b05aa2160d475a95e15ea4271b1525ae9a0da7e4a5ce4f767ee122d76ef726174ebabb3e4127cc11a6f399477b190a865b7c702

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe

MD5 29b7911c9b2eb9ec7ca12ddc41caaf9e
SHA1 778a2edfe144892c0def3778544bb4fa4262db5b
SHA256 de6d594aabec119a8731a7410f59d79560fa2612481f3ad19816dd6cd3d9c20a
SHA512 c81d3064ba516aeb5ffd597b315b56b95a7212cb79ff6d351211439f1e92b99d425c0dca61a7b537985470468a2054a1e18ddfd96d5a67371979d11270dcda5e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe

MD5 e56f8e438000f87296d514a65dbc87e7
SHA1 f4ccbd1f597dc45bd9c786803c386dc53c8c6065
SHA256 b46b43c853e6d8e9f5007b09323a19d42a12d919cefa0835133ebb3d712cd4a2
SHA512 534206a85e1ca3bb379d1886668aa8781d703b9a88ab9607872fce6e4fdc25f027460684cc834ecf4494e3d4d18e3086da61c009f3d21cfc5292eb091e9d583e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe

MD5 97bb852d45f562866b584556ff04bebb
SHA1 ea58a1613ae4c0efec1604b8dd0d1689c9f180ac
SHA256 7851c735cc50b0bc2aec80600febbe6fcab26c44e2ead38b2921d5da46b74da4
SHA512 b4634507d68b580958501cc450d0db56f67586febfba145cb99d6bd134a09d42a106d59505d6724435ceedb4aedc24daad791305fa93c54309b55fcbb0cfcf3e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe

MD5 28c5856280ccf61e923fb8fb107ef33b
SHA1 98ced60b1c83b2c5ec37a194e0e4f789eb071eec
SHA256 3b305a4ec760d3663e31c6fee2b54b0eb85a5e39ee987c4fe1b2b786b1e31a0b
SHA512 3cb2bb77161d9ae80cc1b96f22cc5d505e4fc654fd2d4f007a2d9b0815d37cbcbbf77b033e0af411056b5979672e293b4ed5e43f16e6b1d340a9f3d01c488282

memory/1376-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1376-40-0x0000000073900000-0x00000000740B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe

MD5 78883d4c10d0ad274668f2bac0f427ac
SHA1 9f6d3da86e5ac28fb7c2ec25069116021fe9d9e5
SHA256 d02ee8720a243708179c67ac007e6824e6429cabd3f7ab0888217012f61e4afb
SHA512 5dc2b99497653a7b340945c364be366db5dbb1c9d87eee5913a6c91e325606cc52d59b21e9635cde467ff3b07584de48629738fac34957b2fff44c2ab1fa7b51

memory/3436-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3436-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3436-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3436-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe

MD5 9177c713e8e5fb0c2922e7d00554fc78
SHA1 b1982a50a76a5119d2419e35b6e285c56bf4d120
SHA256 3a2374346db140b276116ec922ad481954bc1853ed1e3b2f43189b60f202236b
SHA512 8d60ef30151038d4dc58065c71752f0b7631a63a47e085b84465bdbc496ed38f3167d084736254d5fe27f6716c909e5621264f9ac702273c4ae03500fc79d707

memory/4572-51-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4572-52-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe

MD5 867086e6182dd113f491da7b41f983e7
SHA1 74c3be0338040fc236ec544da41248059de8e26d
SHA256 231b02386855f4f1475271a1a9e1b89c1294da336142c379cca4ad3df2f2d9cd
SHA512 2541e377e1abbc7630035a09fe547fc751730601bb84741e98f60bf505b85d08c4805cb93fba45c3153e579379b40845c3ffcfa33249b151b4cd5e2e6dc11767

memory/3888-56-0x0000000000660000-0x0000000000690000-memory.dmp

memory/3888-57-0x0000000073900000-0x00000000740B0000-memory.dmp

memory/3888-58-0x000000000A990000-0x000000000AFA8000-memory.dmp

memory/452-59-0x0000000000400000-0x000000000052A000-memory.dmp

memory/3888-60-0x000000000A4D0000-0x000000000A5DA000-memory.dmp

memory/3888-62-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

memory/3888-61-0x000000000A410000-0x000000000A422000-memory.dmp

memory/3888-63-0x000000000A470000-0x000000000A4AC000-memory.dmp

memory/4572-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3116-64-0x0000000000170000-0x0000000000186000-memory.dmp

memory/1376-68-0x0000000073900000-0x00000000740B0000-memory.dmp

memory/1376-70-0x0000000073900000-0x00000000740B0000-memory.dmp

memory/3888-71-0x0000000073900000-0x00000000740B0000-memory.dmp

memory/3888-72-0x0000000004EE0000-0x0000000004EF0000-memory.dmp