Analysis Overview
SHA256
cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
Threat Level: Known bad
The file cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
SmokeLoader
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Healer
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 11:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 11:00
Reported
2023-09-10 11:02
Platform
win7-20230831-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
SmokeLoader
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2196 set thread context of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2640 set thread context of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2872 set thread context of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2616 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.124.231:80 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe
| MD5 | 8220e94d0abd491aa7aaeb085b5f8ed6 |
| SHA1 | cda4978c09b2bf2012ead07e3540acd40c5eea61 |
| SHA256 | 79ed158d54490f8b28f83c1fb4b847e2fee2bd3911112ea442022042367437d8 |
| SHA512 | 38f42b6d1a2f54df705593084b05aa2160d475a95e15ea4271b1525ae9a0da7e4a5ce4f767ee122d76ef726174ebabb3e4127cc11a6f399477b190a865b7c702 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe
| MD5 | 29b7911c9b2eb9ec7ca12ddc41caaf9e |
| SHA1 | 778a2edfe144892c0def3778544bb4fa4262db5b |
| SHA256 | de6d594aabec119a8731a7410f59d79560fa2612481f3ad19816dd6cd3d9c20a |
| SHA512 | c81d3064ba516aeb5ffd597b315b56b95a7212cb79ff6d351211439f1e92b99d425c0dca61a7b537985470468a2054a1e18ddfd96d5a67371979d11270dcda5e |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe
| MD5 | e56f8e438000f87296d514a65dbc87e7 |
| SHA1 | f4ccbd1f597dc45bd9c786803c386dc53c8c6065 |
| SHA256 | b46b43c853e6d8e9f5007b09323a19d42a12d919cefa0835133ebb3d712cd4a2 |
| SHA512 | 534206a85e1ca3bb379d1886668aa8781d703b9a88ab9607872fce6e4fdc25f027460684cc834ecf4494e3d4d18e3086da61c009f3d21cfc5292eb091e9d583e |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe
| MD5 | 97bb852d45f562866b584556ff04bebb |
| SHA1 | ea58a1613ae4c0efec1604b8dd0d1689c9f180ac |
| SHA256 | 7851c735cc50b0bc2aec80600febbe6fcab26c44e2ead38b2921d5da46b74da4 |
| SHA512 | b4634507d68b580958501cc450d0db56f67586febfba145cb99d6bd134a09d42a106d59505d6724435ceedb4aedc24daad791305fa93c54309b55fcbb0cfcf3e |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe
| MD5 | 28c5856280ccf61e923fb8fb107ef33b |
| SHA1 | 98ced60b1c83b2c5ec37a194e0e4f789eb071eec |
| SHA256 | 3b305a4ec760d3663e31c6fee2b54b0eb85a5e39ee987c4fe1b2b786b1e31a0b |
| SHA512 | 3cb2bb77161d9ae80cc1b96f22cc5d505e4fc654fd2d4f007a2d9b0815d37cbcbbf77b033e0af411056b5979672e293b4ed5e43f16e6b1d340a9f3d01c488282 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe
| MD5 | 78883d4c10d0ad274668f2bac0f427ac |
| SHA1 | 9f6d3da86e5ac28fb7c2ec25069116021fe9d9e5 |
| SHA256 | d02ee8720a243708179c67ac007e6824e6429cabd3f7ab0888217012f61e4afb |
| SHA512 | 5dc2b99497653a7b340945c364be366db5dbb1c9d87eee5913a6c91e325606cc52d59b21e9635cde467ff3b07584de48629738fac34957b2fff44c2ab1fa7b51 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe
| MD5 | 9177c713e8e5fb0c2922e7d00554fc78 |
| SHA1 | b1982a50a76a5119d2419e35b6e285c56bf4d120 |
| SHA256 | 3a2374346db140b276116ec922ad481954bc1853ed1e3b2f43189b60f202236b |
| SHA512 | 8d60ef30151038d4dc58065c71752f0b7631a63a47e085b84465bdbc496ed38f3167d084736254d5fe27f6716c909e5621264f9ac702273c4ae03500fc79d707 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe
| MD5 | 867086e6182dd113f491da7b41f983e7 |
| SHA1 | 74c3be0338040fc236ec544da41248059de8e26d |
| SHA256 | 231b02386855f4f1475271a1a9e1b89c1294da336142c379cca4ad3df2f2d9cd |
| SHA512 | 2541e377e1abbc7630035a09fe547fc751730601bb84741e98f60bf505b85d08c4805cb93fba45c3153e579379b40845c3ffcfa33249b151b4cd5e2e6dc11767 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-10 11:00
Reported
2023-09-10 11:02
Platform
win10v2004-20230831-en
Max time kernel
154s
Max time network
154s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
SmokeLoader
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2816 set thread context of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4092 set thread context of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2416 set thread context of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4348 set thread context of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bcexe_JC.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2816 -ip 2816
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 288
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4092 -ip 4092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 564
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2416 -ip 2416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3436 -ip 3436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 564
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.124.231:80 | | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.124.231:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/452-0-0x0000000000400000-0x000000000052A000-memory.dmp
memory/452-1-0x0000000000400000-0x000000000052A000-memory.dmp
memory/452-2-0x0000000000400000-0x000000000052A000-memory.dmp
memory/452-3-0x0000000000400000-0x000000000052A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2986601.exe
| MD5 | 8220e94d0abd491aa7aaeb085b5f8ed6 |
| SHA1 | cda4978c09b2bf2012ead07e3540acd40c5eea61 |
| SHA256 | 79ed158d54490f8b28f83c1fb4b847e2fee2bd3911112ea442022042367437d8 |
| SHA512 | 38f42b6d1a2f54df705593084b05aa2160d475a95e15ea4271b1525ae9a0da7e4a5ce4f767ee122d76ef726174ebabb3e4127cc11a6f399477b190a865b7c702 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7348974.exe
| MD5 | 29b7911c9b2eb9ec7ca12ddc41caaf9e |
| SHA1 | 778a2edfe144892c0def3778544bb4fa4262db5b |
| SHA256 | de6d594aabec119a8731a7410f59d79560fa2612481f3ad19816dd6cd3d9c20a |
| SHA512 | c81d3064ba516aeb5ffd597b315b56b95a7212cb79ff6d351211439f1e92b99d425c0dca61a7b537985470468a2054a1e18ddfd96d5a67371979d11270dcda5e |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7758148.exe
| MD5 | e56f8e438000f87296d514a65dbc87e7 |
| SHA1 | f4ccbd1f597dc45bd9c786803c386dc53c8c6065 |
| SHA256 | b46b43c853e6d8e9f5007b09323a19d42a12d919cefa0835133ebb3d712cd4a2 |
| SHA512 | 534206a85e1ca3bb379d1886668aa8781d703b9a88ab9607872fce6e4fdc25f027460684cc834ecf4494e3d4d18e3086da61c009f3d21cfc5292eb091e9d583e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5153711.exe
| MD5 | 97bb852d45f562866b584556ff04bebb |
| SHA1 | ea58a1613ae4c0efec1604b8dd0d1689c9f180ac |
| SHA256 | 7851c735cc50b0bc2aec80600febbe6fcab26c44e2ead38b2921d5da46b74da4 |
| SHA512 | b4634507d68b580958501cc450d0db56f67586febfba145cb99d6bd134a09d42a106d59505d6724435ceedb4aedc24daad791305fa93c54309b55fcbb0cfcf3e |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8829678.exe
| MD5 | 28c5856280ccf61e923fb8fb107ef33b |
| SHA1 | 98ced60b1c83b2c5ec37a194e0e4f789eb071eec |
| SHA256 | 3b305a4ec760d3663e31c6fee2b54b0eb85a5e39ee987c4fe1b2b786b1e31a0b |
| SHA512 | 3cb2bb77161d9ae80cc1b96f22cc5d505e4fc654fd2d4f007a2d9b0815d37cbcbbf77b033e0af411056b5979672e293b4ed5e43f16e6b1d340a9f3d01c488282 |
memory/1376-39-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1376-40-0x0000000073900000-0x00000000740B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0310728.exe
| MD5 | 78883d4c10d0ad274668f2bac0f427ac |
| SHA1 | 9f6d3da86e5ac28fb7c2ec25069116021fe9d9e5 |
| SHA256 | d02ee8720a243708179c67ac007e6824e6429cabd3f7ab0888217012f61e4afb |
| SHA512 | 5dc2b99497653a7b340945c364be366db5dbb1c9d87eee5913a6c91e325606cc52d59b21e9635cde467ff3b07584de48629738fac34957b2fff44c2ab1fa7b51 |
memory/3436-44-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3436-45-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3436-46-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3436-48-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6608501.exe
| MD5 | 9177c713e8e5fb0c2922e7d00554fc78 |
| SHA1 | b1982a50a76a5119d2419e35b6e285c56bf4d120 |
| SHA256 | 3a2374346db140b276116ec922ad481954bc1853ed1e3b2f43189b60f202236b |
| SHA512 | 8d60ef30151038d4dc58065c71752f0b7631a63a47e085b84465bdbc496ed38f3167d084736254d5fe27f6716c909e5621264f9ac702273c4ae03500fc79d707 |
memory/4572-51-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4572-52-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9184870.exe
| MD5 | 867086e6182dd113f491da7b41f983e7 |
| SHA1 | 74c3be0338040fc236ec544da41248059de8e26d |
| SHA256 | 231b02386855f4f1475271a1a9e1b89c1294da336142c379cca4ad3df2f2d9cd |
| SHA512 | 2541e377e1abbc7630035a09fe547fc751730601bb84741e98f60bf505b85d08c4805cb93fba45c3153e579379b40845c3ffcfa33249b151b4cd5e2e6dc11767 |
memory/3888-56-0x0000000000660000-0x0000000000690000-memory.dmp
memory/3888-57-0x0000000073900000-0x00000000740B0000-memory.dmp
memory/3888-58-0x000000000A990000-0x000000000AFA8000-memory.dmp
memory/452-59-0x0000000000400000-0x000000000052A000-memory.dmp
memory/3888-60-0x000000000A4D0000-0x000000000A5DA000-memory.dmp
memory/3888-62-0x0000000004EE0000-0x0000000004EF0000-memory.dmp
memory/3888-61-0x000000000A410000-0x000000000A422000-memory.dmp
memory/3888-63-0x000000000A470000-0x000000000A4AC000-memory.dmp
memory/4572-66-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3116-64-0x0000000000170000-0x0000000000186000-memory.dmp
memory/1376-68-0x0000000073900000-0x00000000740B0000-memory.dmp
memory/1376-70-0x0000000073900000-0x00000000740B0000-memory.dmp
memory/3888-71-0x0000000073900000-0x00000000740B0000-memory.dmp
memory/3888-72-0x0000000004EE0000-0x0000000004EF0000-memory.dmp