Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-rseq6ahg7t
Target 264e03f2c4b3c9b812f440fe60bf15c6.exe
SHA256 d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5
Tags redline virad infostealer persistence healer dropper evasion trojan
Score 10/10

Analysis Overview

Score 10/10
SHA256 d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5

Threat Level: Known bad

The file 264e03f2c4b3c9b812f440fe60bf15c6.exe was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence healer dropper evasion trojan

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported 2023-09-10 14:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-09-10 14:27
Reported 2023-09-10 14:29
Platform win7-20230831-en
Max time kernel 134s
Max time network 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\264e03f2c4b3c9b812f440fe60bf15c6.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\264e03f2c4b3c9b812f440fe60bf15c6.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2864 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\264e03f2c4b3c9b812f440fe60bf15c6.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe | 7
PID 1128 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe | 7
PID 2772 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9569753.exe | 7
PID 2772 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2341115.exe | 7

Processes

C:\Users\Admin\AppData\Local\Temp\264e03f2c4b3c9b812f440fe60bf15c6.exe

"C:\Users\Admin\AppData\Local\Temp\264e03f2c4b3c9b812f440fe60bf15c6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9569753.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9569753.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2341115.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2341115.exe

Network

Country | Destination | Domain | Proto | Connections
FI | 77.91.124.82:19071 | | tcp | 6

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe

MD5 8eecf3ef114fec449b73699aa34ffe37
SHA1 29a34db49eef84dd7764710dc1cff64ee742c413
SHA256 7bafd46168f0a6fe6b2713e31803286729533b11bea0edd8bf9d54b5e1267bcf
SHA512 96440233a742dd0dc6a233709c104b831d707fa39aba371bdf10cdbb559198eb25ed0aa35b56e81bae607cea24dc26a318aff7e8627be04b76177ce059d000b0

\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe

MD5 4bdd624329fc7cb602da2fd40821499c
SHA1 42826c83d458408f5f809cb33458864b48e032a1
SHA256 354349c7e766293e603daaf9b48533d7e7ed893cdf9c9bfd5360e3b6a9b5691c
SHA512 7871e4efba207725b6dc7611a354e4c4766f383d63282f2d1b92b4041be764d0a80a31ae918519c843683280853494f3bd251bc5504513af7bfe91c5b776c5ee

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9569753.exe

MD5 2de01b395051684dc835db65f4cb3c4e
SHA1 31e0fc638b0dfe21a6058d3c5db8d37916b68a83
SHA256 c02b7d9985047c83a08b3f0ee8d25e08ae2310f2152739ff404766f88fab4902
SHA512 54b798c40ce5a9f97cdfccabd6b567108787efcec9f2be9a6990624f053df2a12c2a3f0badc5ed9577f6958deacf78e4f70c3ae4edc8158f561fb61a36873667

\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2341115.exe

MD5 3371b03650be3d3e3f57406c5f7707ef
SHA1 feb58741a68e4c26671357dcb16d4783c6147264
SHA256 b23a658bef8c7090ab41e9caa8a6f17f1b24cb8e51f379481a523aaf58a8ebb0
SHA512 8b50ee47e75889091a64a1eae7948a66602de6a236fdf21b6e7b4dd65c84fd70ef3b01805c0e29bdd5f09acba63ce429df3559fe1f2359e70bae73f98917e5d8

memory/2636-34-0x0000000000940000-0x0000000000970000-memory.dmp

memory/2636-35-0x0000000000350000-0x0000000000356000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-09-10 14:27
Reported 2023-09-10 14:29
Platform win10v2004-20230831-en
Max time kernel 142s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\264e03f2c4b3c9b812f440fe60bf15c6.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

infostealer redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\264e03f2c4b3c9b812f440fe60bf15c6.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1668 set thread context of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9569753.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1648 wrote to memory of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\264e03f2c4b3c9b812f440fe60bf15c6.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe | 3
PID 3136 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe | 3
PID 2344 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9569753.exe | 3
PID 1668 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9569753.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 8
PID 2344 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2341115.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\264e03f2c4b3c9b812f440fe60bf15c6.exe

"C:\Users\Admin\AppData\Local\Temp\264e03f2c4b3c9b812f440fe60bf15c6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9569753.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9569753.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1668 -ip 1668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2341115.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2341115.exe

Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 114.132.60.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | g.bing.com | udp | 1
US | 204.79.197.200:443 | g.bing.com | tcp | 1
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp | 1
FI | 77.91.124.82:19071 | | tcp | 6
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp | 5
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp | 1

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7585153.exe

MD5 8eecf3ef114fec449b73699aa34ffe37
SHA1 29a34db49eef84dd7764710dc1cff64ee742c413
SHA256 7bafd46168f0a6fe6b2713e31803286729533b11bea0edd8bf9d54b5e1267bcf
SHA512 96440233a742dd0dc6a233709c104b831d707fa39aba371bdf10cdbb559198eb25ed0aa35b56e81bae607cea24dc26a318aff7e8627be04b76177ce059d000b0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8100774.exe

MD5 4bdd624329fc7cb602da2fd40821499c
SHA1 42826c83d458408f5f809cb33458864b48e032a1
SHA256 354349c7e766293e603daaf9b48533d7e7ed893cdf9c9bfd5360e3b6a9b5691c
SHA512 7871e4efba207725b6dc7611a354e4c4766f383d63282f2d1b92b4041be764d0a80a31ae918519c843683280853494f3bd251bc5504513af7bfe91c5b776c5ee

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9569753.exe

MD5 2de01b395051684dc835db65f4cb3c4e
SHA1 31e0fc638b0dfe21a6058d3c5db8d37916b68a83
SHA256 c02b7d9985047c83a08b3f0ee8d25e08ae2310f2152739ff404766f88fab4902
SHA512 54b798c40ce5a9f97cdfccabd6b567108787efcec9f2be9a6990624f053df2a12c2a3f0badc5ed9577f6958deacf78e4f70c3ae4edc8158f561fb61a36873667

memory/1948-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1948-22-0x0000000074930000-0x00000000750E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2341115.exe

MD5 3371b03650be3d3e3f57406c5f7707ef
SHA1 feb58741a68e4c26671357dcb16d4783c6147264
SHA256 b23a658bef8c7090ab41e9caa8a6f17f1b24cb8e51f379481a523aaf58a8ebb0
SHA512 8b50ee47e75889091a64a1eae7948a66602de6a236fdf21b6e7b4dd65c84fd70ef3b01805c0e29bdd5f09acba63ce429df3559fe1f2359e70bae73f98917e5d8

memory/3752-26-0x0000000000020000-0x0000000000050000-memory.dmp

memory/3752-27-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/3752-28-0x0000000005140000-0x0000000005758000-memory.dmp

memory/3752-29-0x0000000004C30000-0x0000000004D3A000-memory.dmp

memory/3752-31-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/3752-30-0x0000000004910000-0x0000000004920000-memory.dmp

memory/3752-32-0x0000000004B60000-0x0000000004B9C000-memory.dmp

memory/1948-33-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/1948-35-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/3752-36-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/3752-37-0x0000000004910000-0x0000000004920000-memory.dmp