Malware Analysis Report

2025-03-15 01:45

Sample ID: 230910-sp28qaaa8z
Target: tmp
SHA256: b2f6611341dfb9fc45cbb320ba334412758fd71e83393f66c638e0ffbda7c397
Tags: redline virad infostealer persistence healer dropper evasion trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b2f6611341dfb9fc45cbb320ba334412758fd71e83393f66c638e0ffbda7c397

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence healer dropper evasion trojan

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer, an antivirus disabler dropper

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2023-09-10 15:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-10 15:18

Reported: 2023-09-10 15:21

Platform: win7-20230831-en

Max time kernel: 142s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe N/A

Suspicious use of WriteProcessMemory

Description (event count) Indicator Process Target
PID 1596 wrote to memory of 1712 (x7) N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe
PID 1712 wrote to memory of 2116 (x7) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe
PID 2116 wrote to memory of 3020 (x7) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe
PID 2116 wrote to memory of 2624 (x7) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0181364.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0181364.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0181364.exe

Network

Country Destination Domain Proto
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe

MD5 465c6d2352284d150a9b2179f4d9e7ae
SHA1 5ff15d1cda77a7be9ea9c617601b3db5b9311ae0
SHA256 691639ccc05606d3c26582f11bdec76d77267ba89f9ab2dfd2df19341f74ab15
SHA512 cc6f1fc0823aa2ebfcbf2ac4607965500319f85986c5717787e399847199e4d0ff53f3122a5b8227fc43c531a8b238f551f25f8d0257a981e17df14f35969771

\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe

MD5 c2792040cfaa5b6d1c40766f24de1fb6
SHA1 deade634406e12775c09a4c4c439a175887fd4d4
SHA256 631a5f1ddf595d05bc5e112400e8709200ae6af3b70702e5b7724c40cea430b9
SHA512 5725814c5bdc1973dfcb8d017132606c0718f26ce37b382569b9def41c5d56da5ce9986f24274ac98097e9b143572c80b22fe5f9cd1c014cd7a9513da2950875

\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe

MD5 0841136745fed26db0100d2f7afa9123
SHA1 1e6968f5ec1ec3b812b297041264fd674fd50a6e
SHA256 e83af78b68458b4e41d8b0163aa8c7976f3af6f8e5218e15d9beac54be070d92
SHA512 b359a115c47a8a22f79ea03eebd24993304e935dd96856cc59030f716bffbf0a0b0ec546452a4c6bd1e0cd8367801eb52283e7456d95c5bb246273b26bdf8a40

\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0181364.exe

MD5 7b6a393d9aa2696a989a516ceb1b2ac7
SHA1 dc1807b37096b6c48e8fffa8e50b53d3f2b742e4
SHA256 5bb7f0a58f226534f4727599cb4f03da171e88aae0b0bca43e4633841ca62988
SHA512 a81ff5cc2821e97eacf13e7441b3a0dc329d07a6b2f6f841c417dace487810b796915a524cf6a2bedd70354d5e8fb6983f9f9232cf0c7b69a026d6b2df3d9475

memory/2624-34-0x0000000000160000-0x0000000000190000-memory.dmp

memory/2624-35-0x0000000000350000-0x0000000000356000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-09-10 15:18

Reported: 2023-09-10 15:21

Platform: win10v2004-20230831-en

Max time kernel: 140s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 776 set thread context of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description (event count) Indicator Process Target
PID 1452 wrote to memory of 112 (x3) N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe
PID 112 wrote to memory of 644 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe
PID 644 wrote to memory of 776 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe
PID 776 wrote to memory of 1088 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 776 wrote to memory of 4576 (x8) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 644 wrote to memory of 4444 (x3) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0181364.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 776 -ip 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 140

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0181364.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0181364.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 125.132.60.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 254.210.247.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9854880.exe

MD5 465c6d2352284d150a9b2179f4d9e7ae
SHA1 5ff15d1cda77a7be9ea9c617601b3db5b9311ae0
SHA256 691639ccc05606d3c26582f11bdec76d77267ba89f9ab2dfd2df19341f74ab15
SHA512 cc6f1fc0823aa2ebfcbf2ac4607965500319f85986c5717787e399847199e4d0ff53f3122a5b8227fc43c531a8b238f551f25f8d0257a981e17df14f35969771

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4418309.exe

MD5 c2792040cfaa5b6d1c40766f24de1fb6
SHA1 deade634406e12775c09a4c4c439a175887fd4d4
SHA256 631a5f1ddf595d05bc5e112400e8709200ae6af3b70702e5b7724c40cea430b9
SHA512 5725814c5bdc1973dfcb8d017132606c0718f26ce37b382569b9def41c5d56da5ce9986f24274ac98097e9b143572c80b22fe5f9cd1c014cd7a9513da2950875

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4407486.exe

MD5 0841136745fed26db0100d2f7afa9123
SHA1 1e6968f5ec1ec3b812b297041264fd674fd50a6e
SHA256 e83af78b68458b4e41d8b0163aa8c7976f3af6f8e5218e15d9beac54be070d92
SHA512 b359a115c47a8a22f79ea03eebd24993304e935dd96856cc59030f716bffbf0a0b0ec546452a4c6bd1e0cd8367801eb52283e7456d95c5bb246273b26bdf8a40

memory/4576-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4576-22-0x0000000073D60000-0x0000000074510000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0181364.exe

MD5 7b6a393d9aa2696a989a516ceb1b2ac7
SHA1 dc1807b37096b6c48e8fffa8e50b53d3f2b742e4
SHA256 5bb7f0a58f226534f4727599cb4f03da171e88aae0b0bca43e4633841ca62988
SHA512 a81ff5cc2821e97eacf13e7441b3a0dc329d07a6b2f6f841c417dace487810b796915a524cf6a2bedd70354d5e8fb6983f9f9232cf0c7b69a026d6b2df3d9475

memory/4444-26-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/4444-27-0x0000000073D60000-0x0000000074510000-memory.dmp

memory/4444-28-0x0000000005400000-0x0000000005A18000-memory.dmp

memory/4444-29-0x0000000004F60000-0x000000000506A000-memory.dmp

memory/4444-31-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

memory/4444-30-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/4444-32-0x0000000004F00000-0x0000000004F3C000-memory.dmp

memory/4576-33-0x0000000073D60000-0x0000000074510000-memory.dmp

memory/4576-35-0x0000000073D60000-0x0000000074510000-memory.dmp

memory/4444-36-0x0000000073D60000-0x0000000074510000-memory.dmp

memory/4444-37-0x0000000004B90000-0x0000000004BA0000-memory.dmp