Malware Analysis Report

2024-10-24 19:57

Sample ID 231024-zql2fshf44
Target NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe
SHA256 d3141d6f1c8e9ffc38e1f50bfbb6a98b12cfb3928b385d08a3432a11a9eec78d
Tags healer redline duha dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d3141d6f1c8e9ffc38e1f50bfbb6a98b12cfb3928b385d08a3432a11a9eec78d

Threat Level: Known bad

The file NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe was found to be: Known bad.

Malicious Activity Summary

healer redline duha dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

RedLine

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-24 20:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-24 20:55

Reported

2023-10-24 20:58

Platform

win7-20231023-en

Max time kernel

178s

Max time network

201s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A

RedLine

infostealer redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2740 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2320 wrote to memory of 2688 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
PID 2688 wrote to memory of 2648 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
PID 2648 wrote to memory of 2760 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
PID 2760 wrote to memory of 2740 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
PID 2740 wrote to memory of 2492 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2760 wrote to memory of 2612 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
PID 2648 wrote to memory of 2876 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe

Network

Country | Destination | Domain | Proto
N/A | 83.97.73.129:19068 (4 connections) | | tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe

MD5 0e3d2239c4a25a7264ae44a831d81c3b
SHA1 f7fc628a57c60b3bbbf436cc96385da4e1ad11b6
SHA256 4ebd7f708933604017190e74268abd7323e95dac8626d1225e90924cb12ff140
SHA512 def73ad5cb247fb3ebd20b30c4d922482ffbcaa343e461a346fb796919c134eff1e8d38654f8e3cef55a84de1a63a4742abf635b382caa2d2f55e0bf512fd440

\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe

MD5 fd8ac51dc1c2d8b7834a78e0db6ed6a8
SHA1 c8798848dc8fb611de0e9514ef2c7a8bdb5d976c
SHA256 5992c5b2b73ca34d4df5089c28ff838b011b8b85137a0185f5fb50de5894019d
SHA512 bd88d89b6d922ae65b15020ee975e25972a5049db7a953bb11df4756facffbbe7137800ad23db76edc75aabdff46866f42262b39fa16968ac8d6b7d4a49351e0

\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe

MD5 3aaa25211c35dde49090c60afec1679a
SHA1 a453fc2428636100ce1851a1af869285213b6cb3
SHA256 3db7d44dded8a8fe3becfc44572cb11db47392724b2a6df9081a447d98836c70
SHA512 951dd188bfe1005c3929bf9537490e919e35f62f9572ef3ca0fb246bd0041a867e4a6989474b598f4cc81f81cf6693d01386e6d58f650c882dfc1dec0b9ea141

\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe

MD5 fca5dc284ff561346aed89cf22e65f3a
SHA1 c4ed9b4b787262731387c3ea1fe607048e479c64
SHA256 4a49ee1995b0a0d726b4ecefffddaebaa4e7fb8837a56e29deb0553d8fb09b73
SHA512 c651b37871bd9baa1c65e977f36d746a8adbb60dde2eec496f22c192e61b8db0ca1ec27be5cd8c29f4478d31d83509e583f3306f6f3edefcbd8af4c15b05acb0

memory/2492-44-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2492-45-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2492-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2492-51-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2492-52-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe

MD5 7d8dae05fe03c9a974fa360c6ed466bd
SHA1 2b99b1aefc805b891128e71d505397589db65046
SHA256 f5d850e8ca95e93bb5fae3cdca1131b44c598bb92b31601d0bfaf413a9e3cacc
SHA512 178cc29f1707c9a015b265b8bd56c656ea7226b6533f5e498d82753d4b0ae33f51b2f2e1a3929c0f47e5df672fe7288c42d33129723590521a9e174c3a871636

memory/2612-57-0x00000000008C0000-0x00000000008CA000-memory.dmp

memory/2612-58-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/2612-59-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/2612-60-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe

MD5 6404d3c5153ae0e1d7e242fa31eda8d1
SHA1 138b0d7ffc3361614529ca25fb0064e187b92e51
SHA256 790daa4b0bdb251922811cad0b9022897b871e41850aa5ab6b6075bc4313bfe1
SHA512 92ef5b1b32ddecf45234622a5184e7bfc4288c43ac03d22d50e517096a37da1808d5fc549e917e389abe0cac3cefd9fed01ef2d538b58d528d8e3212f681d316

memory/2876-67-0x00000000001D0000-0x0000000000200000-memory.dmp

memory/2876-68-0x0000000000260000-0x0000000000266000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-24 20:55

Reported

2023-10-24 20:58

Platform

win10v2004-20231020-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A

RedLine

infostealer redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1504 set thread context of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
PID 4980 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
PID 4980 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
PID 1584 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
PID 1584 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
PID 1584 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
PID 2456 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
PID 2456 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
PID 2456 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
PID 4896 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
PID 4896 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
PID 4896 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
PID 1504 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1504 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1504 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1504 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1504 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4896 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
PID 4896 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
PID 2456 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
PID 2456 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
PID 2456 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
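
Reconstructing the chain from the rows above, as an added example that is not part of the sandbox report: the Python below collapses the repeated WriteProcessMemory rows into one edge per (writer, target) pair with a write count, walks the resulting process tree from the root writer, lists the IXPnnn.TMP extraction stages the paths pass through, and flags the single write that crosses from an image in the user's Temp directory into a Windows-owned binary (AppLaunch.exe, PID 972). The Temp-to-Windows heuristic is the editor's, not a verdict the sandbox emits, and the sample input is the table copied verbatim into a string.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table on this page
# (constructed sample input for this example; all rows kept so the write counts are real).
SANDBOX_ROWS = r"""
PID 4980 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
PID 4980 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
PID 4980 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
PID 1584 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
PID 1584 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
PID 1584 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
PID 2456 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
PID 2456 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
PID 2456 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
PID 4896 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
PID 4896 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
PID 4896 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
PID 1504 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1504 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1504 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1504 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1504 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4896 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
PID 4896 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
PID 2456 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
PID 2456 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
PID 2456 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
"""

# Description, Indicator (always N/A in this table), Process, Target; paths here contain no spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Collapse the table into edges: (src_pid, dst_pid) -> {src, dst, writes}."""
    edges = {}
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        edge = edges.setdefault((int(src), int(dst)), {"src": src_img, "dst": dst_img, "writes": 0})
        edge["writes"] += 1
    return edges


def process_tree(edges):
    """Return (roots, depth): roots are writers nobody wrote into; depth[pid] is hops from a root."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    written_to = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - written_to)
    depth = {}

    def walk(pid, level):
        depth[pid] = level
        for child in children[pid]:
            walk(child, level + 1)

    for root in roots:
        walk(root, 0)
    return roots, depth


def dropper_stages(edges):
    """Distinct IXPnnn.TMP extraction directories seen on either side of a write, sorted."""
    stages = set()
    for edge in edges.values():
        for path in (edge["src"], edge["dst"]):
            m = re.search(r"\\(IXP\d{3}\.TMP)\\", path, re.IGNORECASE)
            if m:
                stages.add(m.group(1).upper())
    return sorted(stages)


def injection_candidates(edges):
    """Editor's heuristic: an image under the user's Temp directory writing into a process whose
    image lives under the Windows directory is the shape of hollowing a trusted host binary."""
    def in_user_temp(p):
        return "\\appdata\\local\\temp\\" in p.lower()

    def is_os_image(p):
        return p.lower().startswith("c:\\windows\\")

    return [
        {"src_pid": s, "dst_pid": d, "src": e["src"], "dst": e["dst"], "writes": e["writes"]}
        for (s, d), e in edges.items()
        if in_user_temp(e["src"]) and is_os_image(e["dst"])
    ]


if __name__ == "__main__":
    edges = parse_rows(SANDBOX_ROWS)
    roots, depth = process_tree(edges)
    print("root writer(s):", roots, "| extraction stages:", dropper_stages(edges))
    for (src, dst), e in sorted(edges.items(), key=lambda kv: (depth[kv[0][1]], kv[0])):
        print(f"{'  ' * depth[dst]}{src} -> {dst} ({e['writes']} writes) {e['dst']}")
    for hit in injection_candidates(edges):
        print("INJECTION CANDIDATE:", hit["src_pid"], "->", hit["dst_pid"], hit["dst"])
```

Run against this table the tree is five hops deep with two side branches (k3958439.exe and l9642186.exe), and the only Temp-to-Windows write is j5098942.exe into AppLaunch.exe, the same pair the "Suspicious use of SetThreadContext" signature in the summary points at. The script has no knowledge of the malware families; it works on any report that prints WriteProcessMemory rows in this shape.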

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1504 -ip 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 83.97.73.129:19068 tcp
N/A 83.97.73.129:19068 tcp
US 8.8.8.8:53 126.209.247.8.in-addr.arpa udp
N/A 83.97.73.129:19068 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
N/A 83.97.73.129:19068 tcp
N/A 83.97.73.129:19068 tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
N/A 83.97.73.129:19068 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe

MD5 0e3d2239c4a25a7264ae44a831d81c3b
SHA1 f7fc628a57c60b3bbbf436cc96385da4e1ad11b6
SHA256 4ebd7f708933604017190e74268abd7323e95dac8626d1225e90924cb12ff140
SHA512 def73ad5cb247fb3ebd20b30c4d922482ffbcaa343e461a346fb796919c134eff1e8d38654f8e3cef55a84de1a63a4742abf635b382caa2d2f55e0bf512fd440

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe

MD5 fd8ac51dc1c2d8b7834a78e0db6ed6a8
SHA1 c8798848dc8fb611de0e9514ef2c7a8bdb5d976c
SHA256 5992c5b2b73ca34d4df5089c28ff838b011b8b85137a0185f5fb50de5894019d
SHA512 bd88d89b6d922ae65b15020ee975e25972a5049db7a953bb11df4756facffbbe7137800ad23db76edc75aabdff46866f42262b39fa16968ac8d6b7d4a49351e0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe

MD5 3aaa25211c35dde49090c60afec1679a
SHA1 a453fc2428636100ce1851a1af869285213b6cb3
SHA256 3db7d44dded8a8fe3becfc44572cb11db47392724b2a6df9081a447d98836c70
SHA512 951dd188bfe1005c3929bf9537490e919e35f62f9572ef3ca0fb246bd0041a867e4a6989474b598f4cc81f81cf6693d01386e6d58f650c882dfc1dec0b9ea141

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe

MD5 fca5dc284ff561346aed89cf22e65f3a
SHA1 c4ed9b4b787262731387c3ea1fe607048e479c64
SHA256 4a49ee1995b0a0d726b4ecefffddaebaa4e7fb8837a56e29deb0553d8fb09b73
SHA512 c651b37871bd9baa1c65e977f36d746a8adbb60dde2eec496f22c192e61b8db0ca1ec27be5cd8c29f4478d31d83509e583f3306f6f3edefcbd8af4c15b05acb0

memory/1504-29-0x0000000000680000-0x0000000000780000-memory.dmp

memory/972-30-0x0000000000400000-0x000000000040A000-memory.dmp

memory/972-35-0x0000000074520000-0x0000000074CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe

MD5 7d8dae05fe03c9a974fa360c6ed466bd
SHA1 2b99b1aefc805b891128e71d505397589db65046
SHA256 f5d850e8ca95e93bb5fae3cdca1131b44c598bb92b31601d0bfaf413a9e3cacc
SHA512 178cc29f1707c9a015b265b8bd56c656ea7226b6533f5e498d82753d4b0ae33f51b2f2e1a3929c0f47e5df672fe7288c42d33129723590521a9e174c3a871636

memory/3696-39-0x0000000000770000-0x000000000077A000-memory.dmp

memory/3696-40-0x00007FF8FF240000-0x00007FF8FFD01000-memory.dmp

memory/972-41-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/972-43-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/3696-45-0x00007FF8FF240000-0x00007FF8FFD01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe

MD5 6404d3c5153ae0e1d7e242fa31eda8d1
SHA1 138b0d7ffc3361614529ca25fb0064e187b92e51
SHA256 790daa4b0bdb251922811cad0b9022897b871e41850aa5ab6b6075bc4313bfe1
SHA512 92ef5b1b32ddecf45234622a5184e7bfc4288c43ac03d22d50e517096a37da1808d5fc549e917e389abe0cac3cefd9fed01ef2d538b58d528d8e3212f681d316

memory/1168-49-0x0000000000500000-0x0000000000530000-memory.dmp

memory/1168-50-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/1168-51-0x0000000002700000-0x0000000002706000-memory.dmp

memory/1168-52-0x0000000005550000-0x0000000005B68000-memory.dmp

memory/1168-53-0x0000000005090000-0x000000000519A000-memory.dmp

memory/1168-54-0x00000000026E0000-0x00000000026F0000-memory.dmp

memory/1168-55-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

memory/1168-56-0x0000000005030000-0x000000000506C000-memory.dmp

memory/1168-57-0x00000000051A0000-0x00000000051EC000-memory.dmp

memory/1168-58-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/1168-59-0x00000000026E0000-0x00000000026F0000-memory.dmp
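
Turning the Files and Network tables into one IOC set, as an added example that is not part of the report: the Python below keys dropped files by SHA256 so repeated entries for the same file collapse, treats the in-addr.arpa reverse lookups and the bing.com traffic as sandbox/OS background (an assumption of this example, not a verdict the report makes), keeps any other DNS name as a domain indicator, and counts the remaining TCP endpoints, which for this detonation leaves only 83.97.73.129:19068. The sample text is a constructed subset of the two tables above, with one file entry deliberately repeated as it is in the report.

```python
import re
from collections import Counter

# Constructed sample input: a subset of this page's Files table (SHA512 lines omitted,
# first entry repeated on purpose) and of its Network table.
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
MD5 0e3d2239c4a25a7264ae44a831d81c3b
SHA1 f7fc628a57c60b3bbbf436cc96385da4e1ad11b6
SHA256 4ebd7f708933604017190e74268abd7323e95dac8626d1225e90924cb12ff140

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
MD5 0e3d2239c4a25a7264ae44a831d81c3b
SHA1 f7fc628a57c60b3bbbf436cc96385da4e1ad11b6
SHA256 4ebd7f708933604017190e74268abd7323e95dac8626d1225e90924cb12ff140

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
MD5 fca5dc284ff561346aed89cf22e65f3a
SHA1 c4ed9b4b787262731387c3ea1fe607048e479c64
SHA256 4a49ee1995b0a0d726b4ecefffddaebaa4e7fb8837a56e29deb0553d8fb09b73

memory/1504-29-0x0000000000680000-0x0000000000780000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
MD5 6404d3c5153ae0e1d7e242fa31eda8d1
SHA1 138b0d7ffc3361614529ca25fb0064e187b92e51
SHA256 790daa4b0bdb251922811cad0b9022897b871e41850aa5ab6b6075bc4313bfe1
"""

NETWORK_TEXT = """
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
N/A 83.97.73.129:19068 tcp
N/A 83.97.73.129:19068 tcp
US 8.8.8.8:53 126.209.247.8.in-addr.arpa udp
N/A 83.97.73.129:19068 tcp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
# Country, ip:port, optional domain, proto; the domain column is empty for the raw TCP rows.
NET_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
# Assumption: OS/browser background chatter in the sandbox, not traffic generated by the sample.
BACKGROUND_DOMAINS = ("bing.com",)


def parse_files(text):
    """Collect hashes per path, then key by SHA256 so repeated entries collapse to one IOC."""
    per_path, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("c:\\"):
            current = line
            per_path.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            per_path[current][m.group(1).lower()] = m.group(2).lower()
    by_sha256 = {}
    for path, hashes in per_path.items():
        if "sha256" in hashes:
            by_sha256.setdefault(hashes["sha256"], {"path": path, **hashes})
    return by_sha256


def classify_network(text):
    """Split rows into noise, queried domains, and candidate C2 endpoints (ip:port/proto -> hits)."""
    noise, domains, candidates = [], set(), Counter()
    for raw in text.splitlines():
        m = NET_RE.match(raw.strip())
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        domain = (domain or "").lower()
        if domain.endswith(".in-addr.arpa") or domain.endswith(BACKGROUND_DOMAINS):
            noise.append(raw.strip())          # reverse lookups and background chatter
        elif proto == "udp" and port == "53":
            domains.add(domain)                # a real DNS query: keep the name, not the resolver
        else:
            candidates[f"{ip}:{port}/{proto}"] += 1
    return noise, domains, candidates


def build_iocs(files_text, network_text):
    """One de-duplicated IOC set a hunt team can load: hashes, domains, endpoints."""
    files = parse_files(files_text)
    noise, domains, candidates = classify_network(network_text)
    return {
        "sha256": sorted(files),
        "md5": sorted(h["md5"] for h in files.values() if "md5" in h),
        "domains": sorted(domains),
        "endpoints": dict(candidates),
        "rows_dropped_as_noise": len(noise),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(FILES_TEXT, NETWORK_TEXT), indent=2))
```

The DNS branch matters more than it looks here: on this detonation every query is a reverse lookup or bing.com, so the resolver address 8.8.8.8 never becomes an "endpoint", but a report with a real C2 hostname would yield the name under "domains" rather than burying it as a connection to the resolver. Anything left under "endpoints" is what to pivot on in proxy and firewall logs.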