Malware Analysis Report

2024-10-16 03:40

Sample ID 240817-y4nlrsxenq
Target 428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4
SHA256 428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4
Tags
discovery healer redline petin dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4

Threat Level: Known bad

The file 428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4 was found to be: Known bad.

Malicious Activity Summary

discovery healer redline petin dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

Detects Healer an antivirus disabler dropper

RedLine payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 20:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 20:20

Reported

2024-08-17 20:23

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe"

Signatures

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2884 set thread context of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2212 wrote to memory of 2908 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2212 wrote to memory of 2908 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2212 wrote to memory of 2908 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2212 wrote to memory of 2908 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2212 wrote to memory of 2908 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2212 wrote to memory of 2908 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2212 wrote to memory of 2908 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe

"C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 200

Network

N/A

Files

memory/2212-0-0x0000000000400000-0x0000000000505000-memory.dmp

memory/2212-1-0x0000000000400000-0x0000000000505000-memory.dmp

memory/2212-3-0x0000000000400000-0x0000000000505000-memory.dmp

memory/2212-4-0x0000000000400000-0x0000000000505000-memory.dmp

memory/2212-7-0x0000000000400000-0x0000000000505000-memory.dmp

memory/2212-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2212-2-0x0000000000400000-0x0000000000505000-memory.dmp

memory/2212-5-0x0000000000400000-0x0000000000505000-memory.dmp

memory/2212-11-0x0000000000400000-0x0000000000505000-memory.dmp

memory/2212-9-0x0000000000400000-0x0000000000505000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 20:20

Reported

2024-08-17 20:23

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7447906.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2600 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2600 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2600 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2600 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2600 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2600 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2600 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2600 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2600 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2600 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3140 wrote to memory of 1688 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe
PID 3140 wrote to memory of 1688 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe
PID 3140 wrote to memory of 1688 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe
PID 1688 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe
PID 1688 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe
PID 1688 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe
PID 1204 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe
PID 1204 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe
PID 1204 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe
PID 5100 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe
PID 5100 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe
PID 5100 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe
PID 3180 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5100 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7447906.exe
PID 5100 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7447906.exe
PID 5100 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7447906.exe

Processes

C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe

"C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7447906.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7447906.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp

Files

memory/3140-0-0x0000000000400000-0x0000000000505000-memory.dmp

memory/3140-1-0x0000000000400000-0x0000000000505000-memory.dmp

memory/3140-2-0x0000000000400000-0x0000000000505000-memory.dmp

memory/3140-3-0x0000000000400000-0x0000000000505000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe

MD5 88d5fd113c09668f3838eef2ab65b905
SHA1 30f05b24630d929558f3974adfee993fef8bd36b
SHA256 e3c1e438cd356f996a754365db5dc415567006bffe35f93d85919b6f88179eef
SHA512 3111772f9af5b7bfe37bbb8faf52e189db3333f9d4909000de8caf90a514b06cb4a48fd58c39c321493e8f7f6c6b8db093827efa5c135eb60643fe5f5de2980f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe

MD5 f4dcf0031561539adcb557adf8b97985
SHA1 1d6c780c0fc7a3a4f24396ec65e92e3702fd0af0
SHA256 cf0d8739cdbe376e1a8b8a3952adc99d47bcd3116b1dd86035724f803ec43dde
SHA512 261da04b6be2e0e43dd11fbd7a53151d9c11d441c584b6e5b45184508ebbad259cdc1f0689f12ef7fd6d9c25e9c2b446742d1995e6a4b8dde933ffbfbc77d0c8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe

MD5 9ea3ea99bb86b9d68aee43047d6db7cb
SHA1 e0908f8a9335ca8cf1c13207b97e4785f5f21e98
SHA256 4caecef34efb1cec16aa421840ece7a0119148ef06316d86f32214302baee5ba
SHA512 9d43cf7e1e4da4cc7a66dd5d054dec32460c08751cc3292cb10636fc2ebebd3c629805ed7f06cd4767b25156b1a79be8dc7c07f053b3b0130e466200e76ab988

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe

MD5 d46c32d6c3de62189b821e9d38959c3a
SHA1 9d91af0c4ac196df3bce8b5ad5ebde458405a1ac
SHA256 6170f39ac92cf7d6416b228963cd414e159c986bce346059953c95c7763e0285
SHA512 2c5aac5425f64ebf426033bef32d35304caf000345f977767f605586dfe7729caf1bfd937e65f37f0eba896ef7836f817c8899b7827ef4a60d7f6b4e74eabcc6

memory/4676-32-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7447906.exe

MD5 18bde8c4099d21e05eeeb1ad55d7477e
SHA1 cf08147f849b66af7caed2e8a86dbf37963aa980
SHA256 6d1ba25a80f57f73a0ada041ec135321bdd73503b8adee6aea9616106af18da9
SHA512 f764cfa1e6360cc02dae11408190820b454409eba565ff63d7a6061daffc5ce658399dd929a96acb941e4d8dc102e6f905314708647eabcb115610b694b4a267

memory/4572-36-0x0000000000650000-0x0000000000680000-memory.dmp

memory/4572-37-0x00000000029F0000-0x00000000029F6000-memory.dmp

memory/4572-38-0x000000000AAA0000-0x000000000B0B8000-memory.dmp

memory/4572-39-0x000000000A600000-0x000000000A70A000-memory.dmp

memory/4572-40-0x000000000A540000-0x000000000A552000-memory.dmp

memory/4572-41-0x000000000A5A0000-0x000000000A5DC000-memory.dmp

memory/4572-42-0x00000000028D0000-0x000000000291C000-memory.dmp

memory/3140-43-0x0000000000400000-0x0000000000505000-memory.dmp