Malware Analysis Report

2025-08-11 07:52

Sample ID 241111-glvtpavcjh
Target 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173
SHA256 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173
Tags
healer redline sony discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173

Threat Level: Known bad

The file 3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173 was found to be: Known bad.

Malicious Activity Summary

healer redline sony discovery dropper evasion infostealer persistence trojan

Healer

RedLine

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer family

Detects Healer, an antivirus disabler dropper

Windows security modification

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:54

Reported

2024-11-11 05:56

Platform

win7-20240903-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe
PID 2132 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe
PID 2132 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe
PID 2132 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe
PID 2132 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe
PID 2132 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe
PID 2132 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe
PID 2136 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe
PID 2136 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe
PID 2136 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe
PID 2136 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe
PID 2136 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe
PID 2136 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe
PID 2136 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe
PID 2136 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe
PID 2136 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe
PID 2136 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe
PID 2136 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe
PID 2136 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe
PID 2136 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe
PID 2136 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe

"C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe

Network

Country Destination Domain Proto
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp

Files

memory/2132-0-0x0000000000230000-0x00000000002B1000-memory.dmp

memory/2132-1-0x0000000000230000-0x00000000002B1000-memory.dmp

memory/2132-2-0x0000000001FB0000-0x000000000203B000-memory.dmp

memory/2132-3-0x0000000000400000-0x000000000048E000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe

MD5 fbb0766c66e33ee3a53e9ed2b827daa0
SHA1 8928d09d37a301d996657da261f2697ba3a647fd
SHA256 59b04f3e7728eb2f28ea01087a66a2c8ba6edcc36f43c81dbf61da5a5e99c7b1
SHA512 d973971cec47db5b79905c93853ed456d6dae1420992a668f74917d0d3eb7f2b7baebbba658b79289457ae1d032424db214a51ef7229ce77c7bdb74f42540494

\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe

MD5 6e8f52ddef9bef053648d152ac59f057
SHA1 5c54bbcd7e25c9518c0f431357cc79ac64af1de8
SHA256 07a913a067031ab6c5b18b73b6026320586bea449bc6f9d183fa72553bb17d49
SHA512 7f740f706ebda245c4f3a0224b42f292fd3fb681f6ba4bad9a0b4c9469c4652a11bd1b8bb2f3b7cb5a82ccd06e22bef047fad1041b95538ef58b990fc4a9cd78

memory/2128-22-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

memory/2128-23-0x0000000001090000-0x000000000109A000-memory.dmp

memory/2132-24-0x0000000001FB0000-0x000000000203B000-memory.dmp

memory/2132-25-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2128-27-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

memory/2132-26-0x0000000000400000-0x0000000000770000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe

MD5 746c4dd70fed84f4a332eb0472cd09b1
SHA1 009678bae4c4fe11393e8196f91d98122273e7df
SHA256 5f7919f529a13f35bd52dd31bae98948a6e130e29785b3dcc99e238d5bfdfc43
SHA512 82b2db294024f50e3394058361fe8582e43927040aa975995a14be143f22bf04ea98c17114c7cbd3d0e8a9fb275eb9e169aa84d74d6656247e77d8f369fe12a0

memory/2652-38-0x0000000004DD0000-0x0000000004E16000-memory.dmp

memory/2652-39-0x0000000004E10000-0x0000000004E54000-memory.dmp

memory/2652-45-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-57-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-40-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-41-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-43-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-55-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-63-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-65-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-79-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-77-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-75-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-81-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-73-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-71-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-69-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-67-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-61-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-59-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-53-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-101-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-51-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-49-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-47-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-99-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-97-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-95-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-93-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-91-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-89-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-87-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-85-0x0000000004E10000-0x0000000004E4E000-memory.dmp

memory/2652-83-0x0000000004E10000-0x0000000004E4E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 05:54

Reported

2024-11-11 05:56

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe

"C:\Users\Admin\AppData\Local\Temp\3b809e2cdc53dd38b6a46e60fc0b7d327e293787bd4bc1724bff96ffcbfad173.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 193.233.20.33:4125 tcp
RU 193.233.20.33:4125 tcp

Files

memory/3136-1-0x0000000002380000-0x0000000002403000-memory.dmp

memory/3136-2-0x0000000002410000-0x000000000249B000-memory.dmp

memory/3136-3-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOc8233.exe

MD5 fbb0766c66e33ee3a53e9ed2b827daa0
SHA1 8928d09d37a301d996657da261f2697ba3a647fd
SHA256 59b04f3e7728eb2f28ea01087a66a2c8ba6edcc36f43c81dbf61da5a5e99c7b1
SHA512 d973971cec47db5b79905c93853ed456d6dae1420992a668f74917d0d3eb7f2b7baebbba658b79289457ae1d032424db214a51ef7229ce77c7bdb74f42540494

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr053814.exe

MD5 6e8f52ddef9bef053648d152ac59f057
SHA1 5c54bbcd7e25c9518c0f431357cc79ac64af1de8
SHA256 07a913a067031ab6c5b18b73b6026320586bea449bc6f9d183fa72553bb17d49
SHA512 7f740f706ebda245c4f3a0224b42f292fd3fb681f6ba4bad9a0b4c9469c4652a11bd1b8bb2f3b7cb5a82ccd06e22bef047fad1041b95538ef58b990fc4a9cd78

memory/2312-18-0x00007FFBF6223000-0x00007FFBF6225000-memory.dmp

memory/2312-19-0x0000000000390000-0x000000000039A000-memory.dmp

memory/3136-20-0x0000000002380000-0x0000000002403000-memory.dmp

memory/3136-21-0x0000000002410000-0x000000000249B000-memory.dmp

memory/3136-22-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2312-24-0x00007FFBF6223000-0x00007FFBF6225000-memory.dmp

memory/3136-23-0x0000000000400000-0x0000000000770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku613286.exe

MD5 746c4dd70fed84f4a332eb0472cd09b1
SHA1 009678bae4c4fe11393e8196f91d98122273e7df
SHA256 5f7919f529a13f35bd52dd31bae98948a6e130e29785b3dcc99e238d5bfdfc43
SHA512 82b2db294024f50e3394058361fe8582e43927040aa975995a14be143f22bf04ea98c17114c7cbd3d0e8a9fb275eb9e169aa84d74d6656247e77d8f369fe12a0

memory/2128-30-0x0000000004A80000-0x0000000004AC6000-memory.dmp

memory/2128-31-0x00000000072A0000-0x0000000007844000-memory.dmp

memory/2128-32-0x0000000007160000-0x00000000071A4000-memory.dmp

memory/2128-38-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-50-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-94-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-92-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-90-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-88-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-84-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-82-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-80-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-78-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-76-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-72-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-70-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-69-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-66-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-65-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-62-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-60-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-58-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-56-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-54-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-48-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-46-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-44-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-42-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-40-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-86-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-74-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-52-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-36-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-34-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-33-0x0000000007160000-0x000000000719E000-memory.dmp

memory/2128-939-0x0000000007850000-0x0000000007E68000-memory.dmp

memory/2128-940-0x0000000007E70000-0x0000000007F7A000-memory.dmp

memory/2128-941-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/2128-942-0x00000000080C0000-0x00000000080FC000-memory.dmp

memory/2128-943-0x0000000008110000-0x000000000815C000-memory.dmp