Malware Analysis Report

2025-08-05 11:06

Sample ID 241111-hn19xstrb1
Target c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5
SHA256 c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5
Tags
healer redline boris discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5

Threat Level: Known bad

The file c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5 was found to be: Known bad.

Malicious Activity Summary

healer redline boris discovery dropper evasion infostealer persistence trojan

Healer

Healer family

RedLine

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer an antivirus disabler dropper

Redline family

Windows security modification

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:53

Reported

2024-11-11 06:56

Platform

win7-20240903-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe
PID 1992 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe
PID 1992 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe

"C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe

Network

Country Destination Domain Proto
RU 193.233.20.32:4125 tcp

Files

memory/2472-0-0x0000000000230000-0x00000000002B2000-memory.dmp

memory/2472-1-0x0000000000230000-0x00000000002B2000-memory.dmp

memory/2472-2-0x0000000002BF0000-0x0000000002C7C000-memory.dmp

memory/2472-3-0x0000000000400000-0x000000000048F000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe

MD5 c31bfc218dc4b4bc62d8deffd5ee697b
SHA1 56985a2622bfdf6d05f069e05593fe75dfb53c2f
SHA256 2f6bbe6ecc31cdb88d3bf571e99f3d04bf1e1fcb1ce8173c06259e8acd70c002
SHA512 fdea666d04f6a95393ab7da59440fe7a9680d996d8cf72ec84d8e5942c691634634ef0fa47382b791755e69f64627c31ae2a784734756aad25afcf1def76a059

\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe

MD5 ef81976e2567c13c535b6fbb9c7d0449
SHA1 686f13926bd592e6e2e3299d2289a7a91aab4016
SHA256 007180bcbbb47134203165b2d135856a2a8d5797b1b1b8517d5a72ae5ae49a79
SHA512 d055f442afb631863b82f358c4923608c5e83959a03ae41ab5dabd55036259b41bdde31e0985935cca1fb75e645b7ff92340c795421e54c1b2f65539ebe5cba0

memory/2320-22-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

memory/2472-23-0x0000000002BF0000-0x0000000002C7C000-memory.dmp

memory/2472-25-0x0000000000400000-0x000000000048F000-memory.dmp

memory/2472-24-0x0000000000400000-0x0000000002BE2000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe

MD5 dc6982d18197b20cf779fe63bbb3d121
SHA1 45fd57ac612df4cf75c9c7c2c5d6cac54375d91a
SHA256 10a0c4a7dc771f95230157b49db44efa4ed4086bc0555eb8a2fd0c7f8ad989d6
SHA512 b60efef987a10ea3b72ee66a97e51cf2169375607a331997a8dabca6d2134391e9c8e20984ecc517ac03a2d5d04cb0de2514ad411522c5114825197c81a45e52

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 06:53

Reported

2024-11-11 06:56

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe

"C:\Users\Admin\AppData\Local\Temp\c28b71d62c7875261590da26e4271f0f682faaea6cfb83192f74cd4e0d50b3e5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.32:4125 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3884-1-0x00000000048A0000-0x0000000004927000-memory.dmp

memory/3884-2-0x0000000004930000-0x00000000049BC000-memory.dmp

memory/3884-3-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihW1524.exe

MD5 c31bfc218dc4b4bc62d8deffd5ee697b
SHA1 56985a2622bfdf6d05f069e05593fe75dfb53c2f
SHA256 2f6bbe6ecc31cdb88d3bf571e99f3d04bf1e1fcb1ce8173c06259e8acd70c002
SHA512 fdea666d04f6a95393ab7da59440fe7a9680d996d8cf72ec84d8e5942c691634634ef0fa47382b791755e69f64627c31ae2a784734756aad25afcf1def76a059

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr395234.exe

MD5 ef81976e2567c13c535b6fbb9c7d0449
SHA1 686f13926bd592e6e2e3299d2289a7a91aab4016
SHA256 007180bcbbb47134203165b2d135856a2a8d5797b1b1b8517d5a72ae5ae49a79
SHA512 d055f442afb631863b82f358c4923608c5e83959a03ae41ab5dabd55036259b41bdde31e0985935cca1fb75e645b7ff92340c795421e54c1b2f65539ebe5cba0

memory/2152-19-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

memory/2152-18-0x00007FFE55B23000-0x00007FFE55B25000-memory.dmp

memory/3884-20-0x00000000048A0000-0x0000000004927000-memory.dmp

memory/3884-21-0x0000000004930000-0x00000000049BC000-memory.dmp

memory/3884-22-0x0000000000400000-0x000000000048F000-memory.dmp

memory/3884-23-0x0000000000400000-0x0000000002BE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku679542.exe

MD5 dc6982d18197b20cf779fe63bbb3d121
SHA1 45fd57ac612df4cf75c9c7c2c5d6cac54375d91a
SHA256 10a0c4a7dc771f95230157b49db44efa4ed4086bc0555eb8a2fd0c7f8ad989d6
SHA512 b60efef987a10ea3b72ee66a97e51cf2169375607a331997a8dabca6d2134391e9c8e20984ecc517ac03a2d5d04cb0de2514ad411522c5114825197c81a45e52
