Malware Analysis Report

2025-03-15 01:42

Sample ID 230910-k264fafh8s
Target file
SHA256 a2f28321fe155d154fee2fa53c6116b193e1c908ea0ae3aa7157ea739f38861d
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a2f28321fe155d154fee2fa53c6116b193e1c908ea0ae3aa7157ea739f38861d

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

SmokeLoader

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 09:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 09:06

Reported

2023-09-10 09:09

Platform

win7-20230831-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2408 set thread context of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2324 wrote to memory of 2120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2324 wrote to memory of 2120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2324 wrote to memory of 2120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2324 wrote to memory of 2120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2324 wrote to memory of 2120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2324 wrote to memory of 2120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2324 wrote to memory of 2120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 200

Network

N/A

Files

memory/2324-0-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2324-2-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2324-1-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2324-3-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2324-4-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2324-5-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2324-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2324-7-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2324-9-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2324-11-0x0000000000400000-0x0000000000525000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-10 09:06

Reported

2023-09-10 09:09

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2272 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2272 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2272 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2272 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2272 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2272 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2272 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2272 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2272 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2288 wrote to memory of 3428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe
PID 2288 wrote to memory of 3428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe
PID 2288 wrote to memory of 3428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe
PID 3428 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe
PID 3428 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe
PID 3428 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe
PID 3988 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe
PID 3988 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe
PID 3988 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe
PID 1888 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe
PID 1888 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe
PID 1888 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe
PID 1988 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe
PID 1988 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe
PID 1988 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe
PID 2240 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe
PID 1988 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe
PID 1988 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe
PID 1720 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1888 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe
PID 1888 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe
PID 1888 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe
PID 1208 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1208 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3988 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe
PID 3988 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe
PID 3988 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2272 -ip 2272

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 240

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2240 -ip 2240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1120 -ip 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1208 -ip 1208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 568

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
FI 77.91.124.82:19071 tcp

Files

memory/2288-0-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2288-1-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2288-2-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2288-3-0x0000000000400000-0x0000000000525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe

MD5 bafb2d8450df47c7e24c29c4c09a89f6
SHA1 3e1f5226c10b89868f2ba02765d216c77b05a2e7
SHA256 5423bbfb958e1e1f63e71258dcb4627f8c032b52bc041031836963dd91438761
SHA512 646d9b6b8884a4122bbe1dcb19203214114c91dbf8fecb4f701ef1e34c3592df2a75eaa5c7c3f9b70a6aa0dd9cef4990d37424168f93c09e2e52b07740f9b4fa

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe

MD5 bafb2d8450df47c7e24c29c4c09a89f6
SHA1 3e1f5226c10b89868f2ba02765d216c77b05a2e7
SHA256 5423bbfb958e1e1f63e71258dcb4627f8c032b52bc041031836963dd91438761
SHA512 646d9b6b8884a4122bbe1dcb19203214114c91dbf8fecb4f701ef1e34c3592df2a75eaa5c7c3f9b70a6aa0dd9cef4990d37424168f93c09e2e52b07740f9b4fa

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe

MD5 c9e6cadf3478906f3f8fd3a457955b84
SHA1 e0b931c456ff10556a35057b42a664b6c339606e
SHA256 182fdde752aff01648128a5fffb0bd56bd5ccbe3c091f466129f90fde7694cab
SHA512 39046dd1b7c55de8772e5942fcb1463d715c33d7008b7e79579f935a34b36dd65745d9d68a5bfc15b53cb2ed9894aaba9b787758a1a68800239df704c6408b18

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe

MD5 c9e6cadf3478906f3f8fd3a457955b84
SHA1 e0b931c456ff10556a35057b42a664b6c339606e
SHA256 182fdde752aff01648128a5fffb0bd56bd5ccbe3c091f466129f90fde7694cab
SHA512 39046dd1b7c55de8772e5942fcb1463d715c33d7008b7e79579f935a34b36dd65745d9d68a5bfc15b53cb2ed9894aaba9b787758a1a68800239df704c6408b18

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe

MD5 c768f7d41a7dea0ec447894dd1923286
SHA1 66d98aab3cb17657fd6b0adef818df95ad7d084c
SHA256 b3d5058d30bdefc609434282b4f4ee7bf02fcb4df0e478d28207b3bac3327390
SHA512 38e74198945a7d05edce739053418c9a300b46c8b5ce460b4b1657c85319f5b55551f97de5b1db12878ad5f289f6aa459be9b2b785101168ba155d8e56fa2181

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe

MD5 c768f7d41a7dea0ec447894dd1923286
SHA1 66d98aab3cb17657fd6b0adef818df95ad7d084c
SHA256 b3d5058d30bdefc609434282b4f4ee7bf02fcb4df0e478d28207b3bac3327390
SHA512 38e74198945a7d05edce739053418c9a300b46c8b5ce460b4b1657c85319f5b55551f97de5b1db12878ad5f289f6aa459be9b2b785101168ba155d8e56fa2181

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe

MD5 0489b6d5ae6fad72336cbb3a111b9bc4
SHA1 2ca8cd81a7965b190219c289db536c12f5a2fe2b
SHA256 04e1c33603caa9189f797274c789a84421e267f5323839c21583b9911610200a
SHA512 5eab7c3527751333227ebb2ac87476fa59e53af69625cb4af0687033ea5b189e534b1f85a0c505d7815e61a4a59fe35c5c42fa20271465530ceeb45a95301248

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe

MD5 0489b6d5ae6fad72336cbb3a111b9bc4
SHA1 2ca8cd81a7965b190219c289db536c12f5a2fe2b
SHA256 04e1c33603caa9189f797274c789a84421e267f5323839c21583b9911610200a
SHA512 5eab7c3527751333227ebb2ac87476fa59e53af69625cb4af0687033ea5b189e534b1f85a0c505d7815e61a4a59fe35c5c42fa20271465530ceeb45a95301248

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe

MD5 ae5b250ffb0d2a9ca9fcc270d9fc202a
SHA1 aec1190c5cc903f771746f1be9dc5b73743840c4
SHA256 5912811fc9fd1400d6d1f1db48cd18ffa19c9e2c2a2d76d1a49cb80350f43c01
SHA512 dba3d5ede1a3e82625452a499ef56d5a90a5c927d3822b2af467e3852ed061b9c32acf0fd30b942061ad2945221e3c3b00c049f5f738a2e552a638dc43205a46

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe

MD5 ae5b250ffb0d2a9ca9fcc270d9fc202a
SHA1 aec1190c5cc903f771746f1be9dc5b73743840c4
SHA256 5912811fc9fd1400d6d1f1db48cd18ffa19c9e2c2a2d76d1a49cb80350f43c01
SHA512 dba3d5ede1a3e82625452a499ef56d5a90a5c927d3822b2af467e3852ed061b9c32acf0fd30b942061ad2945221e3c3b00c049f5f738a2e552a638dc43205a46

memory/3264-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3264-40-0x00000000730D0000-0x0000000073880000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe

MD5 a59e94fb59115e83bf896b9f28f88ce5
SHA1 644f8222a1e7af573131e9db2045f48e0d6386a6
SHA256 85b44c0cad0dfd9da0d1da420e65d2a1336565574836041299624b749703533a
SHA512 e5f5698271c60ac856554921c9622258de92f79a46c60583bab8d55a35fb897fe56425d41d92658f19162be736b8f54a9aaf2f7c5494f98e119785251ed22b98

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe

MD5 a59e94fb59115e83bf896b9f28f88ce5
SHA1 644f8222a1e7af573131e9db2045f48e0d6386a6
SHA256 85b44c0cad0dfd9da0d1da420e65d2a1336565574836041299624b749703533a
SHA512 e5f5698271c60ac856554921c9622258de92f79a46c60583bab8d55a35fb897fe56425d41d92658f19162be736b8f54a9aaf2f7c5494f98e119785251ed22b98

memory/1120-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1120-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1120-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1120-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe

MD5 37115f3c0c1614a487f0d113597cb27f
SHA1 3ea7c535787769fd5e7ce87c9d7c1d9d92e53915
SHA256 275ea88dfa54c56c85812b9f0d9324a02ed6f82b6291dc933aee128382d94e5a
SHA512 81af23582e05793931acf382172d0f0b76793716f051e533985a2310a71d1f0c4950f21a75327574605d2d23038f184a60460d502c06779edb017b5ed3ffbe45

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe

MD5 37115f3c0c1614a487f0d113597cb27f
SHA1 3ea7c535787769fd5e7ce87c9d7c1d9d92e53915
SHA256 275ea88dfa54c56c85812b9f0d9324a02ed6f82b6291dc933aee128382d94e5a
SHA512 81af23582e05793931acf382172d0f0b76793716f051e533985a2310a71d1f0c4950f21a75327574605d2d23038f184a60460d502c06779edb017b5ed3ffbe45

memory/4452-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4452-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe

MD5 5ef335d8ec5c9b50adbc35a0895c19f0
SHA1 4c574dc5d646c42c7c507fdfe8c96ac42d653e90
SHA256 927dffce1baf35a6af33e8f645de335f9f53b2707b563438603cb7dd16c29844
SHA512 492adfdd9fe7c39ecc7dafb145b47f72915294270f4ac0dfedefecac67d55daec9c4f7b582539cf275e1ff1d6867aac9aa00bebf6845a3771bdf6c0e0cbff9b0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe

MD5 5ef335d8ec5c9b50adbc35a0895c19f0
SHA1 4c574dc5d646c42c7c507fdfe8c96ac42d653e90
SHA256 927dffce1baf35a6af33e8f645de335f9f53b2707b563438603cb7dd16c29844
SHA512 492adfdd9fe7c39ecc7dafb145b47f72915294270f4ac0dfedefecac67d55daec9c4f7b582539cf275e1ff1d6867aac9aa00bebf6845a3771bdf6c0e0cbff9b0

memory/4484-57-0x0000000000E70000-0x0000000000EA0000-memory.dmp

memory/4484-58-0x00000000730D0000-0x0000000073880000-memory.dmp

memory/4484-59-0x0000000005F50000-0x0000000006568000-memory.dmp

memory/4484-60-0x0000000005A40000-0x0000000005B4A000-memory.dmp

memory/4484-61-0x0000000005820000-0x0000000005830000-memory.dmp

memory/4484-62-0x0000000005950000-0x0000000005962000-memory.dmp

memory/4484-63-0x00000000059B0000-0x00000000059EC000-memory.dmp

memory/2288-64-0x0000000000400000-0x0000000000525000-memory.dmp

memory/3236-65-0x0000000000910000-0x0000000000926000-memory.dmp

memory/4452-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3264-69-0x00000000730D0000-0x0000000073880000-memory.dmp

memory/3264-71-0x00000000730D0000-0x0000000073880000-memory.dmp

memory/4484-72-0x00000000730D0000-0x0000000073880000-memory.dmp

memory/4484-73-0x0000000005820000-0x0000000005830000-memory.dmp