Analysis Overview
SHA256
a2f28321fe155d154fee2fa53c6116b193e1c908ea0ae3aa7157ea739f38861d
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
SmokeLoader
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 09:06
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 09:06
Reported
2023-09-10 09:08
Platform
win7-20230831-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1152 set thread context of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 200
Network
Files
memory/1896-0-0x0000000000400000-0x0000000000525000-memory.dmp
memory/1896-1-0x0000000000400000-0x0000000000525000-memory.dmp
memory/1896-2-0x0000000000400000-0x0000000000525000-memory.dmp
memory/1896-4-0x0000000000400000-0x0000000000525000-memory.dmp
memory/1896-3-0x0000000000400000-0x0000000000525000-memory.dmp
memory/1896-5-0x0000000000400000-0x0000000000525000-memory.dmp
memory/1896-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1896-7-0x0000000000400000-0x0000000000525000-memory.dmp
memory/1896-9-0x0000000000400000-0x0000000000525000-memory.dmp
memory/1896-11-0x0000000000400000-0x0000000000525000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-10 09:06
Reported
2023-09-10 09:08
Platform
win10v2004-20230831-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
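The registry writes above are the Healer component's attempt to switch off Defender real-time protection through the policy keys. Note the path: the sample runs as a 32-bit process (the `Framework\v4.0.30319` AppLaunch.exe, not `Framework64`), so on the 64-bit win10 host the writes were redirected into the WOW6432Node view rather than the native `HKLM\SOFTWARE\Policies` key that the 64-bit Defender service reads. The following PowerShell is an added host check and not part of the sandbox report; it audits both views for the five values the sample sets and compares the result with the live engine state. The value and key names are copied from the table above; nothing else is assumed.

```powershell
# Added example, not part of the sandbox report: audit the Defender Real-Time
# Protection policy values this sample writes. The sample ran as a 32-bit process,
# so the writes were redirected into the WOW6432Node view; a 64-bit host
# therefore needs both views checked.

$valueNames = @(
    'DisableIOAVProtection',
    'DisableOnAccessProtection',
    'DisableRealtimeMonitoring',
    'DisableScanOnRealtimeEnable',
    'DisableBehaviorMonitoring'
)

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection'
)

function Get-DefenderPolicyTamper {
    foreach ($key in $policyKeys) {
        # The sample creates this key itself ("Key created" above); absence is a clean result.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $valueNames) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -ne $prop -and [int]$prop.Value -eq 1) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $prop.Value }
            }
        }
    }
}

$findings = @(Get-DefenderPolicyTamper)
if ($findings.Count -eq 0) {
    Write-Output 'No Real-Time Protection policy overrides in either registry view.'
} else {
    $findings | Format-Table -AutoSize
}

# Live engine state for comparison. If the overrides exist only under WOW6432Node,
# the 64-bit Defender service may still report protection enabled; treat the
# registry hits as the indicator either way.
Get-MpComputerStatus |
    Select-Object RealTimeProtectionEnabled, IoavProtectionEnabled,
                  OnAccessProtectionEnabled, BehaviorMonitorEnabled, IsTamperProtected |
    Format-List
```

Run it from an elevated prompt on the suspect host. A hit in the native view with `RealTimeProtectionEnabled` false is a successful disable; a hit only under WOW6432Node is still evidence that this chain executed, and on hosts where `IsTamperProtected` is true Defender rejects this class of change regardless of the view written.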
RedLine
SmokeLoader
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wivdter | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2000 set thread context of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 5048 set thread context of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1232 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2352 set thread context of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
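Each `SetThreadContext` row above is the same pattern: a dropped executable starts the .NET host `AppLaunch.exe` with an empty command line (see the Processes list below) and then rewrites the suspended child, which is why the memory dumps for the AppLaunch PIDs start at the image base `0x400000`. The following PowerShell is an added hunt and not part of the report: it walks Security-log process creation events (4688) for that spawn pattern. It assumes "Audit Process Creation" with command-line inclusion is enabled on the host, which the report does not state; the `$Days` parameter and the user-profile parent filter are the example's own choices.

```powershell
# Added example, not from the report: hunt Security-log process creation events
# (4688) for the hollowing pattern recorded above, where a binary under a user
# profile starts AppLaunch.exe with no arguments and then rewrites it. Assumes
# "Audit Process Creation" with command-line inclusion is enabled (not stated by
# the report) and looks back $Days days.
function Find-AppLaunchHollowingCandidates {
    param([int]$Days = 7)

    $filter   = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    $userRoot = Join-Path $env:SystemDrive 'Users'

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten EventData into a name -> value table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        $isAppLaunch     = $data['NewProcessName'] -like '*\Microsoft.NET\Framework*\AppLaunch.exe'
        $parentInProfile = $data['ParentProcessName'] -like "$userRoot\*"
        # Legitimate AppLaunch.exe invocations carry arguments; the sample's do not.
        $noArgs = (($data['CommandLine'] -replace '"', '').Trim()) -eq $data['NewProcessName']

        if ($isAppLaunch -and $parentInProfile -and $noArgs) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $data['ParentProcessName']
                NewPid      = $data['NewProcessId']   # hex string in 4688, e.g. 0x300 for PID 768
                CommandLine = $data['CommandLine']
            }
        }
    }
}

Find-AppLaunchHollowingCandidates -Days 7 | Format-Table -AutoSize
```

4688 only sees the spawn; the `WriteProcessMemory` and `SetThreadContext` steps themselves are visible only through Sysmon ProcessAccess events (ID 10) or an EDR, so use the hit list from this hunt to decide which hosts deserve that deeper look.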
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2000 -ip 2000
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 236
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5048 -ip 5048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 572
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1232 -ip 1232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2012 -ip 2012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 184
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2352 -ip 2352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 552
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe
C:\Users\Admin\AppData\Roaming\wivdter
C:\Users\Admin\AppData\Roaming\wivdter
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.124.231:80 | N/A | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.124.231:80 | N/A | tcp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| FI | 77.91.124.82:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | N/A | tcp |
Files
memory/768-0-0x0000000000400000-0x0000000000525000-memory.dmp
memory/768-1-0x0000000000400000-0x0000000000525000-memory.dmp
memory/768-2-0x0000000000400000-0x0000000000525000-memory.dmp
memory/768-3-0x0000000000400000-0x0000000000525000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3557447.exe
| MD5 | bafb2d8450df47c7e24c29c4c09a89f6 |
| SHA1 | 3e1f5226c10b89868f2ba02765d216c77b05a2e7 |
| SHA256 | 5423bbfb958e1e1f63e71258dcb4627f8c032b52bc041031836963dd91438761 |
| SHA512 | 646d9b6b8884a4122bbe1dcb19203214114c91dbf8fecb4f701ef1e34c3592df2a75eaa5c7c3f9b70a6aa0dd9cef4990d37424168f93c09e2e52b07740f9b4fa |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1585555.exe
| MD5 | c9e6cadf3478906f3f8fd3a457955b84 |
| SHA1 | e0b931c456ff10556a35057b42a664b6c339606e |
| SHA256 | 182fdde752aff01648128a5fffb0bd56bd5ccbe3c091f466129f90fde7694cab |
| SHA512 | 39046dd1b7c55de8772e5942fcb1463d715c33d7008b7e79579f935a34b36dd65745d9d68a5bfc15b53cb2ed9894aaba9b787758a1a68800239df704c6408b18 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0139340.exe
| MD5 | c768f7d41a7dea0ec447894dd1923286 |
| SHA1 | 66d98aab3cb17657fd6b0adef818df95ad7d084c |
| SHA256 | b3d5058d30bdefc609434282b4f4ee7bf02fcb4df0e478d28207b3bac3327390 |
| SHA512 | 38e74198945a7d05edce739053418c9a300b46c8b5ce460b4b1657c85319f5b55551f97de5b1db12878ad5f289f6aa459be9b2b785101168ba155d8e56fa2181 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2419279.exe
| MD5 | 0489b6d5ae6fad72336cbb3a111b9bc4 |
| SHA1 | 2ca8cd81a7965b190219c289db536c12f5a2fe2b |
| SHA256 | 04e1c33603caa9189f797274c789a84421e267f5323839c21583b9911610200a |
| SHA512 | 5eab7c3527751333227ebb2ac87476fa59e53af69625cb4af0687033ea5b189e534b1f85a0c505d7815e61a4a59fe35c5c42fa20271465530ceeb45a95301248 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8274425.exe
| MD5 | ae5b250ffb0d2a9ca9fcc270d9fc202a |
| SHA1 | aec1190c5cc903f771746f1be9dc5b73743840c4 |
| SHA256 | 5912811fc9fd1400d6d1f1db48cd18ffa19c9e2c2a2d76d1a49cb80350f43c01 |
| SHA512 | dba3d5ede1a3e82625452a499ef56d5a90a5c927d3822b2af467e3852ed061b9c32acf0fd30b942061ad2945221e3c3b00c049f5f738a2e552a638dc43205a46 |
memory/4832-39-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4832-40-0x00000000734B0000-0x0000000073C60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5407173.exe
| MD5 | a59e94fb59115e83bf896b9f28f88ce5 |
| SHA1 | 644f8222a1e7af573131e9db2045f48e0d6386a6 |
| SHA256 | 85b44c0cad0dfd9da0d1da420e65d2a1336565574836041299624b749703533a |
| SHA512 | e5f5698271c60ac856554921c9622258de92f79a46c60583bab8d55a35fb897fe56425d41d92658f19162be736b8f54a9aaf2f7c5494f98e119785251ed22b98 |
memory/2012-44-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2012-45-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2012-46-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2012-48-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0683978.exe
| MD5 | 37115f3c0c1614a487f0d113597cb27f |
| SHA1 | 3ea7c535787769fd5e7ce87c9d7c1d9d92e53915 |
| SHA256 | 275ea88dfa54c56c85812b9f0d9324a02ed6f82b6291dc933aee128382d94e5a |
| SHA512 | 81af23582e05793931acf382172d0f0b76793716f051e533985a2310a71d1f0c4950f21a75327574605d2d23038f184a60460d502c06779edb017b5ed3ffbe45 |
memory/4280-52-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4280-53-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7015979.exe
| MD5 | 5ef335d8ec5c9b50adbc35a0895c19f0 |
| SHA1 | 4c574dc5d646c42c7c507fdfe8c96ac42d653e90 |
| SHA256 | 927dffce1baf35a6af33e8f645de335f9f53b2707b563438603cb7dd16c29844 |
| SHA512 | 492adfdd9fe7c39ecc7dafb145b47f72915294270f4ac0dfedefecac67d55daec9c4f7b582539cf275e1ff1d6867aac9aa00bebf6845a3771bdf6c0e0cbff9b0 |
memory/1872-57-0x00000000000A0000-0x00000000000D0000-memory.dmp
memory/1872-58-0x00000000734B0000-0x0000000073C60000-memory.dmp
memory/1872-59-0x0000000005010000-0x0000000005628000-memory.dmp
memory/1872-60-0x0000000004B00000-0x0000000004C0A000-memory.dmp
memory/1872-62-0x00000000048A0000-0x00000000048B0000-memory.dmp
memory/1872-61-0x0000000004A30000-0x0000000004A42000-memory.dmp
memory/1872-63-0x0000000004A90000-0x0000000004ACC000-memory.dmp
memory/768-64-0x0000000000400000-0x0000000000525000-memory.dmp
memory/3192-65-0x0000000002AF0000-0x0000000002B06000-memory.dmp
memory/4280-66-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4832-69-0x00000000734B0000-0x0000000073C60000-memory.dmp
memory/4832-71-0x00000000734B0000-0x0000000073C60000-memory.dmp
memory/1872-72-0x00000000734B0000-0x0000000073C60000-memory.dmp
memory/1872-73-0x00000000048A0000-0x00000000048B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\wivdter
| MD5 | 89d41e1cf478a3d3c2c701a27a5692b2 |
| SHA1 | 691e20583ef80cb9a2fd3258560e7f02481d12fd |
| SHA256 | dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac |
| SHA512 | 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc |
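The dropped files, the `RunOnce` entries and the network endpoints above are the artifacts a responder would sweep other hosts for. Two caveats before using them: the `wextract_cleanupN` values under `RunOnce` are written by the Windows IExpress/wextract self-extractor to delete its `IXP00n.TMP` folder at next logon, so they mark that this nested-SFX chain ran rather than persisting the payload; and the report flags "Uses Task Scheduler COM API" without naming the task, so any scheduled-task hunt is a heuristic. The PowerShell below is an added sweep and not part of the report. The SHA256 values, paths and endpoints are copied from the sections above; the `AppData` filter for task actions is the example's own assumption.

```powershell
# Added example, not part of the report: sweep a host for the artifacts listed
# above. Hashes, paths and endpoints come from the report; the task filter is
# an assumption because the report does not name the task the sample created.

$knownSha256 = @{
    'a2f28321fe155d154fee2fa53c6116b193e1c908ea0ae3aa7157ea739f38861d' = 'file.exe'
    '5423bbfb958e1e1f63e71258dcb4627f8c032b52bc041031836963dd91438761' = 'v3557447.exe'
    '182fdde752aff01648128a5fffb0bd56bd5ccbe3c091f466129f90fde7694cab' = 'v1585555.exe'
    'b3d5058d30bdefc609434282b4f4ee7bf02fcb4df0e478d28207b3bac3327390' = 'v0139340.exe'
    '04e1c33603caa9189f797274c789a84421e267f5323839c21583b9911610200a' = 'v2419279.exe'
    '5912811fc9fd1400d6d1f1db48cd18ffa19c9e2c2a2d76d1a49cb80350f43c01' = 'a8274425.exe'
    '85b44c0cad0dfd9da0d1da420e65d2a1336565574836041299624b749703533a' = 'b5407173.exe'
    '275ea88dfa54c56c85812b9f0d9324a02ed6f82b6291dc933aee128382d94e5a' = 'c0683978.exe'
    '927dffce1baf35a6af33e8f645de335f9f53b2707b563438603cb7dd16c29844' = 'd7015979.exe'
    'dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac' = 'wivdter'
}

# Endpoints from the Network table; the report does not say which family used which.
$c2Endpoints = @('77.91.124.82:19071', '77.91.68.29:80', '77.91.124.231:80')

function Find-DroppedFiles {
    # The dropper unpacks into nested IXP00n.TMP folders under %TEMP%; the final
    # stage is written to %APPDATA%\wivdter with no extension.
    Get-ChildItem -Path $env:TEMP, $env:APPDATA -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -match 'IXP\d{3}\.TMP$' -or $_.Name -eq 'wivdter' } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
            [pscustomobject]@{
                Path   = $_.FullName
                SHA256 = $hash
                Known  = if ($knownSha256.ContainsKey($hash)) { $knownSha256[$hash] } else { '' }
            }
        }
}

function Find-WextractCleanupEntries {
    # wextract_cleanupN values are the IExpress extractor's own cleanup of its temp
    # folder, not payload persistence, but they show this SFX chain executed here.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($hive in $hives) {
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        (Get-ItemProperty -LiteralPath $hive).PSObject.Properties |
            Where-Object { $_.Name -like 'wextract_cleanup*' } |
            ForEach-Object { [pscustomobject]@{ Key = $hive; Name = $_.Name; Command = $_.Value } }
    }
}

function Find-ProfileScheduledTasks {
    # Heuristic (assumption): non-Microsoft tasks whose action runs something from
    # a user profile, since the report flags Task Scheduler use but not the task name.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute -match 'AppData' -or $_.Arguments -match 'AppData' } |
            ForEach-Object {
                [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath
                                   Execute = $_.Execute; Arguments = $_.Arguments }
            }
    }
}

Find-DroppedFiles            | Format-Table -AutoSize
Find-WextractCleanupEntries  | Format-Table -AutoSize
Find-ProfileScheduledTasks   | Format-Table -AutoSize
Write-Output 'Search proxy and firewall logs for:'
$c2Endpoints
```

Run it in the context of the affected user (so `%APPDATA%` resolves to their profile) and again elevated for the HKLM hives. A `wivdter` file whose hash matches the table is the clearest host-level confirmation; the `77.91.124.82:19071` endpoint saw repeated connections during detonation and is the first one to pivot on in network logs.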