Malware Analysis Report

2025-03-15 01:43

Sample ID 230910-ka77esff9z
Target 42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762
SHA256 42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762

Threat Level: Known bad

The file 42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762 was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

SmokeLoader

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 08:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 08:24

Reported

2023-09-10 08:27

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4360 wrote to memory of 1864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe
PID 4360 wrote to memory of 1864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe
PID 4360 wrote to memory of 1864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe
PID 1864 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe
PID 1864 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe
PID 1864 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe
PID 2888 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe
PID 2888 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe
PID 2888 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe
PID 968 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe
PID 968 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe
PID 968 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe
PID 4296 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe
PID 4296 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe
PID 4296 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe
PID 3040 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3040 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3040 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3040 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3040 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3040 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3040 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3040 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4296 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe
PID 4296 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe
PID 4296 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe
PID 2452 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 968 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe
PID 968 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe
PID 968 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe
PID 768 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0340547.exe
PID 2888 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0340547.exe
PID 2888 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0340547.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe

"C:\Users\Admin\AppData\Local\Temp\42561a127e818edbcb0b5b44455b8b05e24e0a1b8575c8a252d7c622c0623762.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3148 -ip 3148

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 236

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3040 -ip 3040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2452 -ip 2452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1772 -ip 1772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 556

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0340547.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0340547.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp

Files

memory/4360-0-0x0000000000400000-0x0000000000526000-memory.dmp

memory/4360-1-0x0000000000400000-0x0000000000526000-memory.dmp

memory/4360-2-0x0000000000400000-0x0000000000526000-memory.dmp

memory/4360-3-0x0000000000400000-0x0000000000526000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe

MD5 13e17745debbbb7fe3c9ec0830f9d821
SHA1 155989256b198e0252ed8986c82346c370b80424
SHA256 aa0e4dcc6b7f6bf03ad70bff3cce351e6608983f2cd98c436fc46c999badc4f0
SHA512 4b024f1760533c0733473888e25f35665a80b0a8d1b95741a4fb7550dcbd93f537ca7376c629d820a4df0f16cde33835baa7a0139fa0da2987ea26d5f2e21e10

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3007147.exe

MD5 13e17745debbbb7fe3c9ec0830f9d821
SHA1 155989256b198e0252ed8986c82346c370b80424
SHA256 aa0e4dcc6b7f6bf03ad70bff3cce351e6608983f2cd98c436fc46c999badc4f0
SHA512 4b024f1760533c0733473888e25f35665a80b0a8d1b95741a4fb7550dcbd93f537ca7376c629d820a4df0f16cde33835baa7a0139fa0da2987ea26d5f2e21e10

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe

MD5 ad2e07eea9e51522855414b53ba64dc1
SHA1 32f6965ebf828c680960cacea4e1d3c949fe736f
SHA256 8a0b050a618ec654b9ab093bbd0b841d812bda055e5ed35df813aef720206cfa
SHA512 67155b5628c48d08e2a10ee8a13b8e824bbe1f80192053eff35939c1b6a5b15c00c1d5fde0f33d7fec56e5f803d30fd263f3da109cdffd48a23bc81ea86d525d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1228102.exe

MD5 ad2e07eea9e51522855414b53ba64dc1
SHA1 32f6965ebf828c680960cacea4e1d3c949fe736f
SHA256 8a0b050a618ec654b9ab093bbd0b841d812bda055e5ed35df813aef720206cfa
SHA512 67155b5628c48d08e2a10ee8a13b8e824bbe1f80192053eff35939c1b6a5b15c00c1d5fde0f33d7fec56e5f803d30fd263f3da109cdffd48a23bc81ea86d525d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe

MD5 bd8013eacd7a0b8e1a0324677c7498b8
SHA1 776905eb8b061b1e6ea5f28752905a5af7f88b03
SHA256 cd518a4a96143136b3af4ca503cf72b1eae0fc8b69c352d1679437d5f0f63070
SHA512 f42c5ed4290902fbd530a3bb9ac83e941e2c4476ce41880e0bc49f86b3b70937f10d3c9d7c3ed19c732ac8b458691c826d1308e01dd3987f87a7b52292de6b24

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5515168.exe

MD5 bd8013eacd7a0b8e1a0324677c7498b8
SHA1 776905eb8b061b1e6ea5f28752905a5af7f88b03
SHA256 cd518a4a96143136b3af4ca503cf72b1eae0fc8b69c352d1679437d5f0f63070
SHA512 f42c5ed4290902fbd530a3bb9ac83e941e2c4476ce41880e0bc49f86b3b70937f10d3c9d7c3ed19c732ac8b458691c826d1308e01dd3987f87a7b52292de6b24

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe

MD5 4ca45cbf8be0dd7005a461de8d8573e4
SHA1 b19b5aeb6cf70bf93362553d3a484bdc06c453a1
SHA256 748320352439cd7892b931c195d09583133c59edfdc2cea4b8e966334b3cfa75
SHA512 a757206c8599058df42e4eb942d9b63d32df1d41c41c071927d1daa94a9ec93018a268ac907693a8e76e10995869bca54763cacb5fd0c6c58e0902ae6fa33f13

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7957880.exe

MD5 4ca45cbf8be0dd7005a461de8d8573e4
SHA1 b19b5aeb6cf70bf93362553d3a484bdc06c453a1
SHA256 748320352439cd7892b931c195d09583133c59edfdc2cea4b8e966334b3cfa75
SHA512 a757206c8599058df42e4eb942d9b63d32df1d41c41c071927d1daa94a9ec93018a268ac907693a8e76e10995869bca54763cacb5fd0c6c58e0902ae6fa33f13

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe

MD5 fd4d72a24e61c864f3962fc38a145f3c
SHA1 05291ffc451af7805863d8d8232085c017257054
SHA256 7ad7e0ddd757523249c498038d9b23f4ddc46653720faa9dd79a4fa57c7ab292
SHA512 7aedd0a764856f27a99b5e24be8f3d3a2f6c52c4ad3a3b4831155b26cdd0e0b6c13a1eee90997b9ed52f4c5bbdfebe5e8d71999ce92162afcff7f5ba258f228a

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8472458.exe

MD5 fd4d72a24e61c864f3962fc38a145f3c
SHA1 05291ffc451af7805863d8d8232085c017257054
SHA256 7ad7e0ddd757523249c498038d9b23f4ddc46653720faa9dd79a4fa57c7ab292
SHA512 7aedd0a764856f27a99b5e24be8f3d3a2f6c52c4ad3a3b4831155b26cdd0e0b6c13a1eee90997b9ed52f4c5bbdfebe5e8d71999ce92162afcff7f5ba258f228a

memory/4340-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4340-40-0x00000000735B0000-0x0000000073D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe

MD5 46d6a911b1d36f62888e3eb832c25869
SHA1 3f316b710f2dee9a7a963777b16506ef8c764d20
SHA256 e719d3c4caf90950717e150c8725fdc8efd16ab89cba1bbacaf3f95804bbab54
SHA512 3cb5c3396c7b757148676101c0e12fa4c1b0f5fc65f48187be127c92ff17deb247af268fe4fa68e0421a5d13810819a9dff85e4e6eda5b2ae7f040587a4e8829

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7076773.exe

MD5 46d6a911b1d36f62888e3eb832c25869
SHA1 3f316b710f2dee9a7a963777b16506ef8c764d20
SHA256 e719d3c4caf90950717e150c8725fdc8efd16ab89cba1bbacaf3f95804bbab54
SHA512 3cb5c3396c7b757148676101c0e12fa4c1b0f5fc65f48187be127c92ff17deb247af268fe4fa68e0421a5d13810819a9dff85e4e6eda5b2ae7f040587a4e8829

memory/1772-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1772-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1772-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1772-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe

MD5 1f0df6bdd30acf5b9f316b91e2defa53
SHA1 21ec019c2e00084fbb056d60cf19bb28f62403d3
SHA256 e01d80466692c34ada8c00047ae16bbf6740cbe3e0459ebb4b1f8d319f2729b4
SHA512 0b633aaf4b100aadd571ead27486f78a27fa22fc7dd7d2317fa516103fd92f81ee6fc4c18b451dd400b12756ff9be63441a22f2fe94a6d127235484d596e99a4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7063354.exe

MD5 1f0df6bdd30acf5b9f316b91e2defa53
SHA1 21ec019c2e00084fbb056d60cf19bb28f62403d3
SHA256 e01d80466692c34ada8c00047ae16bbf6740cbe3e0459ebb4b1f8d319f2729b4
SHA512 0b633aaf4b100aadd571ead27486f78a27fa22fc7dd7d2317fa516103fd92f81ee6fc4c18b451dd400b12756ff9be63441a22f2fe94a6d127235484d596e99a4

memory/3116-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3116-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0340547.exe

MD5 a84608fba19ac34a5587b1e2fea7bf8e
SHA1 69eeb1e21be4c7fc41868dd1c43c7a2e3286ef61
SHA256 e2c6423d9dacebf490d1eb264b4f5850d9275ebdf101835d110dc3aab8496b7c
SHA512 c3ebd9eba16e644fce47e5c8d984bc789d80ee4e5cfbbe3350cf457273152c97f116bc35ed6c438615fea2ded0fd1217dc5e8e43958cffc10a5b5c1c390b6cb0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0340547.exe

MD5 a84608fba19ac34a5587b1e2fea7bf8e
SHA1 69eeb1e21be4c7fc41868dd1c43c7a2e3286ef61
SHA256 e2c6423d9dacebf490d1eb264b4f5850d9275ebdf101835d110dc3aab8496b7c
SHA512 c3ebd9eba16e644fce47e5c8d984bc789d80ee4e5cfbbe3350cf457273152c97f116bc35ed6c438615fea2ded0fd1217dc5e8e43958cffc10a5b5c1c390b6cb0

memory/4380-57-0x0000000000570000-0x00000000005A0000-memory.dmp

memory/4380-58-0x00000000735B0000-0x0000000073D60000-memory.dmp

memory/4380-59-0x0000000005670000-0x0000000005C88000-memory.dmp

memory/4380-60-0x0000000005160000-0x000000000526A000-memory.dmp

memory/4380-61-0x0000000005050000-0x0000000005062000-memory.dmp

memory/4380-62-0x0000000004F40000-0x0000000004F50000-memory.dmp

memory/4380-63-0x00000000050B0000-0x00000000050EC000-memory.dmp

memory/4360-64-0x0000000000400000-0x0000000000526000-memory.dmp

memory/3176-65-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

memory/3116-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4340-69-0x00000000735B0000-0x0000000073D60000-memory.dmp

memory/4340-71-0x00000000735B0000-0x0000000073D60000-memory.dmp

memory/4380-72-0x00000000735B0000-0x0000000073D60000-memory.dmp

memory/4380-73-0x0000000004F40000-0x0000000004F50000-memory.dmp