Malware Analysis Report

2025-03-15 01:41

Sample ID 230910-knpx1afg9w
Target 01a6290e41d10f5be128fd9b7a1441ef83b9e7dd2451dd45fa8d76d3b217cf0e
SHA256 01a6290e41d10f5be128fd9b7a1441ef83b9e7dd2451dd45fa8d76d3b217cf0e
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01a6290e41d10f5be128fd9b7a1441ef83b9e7dd2451dd45fa8d76d3b217cf0e

Threat Level: Known bad

The file 01a6290e41d10f5be128fd9b7a1441ef83b9e7dd2451dd45fa8d76d3b217cf0e was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

SmokeLoader

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 08:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 08:45

Reported

2023-09-10 08:47

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01a6290e41d10f5be128fd9b7a1441ef83b9e7dd2451dd45fa8d76d3b217cf0e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2600722.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2371787.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9126994.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1580636.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A 5
N/A N/A N/A N/A 59

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4548 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\01a6290e41d10f5be128fd9b7a1441ef83b9e7dd2451dd45fa8d76d3b217cf0e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 3
PID 4548 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\01a6290e41d10f5be128fd9b7a1441ef83b9e7dd2451dd45fa8d76d3b217cf0e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 10
PID 4932 wrote to memory of 4944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9126994.exe 3
PID 4944 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9126994.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1580636.exe 3
PID 3892 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1580636.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2600722.exe 3
PID 1800 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2600722.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2371787.exe 3
PID 216 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2371787.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8671603.exe 3
PID 4764 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8671603.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 8
PID 216 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2371787.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1960215.exe 3
PID 3756 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1960215.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 10
PID 1800 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2600722.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6141387.exe 3
PID 4968 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6141387.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 6
PID 3892 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1580636.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d5523549.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\01a6290e41d10f5be128fd9b7a1441ef83b9e7dd2451dd45fa8d76d3b217cf0e.exe

"C:\Users\Admin\AppData\Local\Temp\01a6290e41d10f5be128fd9b7a1441ef83b9e7dd2451dd45fa8d76d3b217cf0e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4548 -ip 4548

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9126994.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9126994.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1580636.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1580636.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2600722.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2600722.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2371787.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2371787.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8671603.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8671603.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1960215.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1960215.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3756 -ip 3756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6141387.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6141387.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4968 -ip 4968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d5523549.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d5523549.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp 1
US 8.8.8.8:53 g.bing.com udp 1
US 204.79.197.200:443 g.bing.com tcp 1
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp 1
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp 1
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
FI 77.91.124.82:19071 N/A tcp 6
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp 1
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp 1
FI 77.91.68.29:80 77.91.68.29 tcp 2
FI 77.91.124.231:80 N/A tcp 2
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp 1
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp 1

Files

memory/4932-0-0x0000000000400000-0x0000000000525000-memory.dmp

memory/4932-1-0x0000000000400000-0x0000000000525000-memory.dmp

memory/4932-2-0x0000000000400000-0x0000000000525000-memory.dmp

memory/4932-3-0x0000000000400000-0x0000000000525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9126994.exe

MD5 5c7d89eca2a9ccb3ec8c2cc18004adb4
SHA1 bbc32c9ee000f8252390661929baf88d5c20a304
SHA256 4393d1f859dcff49adf7eef5fd4bb9c906b50fb8d5c8b8869b9d833fdb7b4f2a
SHA512 933d19c0a79d681eb69f4efdd0ea5ebdb3caddec35818a71756110c7ad86817873608b880c83fd99ca4305d6312b93d9714f8a0b1d6a9a32c0d30808750c8983

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1580636.exe

MD5 d1cc84f216b78927c2dba1af950b87fd
SHA1 6580df72a065ca17e09fd5da8671249fc7d675bf
SHA256 a96c40349b7e1d54807b361c6a23c02cb35cff492f1425773fe8f3a759cd5d70
SHA512 047b5b392cb063008d204d572c9ab7deef4c51aad8ad1b6dd71027174da5bb26c58441365f9f090df03755b5448b2854a1053d2dc4d2960730f18af2398ee024

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2600722.exe

MD5 690daee9c107d404910f79699237104f
SHA1 4ebb592525fb664b7e654aade6c30040075eb6b0
SHA256 674d14a13520fde987c6315ea1da8a5b5fc14bbcfcc1f1d7256f3b6c4f68ff8e
SHA512 052196fbc52fac485beaa1a02d080f8c80016b8c7ca6e4e7a4a80e3a774ef07f9b0d287243f4b10455f37192ac2d21f558a68031030a5952eb006cd0161382eb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2371787.exe

MD5 b7d7bd401a2260b7de81dff5b585d16a
SHA1 da67e7453718e853bdf8bac67464d0507e10dd38
SHA256 397ca9f879ee1d55f45c639a5983f57cbf4b467605874c2f65bcabb597e04dd7
SHA512 73cc571580d9fa9f04b3705fe8e52056309d4068980acdb86692bf8a2e5a9e69e5a1dbe422d886cded281252b9b63b1858a02e89fafdf0a7a6c279f558c815cd

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8671603.exe

MD5 8192d1777dd46298a5fe484a52fec298
SHA1 9a2052a5495b076417fe51182fa2a7793be7c3b5
SHA256 4b9a0f14a191a096f8aef6fa4aa4a3142acbe28e8dc716a2921f3457eb3a4759
SHA512 c7818ed6b2127d71d2ee4124dc4600f75c4e2ca0ae4ad0ae55ddb7a91aaa92d22b0be2b1982ae5fe7e94e4c136bacca25f1c0bd261e87ca9b9180e2ac6a68b31

memory/1432-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1432-40-0x00000000730D0000-0x0000000073880000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1960215.exe

MD5 f7a9dfef615850052d6eb45f763042df
SHA1 df42cdb6da420f3f1ca977a7f7a0f3922360060e
SHA256 a582b5d067d43cf9d59fa26c759dc192e3cf37eb1e7307cc584200296bc2f08e
SHA512 dc2e573807c6037bef135c7c0e8e5898604ab6e4751c408d6a26b50722d6c81a235e95ccc28a4c28a58374102d373bb457389e2857663552a709070f86c1ebcb

memory/4728-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4728-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4728-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4728-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6141387.exe

MD5 5cee52ab566c354de76b27caee508775
SHA1 69c74968f498e438bb312e79d726dc1b448f6b2d
SHA256 f4c5006114c01ff5acf23c80ba6ef08a239008e5eadb20a265a8eea4ab8bbd56
SHA512 09d7a80401f988bd92ae41fe2370b80f8532ce1d88a73f38ebc3e05747d3ed427c886befc8c42b1fbaa9e0750bb764143d7645322f5580e28398089a84a90658

memory/2424-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2424-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d5523549.exe

MD5 cb8fab95cad95461fa7d3f942c406b40
SHA1 4f9bfec60606a8c808283e418f00cccd26347693
SHA256 25a19cdb582f0a08ef54a7ce3ec611f8f59ed80a15d9d0d4868f52a360ec0bd6
SHA512 5cb9d06b9c9f04424f3f8685db7778a666106f72ff2bbe0e811c51c116360dbd2e4aa858978145bfd79a09aa636ce742b78e0816b40ee51a3c72ab9be78513ec

memory/2168-57-0x0000000000250000-0x0000000000280000-memory.dmp

memory/2168-58-0x00000000730D0000-0x0000000073880000-memory.dmp

memory/2168-59-0x00000000052F0000-0x0000000005908000-memory.dmp

memory/2168-60-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

memory/2168-62-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/2168-61-0x0000000002580000-0x0000000002592000-memory.dmp

memory/2168-63-0x0000000004C30000-0x0000000004C6C000-memory.dmp

memory/4932-64-0x0000000000400000-0x0000000000525000-memory.dmp

memory/3200-65-0x00000000009D0000-0x00000000009E6000-memory.dmp

memory/2424-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1432-69-0x00000000730D0000-0x0000000073880000-memory.dmp

memory/1432-71-0x00000000730D0000-0x0000000073880000-memory.dmp

memory/2168-72-0x00000000730D0000-0x0000000073880000-memory.dmp

memory/2168-73-0x0000000004CC0000-0x0000000004CD0000-memory.dmp