Malware Analysis Report

2025-03-15 01:43

Sample ID 230910-lzv4tsgb7x
Target 42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac
SHA256 42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac

Threat Level: Known bad

The file 42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

SmokeLoader

Healer

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 09:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 09:58

Reported

2023-09-10 10:01

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2097615.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2444 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2444 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2444 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2444 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2444 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2444 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2444 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2444 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2444 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 4768 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2097615.exe
PID 2636 wrote to memory of 4768 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2097615.exe
PID 2636 wrote to memory of 4768 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2097615.exe
PID 4768 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2097615.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe
PID 4768 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2097615.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe
PID 4768 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2097615.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe
PID 1444 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe
PID 1444 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe
PID 1444 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe
PID 3704 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe
PID 3704 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe
PID 3704 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe
PID 1896 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe
PID 1896 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe
PID 1896 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe
PID 2716 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2716 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2716 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2716 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2716 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2716 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2716 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2716 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1896 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe
PID 1896 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe
PID 1896 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe
PID 3928 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3928 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3928 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3928 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3928 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3928 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3928 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3928 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3928 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3928 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3704 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe
PID 3704 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe
PID 3704 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe
PID 576 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 576 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 576 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 576 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 576 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 576 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 576 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 576 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 576 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1444 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1172177.exe
PID 1444 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1172177.exe
PID 1444 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1172177.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe

"C:\Users\Admin\AppData\Local\Temp\42b7976198b602e32c9f97f1a18e30e4bb6e834f63d348a1ea6e6b29cf4487ac.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2444 -ip 2444

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2097615.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2097615.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 240

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2716 -ip 2716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 136

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3928 -ip 3928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1236 -ip 1236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 560

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 576 -ip 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 136

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1172177.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1172177.exe

C:\Users\Admin\AppData\Roaming\rebhuha

C:\Users\Admin\AppData\Roaming\rebhuha

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/2636-0-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2636-1-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2636-2-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2636-3-0x0000000000400000-0x0000000000525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2097615.exe

MD5 bb09831f2f1ccf36813732f901db2ef4
SHA1 e866d88baed0ece2906b437159d2028d925111cb
SHA256 d2a4893400deeceefaee217e77086cf2f76e8ff027576de39b41770b1144a8f8
SHA512 3e68a10a7631168b4f497de2066111e91bd9b9ef09b0099c83877383b1109b81e031b81afabc66d3ff9682d0a3a799610530ef0990158576854d606e61410b6f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8822746.exe

MD5 9f79f9c6eed2c9ec259c827a6d6574ad
SHA1 66753f423df7205d13fa64b1e90fe3f5bec9c966
SHA256 c319bed6c301742b5dc775e65d056a855658c0c24a426a4c6f98e4db34acf6e2
SHA512 0c3483b4e55c765076385b04661578b5351a6256a95e534b93a02de839a8a21c56f911e2f29c5ea00f123ebec9948d28a0eea6f036eca92299a8e14db2210b66

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1573332.exe

MD5 d40965e8324acb8174837fe176b6e7d6
SHA1 4bd8158b29115923e5409500eb108138e1143621
SHA256 062acdca60faabc1f286fc40ed05d071157cc2d558ec18d5f110d21a844185dd
SHA512 4ef0229ce789b7c5d5d56ca662376d980acf86ae8b648013b419e41f296ae4a0bdfb7e4d0ad9a17acad5771aaed0b8bdd33c292f191aa05eb9b34e7678c17d9f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2743780.exe

MD5 5c010762367422fd79c827fb8a5d66ce
SHA1 3cbac973b1d3c6caf0faa3f073c83128d787667d
SHA256 e55f92db99d854d6157937cfc8918858360d960cce0514dc7c6a7cb4432f7e92
SHA512 8c354c0f3e25c511c8fbddd65549a1dc1a753359f8ff83907a66d545d60411a822f87b102434d54eb008c606e77c5d95e8bfbd7a151b24fe55a83b25319a055b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4054441.exe

MD5 8b7811f76d46910d3789a8036675adec
SHA1 c16ea0c893f0d377c18d322a251d2b5f944d1d0b
SHA256 03f9ae7cdb453dbb32a3c137cc30d042820ee65f27892defb0acb15157b68587
SHA512 9ae8469c1c79e1ae62d0830e50f1ccf757c9bd1b0db52a61004a420d0001f6379c83418786658aecde9a53cf8058d8692ba35b122b169922aa042e5dffdb89ba

memory/4004-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4004-40-0x00000000732A0000-0x0000000073A50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3162577.exe

MD5 81e0a1f005558a71d735acb91f951c08
SHA1 82e77f3c509e742af7e9becc0790be98d709ab43
SHA256 3568ae0f173360ed7f59139029b0b8c59001f04ad65ebe874d6f609d7b897e41
SHA512 ece8bef32ccd21129cb63513c7a9a89e7da28406e711f2b384733f7f7a2fcdeb5ff348a05f96ef954cae322eb3683d875b8540b6967503f2eaee517de2b9c565

memory/1236-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1236-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1236-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1236-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9954102.exe

MD5 6f7c482838d0aad314c2d6812d6f0389
SHA1 19b239e2420b0e3953d266c6ebdb351f52f8b1c1
SHA256 c6ecbe23f66f64582238d71f33f9f4c971067d6f716e836efdeed0355a62e8aa
SHA512 e24c88b7373de9264cf91b3e71a3493b78e8db9f8718f3888f86eb3c02aeb4c8c50e1817212b3328ae6306e8c75173eb7ac4a38164e9f2a16f50274340478de7

memory/4512-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4512-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1172177.exe

MD5 1316410cafac9411b6e5a6c2ad8a87f7
SHA1 de6d6209f1ccd617eddb9e056408af694f172276
SHA256 b6708a199b9a7e81510ebf8c1ba8499e077c3d9e64353da35bec91b3da02fdfd
SHA512 3f2b346692c7f5f1a30325c472939e102b223ea2f1923c3a83e01b937d3c1df8fb20625e7053146222e2f2482b1cb878350df0843d972e1be2bb1d80cc9aec96

memory/4272-57-0x0000000000D00000-0x0000000000D30000-memory.dmp

memory/4272-58-0x00000000732A0000-0x0000000073A50000-memory.dmp

memory/4272-59-0x000000000B150000-0x000000000B768000-memory.dmp

memory/4272-60-0x000000000ACB0000-0x000000000ADBA000-memory.dmp

memory/2636-62-0x0000000000400000-0x0000000000525000-memory.dmp

memory/4272-63-0x00000000056A0000-0x00000000056B0000-memory.dmp

memory/4272-61-0x000000000ABF0000-0x000000000AC02000-memory.dmp

memory/4272-64-0x000000000AC50000-0x000000000AC8C000-memory.dmp

memory/3212-65-0x00000000010B0000-0x00000000010C6000-memory.dmp

memory/4512-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4004-69-0x00000000732A0000-0x0000000073A50000-memory.dmp

memory/4004-71-0x00000000732A0000-0x0000000073A50000-memory.dmp

memory/4272-72-0x00000000732A0000-0x0000000073A50000-memory.dmp

memory/4272-73-0x00000000056A0000-0x00000000056B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\rebhuha

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
