Malware Analysis Report

2025-03-15 01:44

Sample ID 230910-mchewsgd35
Target 9a3aefe6191b7bfbf6788ad7b43e1a32ccdd51f12deeb37df84493c9afcac721
SHA256 9a3aefe6191b7bfbf6788ad7b43e1a32ccdd51f12deeb37df84493c9afcac721
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a3aefe6191b7bfbf6788ad7b43e1a32ccdd51f12deeb37df84493c9afcac721

Threat Level: Known bad

The file 9a3aefe6191b7bfbf6788ad7b43e1a32ccdd51f12deeb37df84493c9afcac721 was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

SmokeLoader

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 10:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 10:19

Reported

2023-09-10 10:21

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a3aefe6191b7bfbf6788ad7b43e1a32ccdd51f12deeb37df84493c9afcac721.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8118584.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6881010.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5776186.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2584809.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3804 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\9a3aefe6191b7bfbf6788ad7b43e1a32ccdd51f12deeb37df84493c9afcac721.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2228 wrote to memory of 4860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8118584.exe
PID 4860 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8118584.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6881010.exe
PID 1288 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6881010.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5776186.exe
PID 4468 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5776186.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2584809.exe
PID 692 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2584809.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5943906.exe
PID 3396 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5943906.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 692 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2584809.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6230228.exe
PID 2060 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6230228.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4468 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5776186.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2451197.exe
PID 2092 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2451197.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2451197.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2451197.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6881010.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9254795.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9a3aefe6191b7bfbf6788ad7b43e1a32ccdd51f12deeb37df84493c9afcac721.exe

"C:\Users\Admin\AppData\Local\Temp\9a3aefe6191b7bfbf6788ad7b43e1a32ccdd51f12deeb37df84493c9afcac721.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3804 -ip 3804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8118584.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8118584.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 240

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6881010.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6881010.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5776186.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5776186.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2584809.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2584809.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5943906.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5943906.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3396 -ip 3396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6230228.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6230228.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2060 -ip 2060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4132 -ip 4132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2451197.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2451197.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2092 -ip 2092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9254795.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9254795.exe

C:\Users\Admin\AppData\Roaming\fejvjih

C:\Users\Admin\AppData\Roaming\fejvjih

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 254.105.26.67.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

memory/2228-0-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2228-1-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2228-2-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2228-3-0x0000000000400000-0x0000000000525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8118584.exe

MD5 5757b5c681bbb0283372c9ed25f24872
SHA1 d1154f29dd3e524d5b8a823f8752a96a6376db7f
SHA256 41083148201f0ce1bbbff5ff9bb867162a88cfb60bc597ec1fd93dbec508804e
SHA512 b1806263dff93fedd53d428aa209450add3c06718f8c5c117688c24ea74b06c1e996052d0229341968db75dab9c058aa4068d9e646c57d846e4390ddc18dbbe4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6881010.exe

MD5 43344b268eee5b1a33333c26f5c62ee2
SHA1 33d0ddaa87e48ad3ad98fa1c9abc66b81d74f5c1
SHA256 9b59c5e0d409e5d96f5360f161829f08606cbd403bb517da358e25fb95a10477
SHA512 8766616bc240baf7875c34c4a64f8aa18e2bde98f18b3fd35735d0ee8e65f16e083dc2aacf350c1290a2d5dc02fe5d7ec2114c890b9dfaa2486fe491a70b1ce2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5776186.exe

MD5 eff7428a22994cc6f07b2372c1e3edeb
SHA1 0ce6d3c000322a5c34f8a2f296e2ad5ab576eb61
SHA256 154da9c5df1e8228afec5e03696d67859b5a0daf94c426ba56e84eed2345d4a5
SHA512 3677d622e41f0da1256d86c22b7a42d67e65af90761eacb3f8a18158fb7cc8e0641e4267fb1a475eee21b5c36396a33dd8694235e25063fefab2e8a2f5d80b26

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2584809.exe

MD5 506622e685699fe787f54d54cefb89e9
SHA1 8a166868ae632fa4f9d46b45cc72c93e803659dc
SHA256 f29f4ef40488a231628f71b07fb085277eb47b087ffd61f5fcb813e25875a7b5
SHA512 948deeeda59b2610d5d8daa30b5153c05ffbb69abc97d27c739514ef586acf167f810d847b933d845abcd7138500508ea705f08a887856794a8a069ddf5ffac0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5943906.exe

MD5 e0869f859d8b489307d65bc98743a734
SHA1 38781ad0ad20a5ebb0d77a64b18ef396ec115c5e
SHA256 45d8122119985e65f39e608d868674db692347e0b57185c769bcbd13a4c05190
SHA512 240f58b1cb84cbf6c3dae09adaffc5bdfd5b46e475b4e4ab2c8db1ceaade513491d57f225327d8f061bcd04654c964139360a72360bf47ee264c033d16621eda

memory/808-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/808-40-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6230228.exe

MD5 6d47dbc7205f7ce941080ebfecf8ff32
SHA1 0d94e5550028cf2a366b6f46ccb7cf19a1b8be28
SHA256 67168c870c5990db63d1f5c64e7c603b0d0bb1a4a263477ca7fc53ac54f7c234
SHA512 ed9c20f5f8bd18bfdd487c9387a970970b2532c673e7b2caed099824b146c65b8356db24bd6a61f893e8407cbee9fafd4ddc7961e0b794c43dd346a85b450baa

memory/4132-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4132-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4132-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4132-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2451197.exe

MD5 011caef556bf168b6c4616a9e3db5804
SHA1 5ab376e2070f04f3b5d67ee56d4c8775566a70dd
SHA256 beac2df06a82be290244b1a3abe88443e41fdad350ceaf1c9fd75369a5999719
SHA512 19163e045cebaaebd55764a388bf3b1fceb34cf9057a3a900f5ceaf045330f21c2d7949c0e0ae67c3ed164105a1b5106645731954a8e9c16d6110a86e0da3480

memory/5016-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5016-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d9254795.exe

MD5 2ed1719ee8eb17877bdbe7eba3b2fbc4
SHA1 a9ed96e11ddd2875a0246b4580734d358d14e1e6
SHA256 518d5cf02b1d5b84063b05ea96047bf8fa8a827c30364114a4e9de8bd892b1e3
SHA512 df96ec07691e348011b47e16c100842d9e3e93660e25297af942a6baa24a3c694b83413e0a1f13a4273759936f388d2227725298634cb4ca3961310202a0ee98

memory/4480-57-0x0000000000D10000-0x0000000000D40000-memory.dmp

memory/4480-58-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4480-59-0x0000000005D70000-0x0000000006388000-memory.dmp

memory/4480-60-0x00000000058A0000-0x00000000059AA000-memory.dmp

memory/4480-62-0x0000000005640000-0x0000000005650000-memory.dmp

memory/4480-61-0x00000000057E0000-0x00000000057F2000-memory.dmp

memory/4480-63-0x0000000005840000-0x000000000587C000-memory.dmp

memory/2228-64-0x0000000000400000-0x0000000000525000-memory.dmp

memory/3088-65-0x0000000002260000-0x0000000002276000-memory.dmp

memory/5016-67-0x0000000000400000-0x0000000000409000-memory.dmp

memory/808-69-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/808-71-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4480-72-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4480-73-0x0000000005640000-0x0000000005650000-memory.dmp

C:\Users\Admin\AppData\Roaming\fejvjih

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
