Malware Analysis Report

2025-03-15 01:44

Sample ID 230910-mkqq8sgd4v
Target fd15f9fc8857b6b790e7f8661addb81256cef47eaf3d68b96ddea3ad9924657d
SHA256 fd15f9fc8857b6b790e7f8661addb81256cef47eaf3d68b96ddea3ad9924657d
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd15f9fc8857b6b790e7f8661addb81256cef47eaf3d68b96ddea3ad9924657d

Threat Level: Known bad

The file fd15f9fc8857b6b790e7f8661addb81256cef47eaf3d68b96ddea3ad9924657d was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

SmokeLoader

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 10:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 10:31

Reported

2023-09-10 10:34

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd15f9fc8857b6b790e7f8661addb81256cef47eaf3d68b96ddea3ad9924657d.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5822351.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9408505.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5970390.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3392227.exe N/A
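
The two registry tables above record different things and should not be read the same way. The five Real-Time Protection values are Windows Defender policy settings; written as DWORD 1 they switch off behaviour monitoring, IOAV, on-access and real-time scanning, and the writer here is AppLaunch.exe, the signed .NET host that the stubs inject into (see the WriteProcessMemory rows below), not a binary the sample dropped. The RunOnce values named wextract_cleanupN that call advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory are the standard cleanup entries an IExpress (wextract) self-extracting package registers so its staging folder is deleted at next logon; they trip the "Adds Run key" signature but are not payload persistence, and five of them show five nested self-extractors. The Python below is an example added here, not part of the sandbox output: it classifies constructed registry-write events modelled on those rows into the two categories. The {"key", "data", "process"} event shape is an assumption, not a sandbox export format.

```python
"""Classify registry-write events from a sandbox report (added example).

Input events are constructed here to mirror the rows of this report; the
{"key", "data", "process"} dictionary shape is an assumption, not a
sandbox export format.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Real-Time Protection policy values that disable Defender components
# when set to 1. Names are the ones written in this report.
DEFENDER_RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
_RTP_KEY_SUFFIX = r"\policies\microsoft\windows defender\real-time protection"
# RunOnce value name used by IExpress/wextract cleanup entries.
_WEXTRACT_RE = re.compile(r"\\runonce\\wextract_cleanup(\d+)$")
# rundll32.exe <path>\advpack.dll,DelNodeRunDLL32 "<staging dir>\"
_DELNODE_RE = re.compile(
    r'advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>.+?)\\*"?\s*$', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # "defender_tamper" or "wextract_cleanup"
    process: str   # image path of the writing process
    detail: str    # value name disabled, or staging directory to be deleted


def normalize_key(path: str) -> str:
    """Map the kernel-style \\REGISTRY\\MACHINE prefix to HKLM, drop the
    WOW6432Node redirection component so 32-bit and 64-bit writers compare
    equal, and lower-case the result."""
    p = path.replace("\\REGISTRY\\MACHINE", "HKLM").replace("\\WOW6432Node", "")
    return p.lower()


def classify(event: dict) -> Optional[Finding]:
    key = normalize_key(event["key"])
    parent, _, value_name = key.rpartition("\\")
    if (parent.endswith(_RTP_KEY_SUFFIX)
            and value_name in DEFENDER_RTP_DISABLE_VALUES
            and str(event["data"]).strip('"') == "1"):
        return Finding("defender_tamper", event["process"], value_name)
    if _WEXTRACT_RE.search(key):
        m = _DELNODE_RE.search(str(event["data"]))
        if m:
            return Finding("wextract_cleanup", event["process"], m.group("dir"))
    return None


def summarize(events: list) -> dict:
    findings = [f for f in map(classify, events) if f is not None]
    tamper = [f for f in findings if f.kind == "defender_tamper"]
    cleanup = [f for f in findings if f.kind == "wextract_cleanup"]
    staging = sorted({f.detail for f in cleanup})
    return {
        "defender_values_disabled": sorted({f.detail for f in tamper}),
        "defender_tamper_processes": sorted({f.process for f in tamper}),
        "wextract_staging_dirs": staging,
        "sfx_nesting_levels": len(staging),  # one cleanup entry per unpacked layer
    }


# Constructed events mirroring the rows in this report.
_APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
_RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
_TEMP = r"C:\Users\Admin\AppData\Local\Temp"

SAMPLE_EVENTS = [
    {"key": _RTP + "\\" + name, "data": "1", "process": _APPLAUNCH}
    for name in ("DisableBehaviorMonitoring", "DisableIOAVProtection",
                 "DisableOnAccessProtection", "DisableRealtimeMonitoring",
                 "DisableScanOnRealtimeEnable")
] + [
    {"key": f"{_RUNONCE}\\wextract_cleanup{n}",
     "data": f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "{_TEMP}\\IXP00{n}.TMP\\"',
     "process": writer}
    for n, writer in ((4, _TEMP + r"\IXP003.TMP\v5822351.exe"),
                      (0, _APPLAUNCH),
                      (1, _TEMP + r"\IXP000.TMP\v9408505.exe"),
                      (2, _TEMP + r"\IXP001.TMP\v5970390.exe"),
                      (3, _TEMP + r"\IXP002.TMP\v3392227.exe"))
]

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_EVENTS).items():
        print(f"{k}: {v}")
```

Run as a script it prints the five disabled Defender values, the single tampering process, the five IXP staging directories and a nesting depth of 5. Dropping WOW6432Node in normalize_key matters in practice: a 32-bit writer on a 64-bit host logs the redirected path, and a rule that matches only the unredirected Policies key misses it.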

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A 4
N/A N/A N/A N/A 60

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 808 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\fd15f9fc8857b6b790e7f8661addb81256cef47eaf3d68b96ddea3ad9924657d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 10
PID 4404 wrote to memory of 4476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9408505.exe 3
PID 4476 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9408505.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5970390.exe 3
PID 1316 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5970390.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3392227.exe 3
PID 2852 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3392227.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5822351.exe 3
PID 1300 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5822351.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1537400.exe 3
PID 3448 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1537400.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 8
PID 1300 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5822351.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7392806.exe 3
PID 4456 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7392806.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 10
PID 2852 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3392227.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8937075.exe 3
PID 1704 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8937075.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 6
PID 1316 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5970390.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d3930471.exe 3
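
The table reads more easily as a chain. Each IXP00N.TMP\vNNNNNNN.exe stub writes three times into the next stub it extracts, the shape of a parent setting up a child it has just created, while the original sample and three of the four payload stubs (a1537400.exe, b7392806.exe, c8937075.exe) write repeatedly into a freshly started copy of AppLaunch.exe, a signed Microsoft .NET host. A writer from %TEMP% putting code into a process whose image lives under C:\Windows is the hollowing pattern; it matches the SetThreadContext and MapViewOfSection signatures above and the differently sized 0x400000 dumps taken from the AppLaunch.exe instances (PIDs 4404, 4344, 1228, 3320) in the Files section, which is consistent with a different payload being mapped into each host. d3930471.exe (PID 3836) writes into nobody and its dumps cover the CLR region, so it appears to run its payload in-process. The Python below is an example added here, not part of the sandbox output: it parses rows in the exact format printed above (embedded as constructed input with this report's per-edge counts), rebuilds the chain and flags the cross-image writes into system binaries.

```python
"""Rebuild the cross-process write chain of this report (added example).

The rows are constructed input in the format the report prints, one line
per write, generated from the distinct (writer, target) edges and the
number of times each appeared above.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYSTEM_ROOT = "c:\\windows\\"


@dataclass(frozen=True)
class Edge:
    src_pid: int
    dst_pid: int
    src_img: str
    dst_img: str
    writes: int


def is_system_image(path: str) -> bool:
    """True for images under C:\\Windows (OS binaries such as AppLaunch.exe)."""
    return path.lower().startswith(SYSTEM_ROOT)


def parse_row(line: str) -> Tuple[int, int, str, str]:
    """Parse one 'PID A wrote to memory of B N/A <src> <dst>' row."""
    parts = line.split()
    # ['PID', A, 'wrote', 'to', 'memory', 'of', B, 'N/A', src, dst]
    return int(parts[1]), int(parts[6]), parts[8], parts[9]


def edges_from_rows(rows: List[str]) -> List[Edge]:
    """Collapse repeated rows into one Edge per (writer, target) with a count."""
    counts: Dict[Tuple[int, int, str, str], int] = defaultdict(int)
    for line in rows:
        counts[parse_row(line)] += 1
    return [Edge(s, d, si, di, n) for (s, d, si, di), n in counts.items()]


def injection_edges(edges: List[Edge]) -> List[Edge]:
    """Writes from a non-system image into a system-image process: the
    hollowing pattern (a %TEMP% stub writing into AppLaunch.exe)."""
    return [e for e in edges
            if is_system_image(e.dst_img) and not is_system_image(e.src_img)]


def longest_chain(edges: List[Edge]) -> List[int]:
    """Follow writer -> target edges from the root (the PID nobody wrote
    into) and return the longest path of PIDs, smallest child first on ties."""
    children = defaultdict(list)
    targets = set()
    for e in edges:
        children[e.src_pid].append(e.dst_pid)
        targets.add(e.dst_pid)
    roots = sorted(set(children) - targets)

    def walk(pid: int) -> List[int]:
        best: List[int] = []
        for child in sorted(children.get(pid, [])):
            path = walk(child)
            if len(path) > len(best):
                best = path
        return [pid] + best

    best_overall: List[int] = []
    for r in roots:
        p = walk(r)
        if len(p) > len(best_overall):
            best_overall = p
    return best_overall


# Constructed rows: the distinct edges of this report and their counts.
_T = r"C:\Users\Admin\AppData\Local\Temp"
_APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
_SAMPLE = _T + r"\fd15f9fc8857b6b790e7f8661addb81256cef47eaf3d68b96ddea3ad9924657d.exe"
_V0, _V1 = _T + r"\IXP000.TMP\v9408505.exe", _T + r"\IXP001.TMP\v5970390.exe"
_V2, _V3 = _T + r"\IXP002.TMP\v3392227.exe", _T + r"\IXP003.TMP\v5822351.exe"
_A, _B = _T + r"\IXP004.TMP\a1537400.exe", _T + r"\IXP004.TMP\b7392806.exe"
_C, _D = _T + r"\IXP003.TMP\c8937075.exe", _T + r"\IXP002.TMP\d3930471.exe"
_SPEC = [  # (writer pid, target pid, writer image, target image, rows in report)
    (808, 4404, _SAMPLE, _APPLAUNCH, 10), (4404, 4476, _APPLAUNCH, _V0, 3),
    (4476, 1316, _V0, _V1, 3), (1316, 2852, _V1, _V2, 3), (2852, 1300, _V2, _V3, 3),
    (1300, 3448, _V3, _A, 3), (3448, 4344, _A, _APPLAUNCH, 8),
    (1300, 4456, _V3, _B, 3), (4456, 1228, _B, _APPLAUNCH, 10),
    (2852, 1704, _V2, _C, 3), (1704, 3320, _C, _APPLAUNCH, 6), (1316, 3836, _V1, _D, 3),
]
SAMPLE_ROWS = [f"PID {s} wrote to memory of {d} N/A {si} {di}"
               for s, d, si, di, n in _SPEC for _ in range(n)]

if __name__ == "__main__":
    edges = edges_from_rows(SAMPLE_ROWS)
    print("chain:", " -> ".join(map(str, longest_chain(edges))))
    for e in injection_edges(edges):
        print(f"injection: {e.src_pid} -> {e.dst_pid} ({e.writes} writes into {e.dst_img})")
```

The deepest chain is 808 -> 4404 -> 4476 -> 1316 -> 2852 -> 1300 -> 3448 -> 4344, eight processes for one double-click, and the four flagged edges are exactly the writes into AppLaunch.exe. On a live host the same logic applies to Sysmon Event ID 10 (ProcessAccess) or EDR cross-process write telemetry; the field that matters is the writer's image path against the target's, not the PIDs.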

Uses Task Scheduler COM API

persistence

Processes

PIDs are taken from the WriteProcessMemory and WerFault rows of this report; a WerFault.exe line with -p N is Windows Error Reporting handling a crash of PID N.

PID 808 C:\Users\Admin\AppData\Local\Temp\fd15f9fc8857b6b790e7f8661addb81256cef47eaf3d68b96ddea3ad9924657d.exe
"C:\Users\Admin\AppData\Local\Temp\fd15f9fc8857b6b790e7f8661addb81256cef47eaf3d68b96ddea3ad9924657d.exe"

PID 4404 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe (crash of PID 808)
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 808 -ip 808

PID 4476 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9408505.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9408505.exe

C:\Windows\SysWOW64\WerFault.exe (crash of PID 808)
C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 140

PID 1316 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5970390.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5970390.exe

PID 2852 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3392227.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3392227.exe

PID 1300 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5822351.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5822351.exe

PID 3448 C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1537400.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1537400.exe

PID 4344 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe (crash of PID 3448)
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3448 -ip 3448

C:\Windows\SysWOW64\WerFault.exe (crash of PID 3448)
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 148

PID 4456 C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7392806.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7392806.exe

PID 1228 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe (crash of PID 4456)
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe (crash of PID 4456)
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 580

C:\Windows\SysWOW64\WerFault.exe (crash of PID 1228)
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe (crash of PID 1228)
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 540

PID 1704 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8937075.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8937075.exe

PID 3320 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe (crash of PID 1704)
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1704 -ip 1704

C:\Windows\SysWOW64\WerFault.exe (crash of PID 1704)
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 152

PID 3836 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d3930471.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d3930471.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp 1
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp 1
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp 1
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp 1
FI 77.91.124.82:19071 - tcp 6
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 1
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp 1
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp 1
FI 77.91.68.29:80 77.91.68.29 tcp 2
FI 77.91.124.231:80 - tcp 2
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp 1
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp 1

Rows with a Domain of "-" are direct connections by IP address; no hostname was resolved for them. The udp rows are reverse (PTR) lookups sent to 8.8.8.8, where the in-addr.arpa label is the looked-up address with its octets reversed, so 29.68.91.77.in-addr.arpa is the reverse lookup of 77.91.68.29, one of the three hosts contacted directly. The other PTR targets are not contacted in this run.

Files

memory/4404-0-0x0000000000400000-0x0000000000526000-memory.dmp

memory/4404-1-0x0000000000400000-0x0000000000526000-memory.dmp

memory/4404-2-0x0000000000400000-0x0000000000526000-memory.dmp

memory/4404-3-0x0000000000400000-0x0000000000526000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9408505.exe

MD5 c13ccdf7d24b0cd68e8b3ec75b2802a1
SHA1 308b6170fbea00446321c3ffb932bde56a2ef1b7
SHA256 96fcb75a63bd8126261faae6d8e67dc28a5ed2cabafc9d2761ed813cd4a151aa
SHA512 37607befc7029299213fdc0ed3228ab83103a6fe16ebc720d695ac7d1b0088eaff256cac8c654532bd1c3f91e94bb69ab01248aed507a37cbccc79c5f4c9c15d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5970390.exe

MD5 4407b11e4524c3b73b656b0e5c2d17f6
SHA1 1df4c2147c1bcc2e16c908abbd181d37d1a53291
SHA256 b6e2c6f82f5f9ee20e3d782fda37619ec684c04912e362c77299157cc9499531
SHA512 c0e165e1e49ac42cf7d90e158af67408b729621f4eb003c4e4da51d4c5446dab4dc93229ac5135e92cc904ef89b44621b8a521fd401aa2dafb8e10280d2fd4b7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3392227.exe

MD5 32410eae5cb71cc409a002a34536c268
SHA1 93da03f20d0fb1d8a36b85d26a665b7321bc075b
SHA256 c6f9b2b047f45fc92efaeb6ca6a9693cc42604e6b4955e431bab91dbd83e0424
SHA512 5f491d93d261d62e04320c86197963f648c04cfaefa8e6ba6e68dcb32f7928260510245d3dcd20805e24e0801a397d789589c885498c163f56ce29e6ccc35ada

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5822351.exe

MD5 400bcb0e48908822823d9ad9b39d838f
SHA1 2892b21cc4773b3e7ebca3a682a777c9e3067c39
SHA256 424e90b9a448ee2960b1ea5de911e9a94551aeb2b8f90eb7466c8d5614352eef
SHA512 59d09286c76e34e72eb6880845399caee6876c6937b30155125c369136849b05fd5a2d5d6643ed6ba7e7f2f5ac9dd762970fa9ebdeda059d95c68b70d421177e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1537400.exe

MD5 7d87ec255c1483ac4f85721ae72d06bb
SHA1 fcaecb9e82f36be138523df24443127c958afb58
SHA256 7c6887d74d8238772446973c945bd000c2662ec796d6714b813faa32a8008564
SHA512 351cc13629ee0d469a5a8d83b4fdc2411169741e5dc4b6b59ae4bff3009e47acd58a9a842d630d73997c8164af78a76a63f3e0cc355286ceccc058552c26d1dc

memory/4344-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4344-40-0x00000000740D0000-0x0000000074880000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7392806.exe

MD5 0bc2ad0285f93e46a1a54d8de3426d8d
SHA1 7f11b815c19a804cfb23d67e6f39ce2e5ce0cf4e
SHA256 39f476266e42738c672da64d6dbb1abe7123f18e313b9b2917d33d646487084a
SHA512 9863eea070d8d3adab873608f61cb965bcdd30b85abeafab201e0f8b4e0135b3508f00b45ce5b6ef9cce2a696b423c7c085ebb25a78a7405eea99091908899a1

memory/1228-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1228-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1228-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1228-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8937075.exe

MD5 f6ab1c26a662df560dbedd224a0c9063
SHA1 d3207a13e790f70e31eb088f1cbdcff119286dc4
SHA256 465ef47233ede59369c9df8a724aac7249918368a637297a1ccfb13731557443
SHA512 586040484662cbe61a6a2eb910952e20e3422cb5ccb9e5ff6bc72d1ffb4e695f7203ce7cbbd14189e064a82a5929ceb737da3229ada41ec56ff06c605d6a7271

memory/3320-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3320-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d3930471.exe

MD5 9367c2d03a11afcd7217ae464f8f909e
SHA1 3ff2fed7d5332bd35545fc9366798bdb0aa4582f
SHA256 da4cbe9d98ebae315e0a10897d10f7d755d9b86da728ddd0fb53b42d70449545
SHA512 5da3d63d4894d70722ec0229ffdb11b4a56ac3ce30b155f280398a6b6b04739586e06eb9d63131e96f26dd3c9b11bd342d4008c3c78e1619b6257cd6d3ea4ba2

memory/3836-58-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/3836-57-0x0000000000AF0000-0x0000000000B20000-memory.dmp

memory/3836-59-0x0000000005A80000-0x0000000006098000-memory.dmp

memory/3836-60-0x0000000005570000-0x000000000567A000-memory.dmp

memory/3836-61-0x0000000005480000-0x0000000005492000-memory.dmp

memory/3836-62-0x0000000005450000-0x0000000005460000-memory.dmp

memory/3836-63-0x00000000054E0000-0x000000000551C000-memory.dmp

memory/4404-64-0x0000000000400000-0x0000000000526000-memory.dmp

memory/3148-65-0x0000000002F60000-0x0000000002F76000-memory.dmp

memory/3320-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4344-69-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/4344-71-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/3836-72-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/3836-73-0x0000000005450000-0x0000000005460000-memory.dmp