Malware Analysis Report

2025-03-15 01:38

Sample ID 230910-myxrpsge76
Target 882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0
SHA256 882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0

Threat Level: Known bad

The file 882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0 was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

SmokeLoader

RedLine

Healer

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 10:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 10:52

Reported

2023-09-10 10:55

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8362310.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2852 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2852 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2852 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2852 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2852 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2852 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2852 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2852 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2852 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2524 wrote to memory of 4312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8362310.exe
PID 2524 wrote to memory of 4312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8362310.exe
PID 2524 wrote to memory of 4312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8362310.exe
PID 4312 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8362310.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe
PID 4312 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8362310.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe
PID 4312 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8362310.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe
PID 2076 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe
PID 2076 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe
PID 2076 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe
PID 60 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe
PID 60 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe
PID 60 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe
PID 4884 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe
PID 4884 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe
PID 4884 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe
PID 3684 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3684 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3684 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3684 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3684 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3684 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3684 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3684 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4884 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe
PID 4884 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe
PID 4884 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe
PID 3856 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3856 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3856 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3856 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3856 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3856 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3856 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3856 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3856 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3856 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 60 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1225250.exe
PID 60 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1225250.exe
PID 60 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1225250.exe
PID 2076 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d3362152.exe
PID 2076 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d3362152.exe
PID 2076 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d3362152.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe

"C:\Users\Admin\AppData\Local\Temp\882bff0ac83efac81e23017cb9dd74381637546b6c36c03f81852bd0cedb6ef0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2852 -ip 2852

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8362310.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8362310.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 240

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3684 -ip 3684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 140

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3856 -ip 3856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 444 -ip 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 208

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1225250.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1225250.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4660 -ip 4660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d3362152.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d3362152.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp

Files

memory/2524-0-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2524-1-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2524-2-0x0000000000400000-0x0000000000525000-memory.dmp

memory/2524-3-0x0000000000400000-0x0000000000525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8362310.exe

MD5 5467a226767c056cb14fb02835004bc4
SHA1 913a92ac6ea1468acac2d17119be517d8ee988d3
SHA256 b05a87902e064b7a100cddb8dab28341d290e3d1ea4dec9ee90018918657c41e
SHA512 c7f5382b368b72fdc60969ecf1bfe332ad993c72f24ab22196b31b5df3da078e47b478dc93dc67aeccb385bf68f37846bde93725b651a17b8a9ecaadcba7a885

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1091169.exe

MD5 9e1289dc991b75fc6f51cce9c3531eec
SHA1 6c1ff2edab7146a0abec5772b2387b2dc7ab4330
SHA256 1bd241207eeaeff8ba4d62872b325ea7d3c984e9a0a7df0cc397cc862a074987
SHA512 724490de3fc4a978fbf17ab2d140f4971990f03eda2d7860d1e93a66ce3fd1cbc4e9b98179b852854073cf03cc1d4c439e96cacd69f9818a40d21b6d66bf28ea

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8313638.exe

MD5 b6c3f0f4e9e42c9144d33a354246466b
SHA1 14bf791225177a8fbcc4379318c24d8860abe580
SHA256 56bc5dffb9cabfc00cb14690afe0159da52e4f7b070eba486110363d59b38b42
SHA512 f5403c2a7aef2b44157a7933e51725984691bfd6a4a271b8b00533aea4407c1559224d45af17aa90a9a3f47f5d9f8bc149bdc48a1451205db2be46a8a9739c05

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4133862.exe

MD5 fd9c78db45d48dae37b64ad769b8f134
SHA1 3ace7f888c9f6469bca778c4eb6f33c8494f0917
SHA256 1977036b15f99ab175f2b143b7d85dc0c4cdc0dbdac0c72df9fd7dd000197b19
SHA512 e83d6fd16ba79c43778fc2b2e6bd32cddc4b777648d2a99fd4d93ee5404c416653f3e775abcebcd7ca729e4763f9756281b79a4315c476f03aa8c821c9a61276

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1572369.exe

MD5 da1448c0726d1a18340934f1ad285ee5
SHA1 68b8be71cc02952b6b3e2699fa10b7996612d795
SHA256 9626d41c17a2f87296f07da54a175b284efb4ce37cf80e04dd3a382b860677c7
SHA512 806f1823cd41cb9df39927d3fd52e855ea2e2416b24a1c348ec5f43f4a780af020876bc1b535fdfee277a908edd77ab7f98098f6a40689f10a43c6790bede09d

memory/3268-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3268-40-0x0000000074610000-0x0000000074DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8254982.exe

MD5 14096b9f114471efc231ebced2c95043
SHA1 7c497319d177b002bac118717d8c05d970a6f0af
SHA256 acf69b552e4ae61d2424781af6841477e80fe60259479476b8a0b46e64397605
SHA512 4d988ba0bb6088a82a65550aec6b2100fa1781f17cc0ecea8c6734b6554e84e422cf9859b5db7779326f46f648b21e75a4eb08c8604dc218b7e6955340d5f398

memory/444-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/444-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/444-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/444-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1225250.exe

MD5 49a2cce2ee7c1e89c221ed4af0259a01
SHA1 e3606a4afa9c5febde403db7f799de23feb63d9d
SHA256 ab1244ab4952ddc1fbf73c6da59404c8edce2a46de1fc739a1eb5323718e4e46
SHA512 9c78a774babd24bed98c14d7c3ed92e90f78ab1d78a6f5438bc5254a11c9aeadad2f979dec010438c22b61149b251ef287615eeca6f1bab57861e9a79232b6fb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d3362152.exe

MD5 854dc62cc6d3c76d559144b500a3976a
SHA1 face86043ac41b2c678c7d98d9ce7c83f681c212
SHA256 d06f99efe00be534e1976270d32e8bf6b2dda1690845c7d174f70a0d75dc179d
SHA512 474f1fb479ff3a2cff8e672aa8895ff17d79463aa547b78f22e8089630182a54335777d4010ee3f3d08581f607cd72c64f2a6f80194e5f7fe26428bf56d2d757

memory/4000-56-0x0000000000670000-0x00000000006A0000-memory.dmp

memory/4000-57-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/4000-58-0x0000000005650000-0x0000000005C68000-memory.dmp

memory/4000-59-0x0000000005140000-0x000000000524A000-memory.dmp

memory/4000-61-0x0000000005020000-0x0000000005030000-memory.dmp

memory/4000-60-0x0000000005000000-0x0000000005012000-memory.dmp

memory/4000-62-0x0000000005070000-0x00000000050AC000-memory.dmp

memory/2524-63-0x0000000000400000-0x0000000000525000-memory.dmp

memory/3248-64-0x0000000002A70000-0x0000000002A86000-memory.dmp

memory/3268-67-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/3268-69-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/4000-70-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/4000-71-0x0000000005020000-0x0000000005030000-memory.dmp