Malware Analysis Report

2025-03-15 01:42

Sample ID 230910-nkcp2sgf8x
Target fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272
SHA256 fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272

Threat Level: Known bad

The file fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272 was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

RedLine

SmokeLoader

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 11:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 11:26

Reported

2023-09-10 11:29

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5403960.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4632 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4632 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3992 wrote to memory of 380 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5403960.exe
PID 3992 wrote to memory of 380 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5403960.exe
PID 3992 wrote to memory of 380 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5403960.exe
PID 380 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5403960.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe
PID 380 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5403960.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe
PID 380 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5403960.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe
PID 4444 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe
PID 4444 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe
PID 4444 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe
PID 1920 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe
PID 1920 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe
PID 1920 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe
PID 5092 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe
PID 5092 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe
PID 5092 wrote to memory of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe
PID 4312 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4312 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe
PID 5092 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe
PID 5092 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe
PID 4852 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4852 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4852 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4852 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4852 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4852 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4852 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4852 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4852 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4852 wrote to memory of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1920 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe
PID 1920 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe
PID 1920 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe
PID 1312 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1312 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1312 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1312 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1312 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1312 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4444 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d5287432.exe
PID 4444 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d5287432.exe
PID 4444 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d5287432.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe

"C:\Users\Admin\AppData\Local\Temp\fece02363e7235a9eec5b9810b0872476082872ae395403ae2940975c744b272.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4632 -ip 4632

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5403960.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5403960.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 236

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4312 -ip 4312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3360 -ip 3360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1312 -ip 1312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d5287432.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d5287432.exe

C:\Users\Admin\AppData\Roaming\chivreb

C:\Users\Admin\AppData\Roaming\chivreb

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.155.27.67.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
FI | 77.91.68.29:80 | 77.91.68.29 | tcp
FI | 77.91.124.231:80 | N/A | tcp
US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.68.29:80 | 77.91.68.29 | tcp
FI | 77.91.124.231:80 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp

Files

memory/3992-0-0x0000000000400000-0x0000000000525000-memory.dmp

memory/3992-1-0x0000000000400000-0x0000000000525000-memory.dmp

memory/3992-2-0x0000000000400000-0x0000000000525000-memory.dmp

memory/3992-3-0x0000000000400000-0x0000000000525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5403960.exe

MD5 bcfc917a96ba85c11a35ddf8f1f973ba
SHA1 b66b068d46b96d351d2a7c69c2ece37622b0ae04
SHA256 7c7899516a630ca599f7317e5f3078c85f76a867a61ab8d6dcb3b5bc0b65def3
SHA512 91a66da01ec4a1eb29d99a567bf7675adebd432a2e2e110628c779ea3f138d54bb78df2e6bacee923bcea71977a6d6418e6f2bb81fbbca72a6eec90bb1576f4d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9186754.exe

MD5 bf28516961e74bfa5296449e98a4e7b6
SHA1 eeb0ec67fb5e47d05a6b665c7e07904c75704cc4
SHA256 078b0b704ce0ca868794ca1889b0a243af5b1487c9f8a3aeda0dda8d02196769
SHA512 b91d99f3d0b13de142f737bd5c139def24273ec88cd2ba0efebf0c1bf14adbb107d11943b535f1202331590e2346bb4f20f1dcb2fc55901beb89cf87a68557e2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8633254.exe

MD5 72fe025a7668adde17da83442cb3dd0b
SHA1 7b33c10edcb57554a1be0dad2681bb9905299617
SHA256 495335bf1954c86b4502c85d1134914faffd7fb5b3a8cb9800cb7448f12b15b3
SHA512 1e07c211c58c0c9cc3242f3d7707eec7933639caa08d55871af648d5f46ee63fd83755102ca624536b08feb8a3ac0f3074532b294b76946d53d9dd8049a096b6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7140467.exe

MD5 95dd760d1fa4aa7f820d4ffae02f1941
SHA1 d64ea0018fbab3e8bd24eb599c40aee6197c3456
SHA256 c2b76683ae4ed75cab0d601a244c2b01a77f4b2b79218f616bfafd3be06d04b1
SHA512 c07485cc8730dbe3f1cda0c01a4870df7e864996986448b6880f86b1c34cbddb906de3a839273238161b9443b47116163a6b61f2a6981affb5fc66cafafbe91c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9196017.exe

MD5 dc3373e9b2af73b97bd30566da559fcc
SHA1 4732ef55c8ad741443134995368c05c67faf0715
SHA256 7670bcf227550560c97ca14f954baefe83e32f5be3a2fab671a4ff26d7a838fd
SHA512 979193d4725bc96299041715af71b4e056ce54d6546b9d7235ecc5917a1af7cb9cf44ceb807ca1a7af564b5d1eda5f68356507833489fd7cad71978b76b96218

memory/5036-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5036-40-0x0000000073A60000-0x0000000074210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8773424.exe

MD5 7dc816b01a3e516f86d1dae0ef6c142e
SHA1 6e17582af801a489a787176a0dd9ece016a17f51
SHA256 7737bc0220083789a15d4c7ae2e2df4fd6b13101aeabd31ee8cf00c9e1123465
SHA512 1f73f7e2203487ea95993d120fd1e0b95d276504d0d61f5b77bb98358fd8330d7b61668c55c4e97a6c6b015fad45847cbb8ad69a204d96f0ca8e493f1f253f98

memory/3360-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3360-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3360-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3360-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4005750.exe

MD5 b39032fa5295d26aef31407bbe6c2b45
SHA1 44119ca2b88079c2fac5f52880328f6113c232a5
SHA256 4d70cb0a6d2b7711332065b11c4d0508aaa3c72b303869c824f8fae1c63ecb0d
SHA512 92118a87c30b685e628c7b01605579d841452b5482c8a0b380092a38ac4e001cf6d3fd93175c255562f2558de9d9cbb3fde2dce433749d1b0b4ab38afc9252e0

memory/3924-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3924-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d5287432.exe

MD5 7252350976fbba2e238fa31ec3a3725b
SHA1 21ba1c45284462f63dab8eb2219df0cb7966f82a
SHA256 ada2a3d5e56762fa8d311289be712de194385042c92b91ebaf3a2e5c95fb822e
SHA512 f3b3bc3df1cb1099e7f18a073151ea0a4ffc3d93fdfb74a8ccb805c62fc6dd2040e590bb3ef88f92643e8d95a5425993d5ea643333b5b4ae058ad5217952fb0c

memory/2092-57-0x0000000000F10000-0x0000000000F40000-memory.dmp

memory/2092-58-0x0000000073A60000-0x0000000074210000-memory.dmp

memory/2092-59-0x0000000005EB0000-0x00000000064C8000-memory.dmp

memory/2092-60-0x00000000059A0000-0x0000000005AAA000-memory.dmp

memory/2092-62-0x00000000058B0000-0x00000000058C2000-memory.dmp

memory/2092-61-0x00000000031F0000-0x0000000003200000-memory.dmp

memory/2092-63-0x0000000005910000-0x000000000594C000-memory.dmp

memory/3992-64-0x0000000000400000-0x0000000000525000-memory.dmp

memory/3144-65-0x0000000001010000-0x0000000001026000-memory.dmp

memory/3924-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5036-69-0x0000000073A60000-0x0000000074210000-memory.dmp

memory/5036-71-0x0000000073A60000-0x0000000074210000-memory.dmp

memory/2092-72-0x0000000073A60000-0x0000000074210000-memory.dmp

memory/2092-73-0x00000000031F0000-0x0000000003200000-memory.dmp

C:\Users\Admin\AppData\Roaming\chivreb

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
