Malware Analysis Report

2025-03-15 01:40

Sample ID 230910-phq1bsha39
Target 41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e
SHA256 41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e

Threat Level: Known bad

The file 41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

RedLine

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 12:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 12:20

Reported

2023-09-10 12:22

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4324 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4324 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3244 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe
PID 3244 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe
PID 3244 wrote to memory of 4356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe
PID 4356 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe
PID 4356 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe
PID 4356 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe
PID 996 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe
PID 996 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe
PID 996 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe
PID 2152 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe
PID 2152 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe
PID 2152 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe
PID 492 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe
PID 492 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe
PID 492 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe
PID 3732 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3732 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 492 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe
PID 492 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe
PID 492 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe
PID 4208 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4208 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4208 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4208 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4208 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4208 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4208 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4208 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4208 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4208 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe
PID 2152 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe
PID 2152 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe
PID 1608 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1608 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1608 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1608 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1608 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1608 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe

"C:\Users\Admin\AppData\Local\Temp\41335a1ea9867a360ae46195ef310072a9a144636907f3577eb04b748270b43e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4324 -ip 4324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 296

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3732 -ip 3732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4208 -ip 4208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4432 -ip 4432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1608 -ip 1608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 588

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7175829.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7175829.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp

Files

memory/3244-0-0x0000000000400000-0x0000000000526000-memory.dmp

memory/3244-1-0x0000000000400000-0x0000000000526000-memory.dmp

memory/3244-2-0x0000000000400000-0x0000000000526000-memory.dmp

memory/3244-3-0x0000000000400000-0x0000000000526000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe

MD5 c7d18ba7beade6ec24a9234099b0cdbc
SHA1 bdb3089c458d000885ccc8c0d69bfe17bc8621b3
SHA256 532e2d6917b9427b7c7d124aa3d0e9e51cd0342ed2ac09d6d348b62c4edc35a9
SHA512 f3b935097d408d188e4b15bdeef4036fa874124256a7bd361385e0c9d3cac337f11dae44a56f3e1d3b76aa69b564ba0e3f1013e23f429dfa89b929d6a085af1d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe

MD5 89f91de931128d3084d9590cedb439e5
SHA1 381e0db4d235b28b11e10f9428f99fef96ec76e5
SHA256 f4e4b86575a880b4e49881ad5eb255b7a915ed18cbb6b714ff2bade61f1cfea4
SHA512 227bf203736514a8bbdf9f2483cf62180945a8c13e7c3ce9e4c599630e1252cb532ca5e20e6df49bada67e9b594fa67425fa8e09496072f6b6a7deea41517f96

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe

MD5 0f0b43691a43eb1a69861af2274a2eeb
SHA1 eac838d63a24fe53c1a31f5d8c60d0c6c19805bf
SHA256 089ff2f44999982c79eb932a32857c3c51daf19743c17f3d9fa1ded19ce829c5
SHA512 888406719d9af7b4452e111f11723b2a44c4b0fb7e545609a1ac26b3e155e344b5676d73c3d38d65d7f757117e11124bc6cff02dc08b41d4b2e3957522c383e1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe

MD5 d479e9e0927685283457e36d7caa6e4e
SHA1 bef8f7dcb412f975489c2691619f0e2390f325d0
SHA256 da97cda8e6bff96ace3fc48df5b1047f714b6b9c0d68f5579e10f0cfbc502b14
SHA512 a62706bc5b5d2100d49692e3d38e8627294243028e2de693a4fd634ed30cacf0198dbf74d4a54b45ab31d3950eb3714f4268c77a5d2281ad8133f9209bb9d4a8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe

MD5 087b781e036c5222168889e3aca7d65e
SHA1 2d9f47c1fa83e0b900ba612c215723d33079acbf
SHA256 13c9d76c85fcd338493c0b117a4ed10fc5b36713da125a0ac94aa210e85933d5
SHA512 88c5a12b2a678ffc5da43a7db25ba1bb3d3b7b55ba62ecaefe408a487f0f7fd3637423ad74b945237391dadcf3d16b10d1a580336a83d92d2b00170c99de7b42

memory/4716-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4716-40-0x0000000073630000-0x0000000073DE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe

MD5 829bb96e1aacdf0541355a3c118ddc9d
SHA1 9038c59b0f3567ab53af8668f365a7a7517a2a7c
SHA256 38b339582150123f7ebe82d5368c90681bcd8f9e178c0a87cebee162fc87ab9d
SHA512 9cc455c4e588e689b48ad9baa87b701cdc6c3a18e13710dc55fd085906e470a668d1cbfa7762ebfb6fbdb3da044a60f996f3c9b6789991ec731b68a852a1f5ba

memory/4432-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4432-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4432-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4432-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe

MD5 354776ebdcfcb8713d9ae6d3b1c4a282
SHA1 50060200b416cf425361255159bf2ecf91a0eea2
SHA256 d1af815003f65119691c2e8c1a35bdfdb063d96e841131bf885f513660e4d820
SHA512 beb6976b5626b7bbe020555f6066de31abd45c7dab1ce0f2858951e6c569d7b0f5e5b37a6ea3af97cf66c33f94adaea26de6852a20b9fcb3c609bb5b1813d37c

memory/1464-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1464-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7175829.exe

MD5 49c939d9da936f8e842492daeaf82ba0
SHA1 bd16905efd94a2e8e495810b6790ab1c0c677a4e
SHA256 7c146fe3bfa087fdea7c634b488118f432693aeaed6d6be20132c526f8c52642
SHA512 d9e6d25ff5ae236d1fdefcbf87e028b9d2aede2b4969cfa67a6fbd0d70aeab5277123389a82d7cb0126396b3edb1d853ff27ec47ab4db336a0ee1264ef2d9a31

memory/1224-58-0x0000000073630000-0x0000000073DE0000-memory.dmp

memory/1224-57-0x0000000000940000-0x0000000000970000-memory.dmp

memory/1224-59-0x00000000058A0000-0x0000000005EB8000-memory.dmp

memory/1224-60-0x0000000005390000-0x000000000549A000-memory.dmp

memory/1224-61-0x0000000005270000-0x0000000005280000-memory.dmp

memory/1224-62-0x00000000052D0000-0x00000000052E2000-memory.dmp

memory/1224-63-0x0000000005330000-0x000000000536C000-memory.dmp

memory/3244-64-0x0000000000400000-0x0000000000526000-memory.dmp

memory/3164-65-0x0000000001030000-0x0000000001046000-memory.dmp

memory/1464-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4716-69-0x0000000073630000-0x0000000073DE0000-memory.dmp

memory/4716-71-0x0000000073630000-0x0000000073DE0000-memory.dmp

memory/1224-72-0x0000000073630000-0x0000000073DE0000-memory.dmp

memory/1224-73-0x0000000005270000-0x0000000005280000-memory.dmp