Malware Analysis Report

2025-03-15 01:39

Sample ID 230910-pkep3sha6x
Target f1491f32887ea5bdd5684d67fbfd719c158ae247626e2f47989ce0d7822893fd
SHA256 f1491f32887ea5bdd5684d67fbfd719c158ae247626e2f47989ce0d7822893fd
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f1491f32887ea5bdd5684d67fbfd719c158ae247626e2f47989ce0d7822893fd

Threat Level: Known bad

The file f1491f32887ea5bdd5684d67fbfd719c158ae247626e2f47989ce0d7822893fd was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

SmokeLoader

RedLine

Detects Healer an antivirus disabler dropper

Healer

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 12:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 12:22

Reported

2023-09-10 12:25

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

148s

Command Line

C:\Windows\System32\svchost.exe -k netsvcs -p

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0DA70C95-A030-44CA-9189-6713533771C4}.catalogItem C:\Windows\System32\svchost.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\f1491f32887ea5bdd5684d67fbfd719c158ae247626e2f47989ce0d7822893fd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 2744 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe
PID 2744 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe
PID 4004 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe
PID 3556 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe
PID 756 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe
PID 4728 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 756 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe
PID 228 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3556 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe
PID 4884 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4004 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7175829.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\f1491f32887ea5bdd5684d67fbfd719c158ae247626e2f47989ce0d7822893fd.exe

"C:\Users\Admin\AppData\Local\Temp\f1491f32887ea5bdd5684d67fbfd719c158ae247626e2f47989ce0d7822893fd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2956 -ip 2956

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 240

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4316 -ip 4316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4884 -ip 4884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7175829.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7175829.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp

Files

memory/1864-7-0x0000000000400000-0x0000000000526000-memory.dmp

memory/1864-8-0x0000000000400000-0x0000000000526000-memory.dmp

memory/1864-9-0x0000000000400000-0x0000000000526000-memory.dmp

memory/1864-10-0x0000000000400000-0x0000000000526000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9454054.exe

MD5 c7d18ba7beade6ec24a9234099b0cdbc
SHA1 bdb3089c458d000885ccc8c0d69bfe17bc8621b3
SHA256 532e2d6917b9427b7c7d124aa3d0e9e51cd0342ed2ac09d6d348b62c4edc35a9
SHA512 f3b935097d408d188e4b15bdeef4036fa874124256a7bd361385e0c9d3cac337f11dae44a56f3e1d3b76aa69b564ba0e3f1013e23f429dfa89b929d6a085af1d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0271799.exe

MD5 89f91de931128d3084d9590cedb439e5
SHA1 381e0db4d235b28b11e10f9428f99fef96ec76e5
SHA256 f4e4b86575a880b4e49881ad5eb255b7a915ed18cbb6b714ff2bade61f1cfea4
SHA512 227bf203736514a8bbdf9f2483cf62180945a8c13e7c3ce9e4c599630e1252cb532ca5e20e6df49bada67e9b594fa67425fa8e09496072f6b6a7deea41517f96

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0248874.exe

MD5 0f0b43691a43eb1a69861af2274a2eeb
SHA1 eac838d63a24fe53c1a31f5d8c60d0c6c19805bf
SHA256 089ff2f44999982c79eb932a32857c3c51daf19743c17f3d9fa1ded19ce829c5
SHA512 888406719d9af7b4452e111f11723b2a44c4b0fb7e545609a1ac26b3e155e344b5676d73c3d38d65d7f757117e11124bc6cff02dc08b41d4b2e3957522c383e1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6897896.exe

MD5 d479e9e0927685283457e36d7caa6e4e
SHA1 bef8f7dcb412f975489c2691619f0e2390f325d0
SHA256 da97cda8e6bff96ace3fc48df5b1047f714b6b9c0d68f5579e10f0cfbc502b14
SHA512 a62706bc5b5d2100d49692e3d38e8627294243028e2de693a4fd634ed30cacf0198dbf74d4a54b45ab31d3950eb3714f4268c77a5d2281ad8133f9209bb9d4a8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1293998.exe

MD5 087b781e036c5222168889e3aca7d65e
SHA1 2d9f47c1fa83e0b900ba612c215723d33079acbf
SHA256 13c9d76c85fcd338493c0b117a4ed10fc5b36713da125a0ac94aa210e85933d5
SHA512 88c5a12b2a678ffc5da43a7db25ba1bb3d3b7b55ba62ecaefe408a487f0f7fd3637423ad74b945237391dadcf3d16b10d1a580336a83d92d2b00170c99de7b42

memory/3772-46-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3772-47-0x0000000073C80000-0x0000000074430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5644305.exe

MD5 829bb96e1aacdf0541355a3c118ddc9d
SHA1 9038c59b0f3567ab53af8668f365a7a7517a2a7c
SHA256 38b339582150123f7ebe82d5368c90681bcd8f9e178c0a87cebee162fc87ab9d
SHA512 9cc455c4e588e689b48ad9baa87b701cdc6c3a18e13710dc55fd085906e470a668d1cbfa7762ebfb6fbdb3da044a60f996f3c9b6789991ec731b68a852a1f5ba

memory/4316-51-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4316-52-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4316-53-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4316-55-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0324537.exe

MD5 354776ebdcfcb8713d9ae6d3b1c4a282
SHA1 50060200b416cf425361255159bf2ecf91a0eea2
SHA256 d1af815003f65119691c2e8c1a35bdfdb063d96e841131bf885f513660e4d820
SHA512 beb6976b5626b7bbe020555f6066de31abd45c7dab1ce0f2858951e6c569d7b0f5e5b37a6ea3af97cf66c33f94adaea26de6852a20b9fcb3c609bb5b1813d37c

memory/4424-59-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4424-60-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d7175829.exe

MD5 49c939d9da936f8e842492daeaf82ba0
SHA1 bd16905efd94a2e8e495810b6790ab1c0c677a4e
SHA256 7c146fe3bfa087fdea7c634b488118f432693aeaed6d6be20132c526f8c52642
SHA512 d9e6d25ff5ae236d1fdefcbf87e028b9d2aede2b4969cfa67a6fbd0d70aeab5277123389a82d7cb0126396b3edb1d853ff27ec47ab4db336a0ee1264ef2d9a31

memory/3080-64-0x0000000000EC0000-0x0000000000EF0000-memory.dmp

memory/3080-65-0x0000000073C80000-0x0000000074430000-memory.dmp

memory/3080-66-0x0000000005E50000-0x0000000006468000-memory.dmp

memory/3080-67-0x0000000005940000-0x0000000005A4A000-memory.dmp

memory/1864-68-0x0000000000400000-0x0000000000526000-memory.dmp

memory/3080-70-0x0000000005820000-0x0000000005830000-memory.dmp

memory/3080-69-0x0000000005850000-0x0000000005862000-memory.dmp

memory/3080-71-0x00000000058B0000-0x00000000058EC000-memory.dmp

memory/3284-72-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

memory/4424-74-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3772-76-0x0000000073C80000-0x0000000074430000-memory.dmp

memory/3772-78-0x0000000073C80000-0x0000000074430000-memory.dmp

memory/3080-79-0x0000000073C80000-0x0000000074430000-memory.dmp

memory/3080-80-0x0000000005820000-0x0000000005830000-memory.dmp