Malware Analysis Report

2025-08-11 01:11

Sample ID 231006-z1sxraga8y
Target NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe
SHA256 258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08
Tags
amadey mystic redline narik evasion infostealer persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08

Threat Level: Known bad

The file NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey mystic redline narik evasion infostealer persistence stealer trojan

Mystic

Detect Mystic stealer payload

RedLine

Modifies Windows Defender Real-time Protection settings

Amadey

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-06 21:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-06 21:11

Reported

2023-10-06 21:14

Platform

win7-20230831-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
PID 2384 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
PID 2672 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
PID 2676 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
PID 2532 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
PID 2532 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
PID 1760 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
PID 2676 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
PID 2988 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "saves.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "saves.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\b40d11255d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\b40d11255d" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {EC1FDBC5-1905-438E-BF66-CC2EA7447612} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Network

Country Destination Domain Proto
FI 77.91.68.18:80 tcp
FI 77.91.124.82:19071 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe

MD5 1326d041aa44fb00fde0f3ff4b940252
SHA1 d1631b8b913884fba4fe1428bb42e1f9fedef1b9
SHA256 f508fa0df612f869a82986fe6cfb1d4962fd2beb5be340f2482619dc87450e10
SHA512 56ae57520f07696edef963fc1fb7cedcd0579307594c9a22c7cc6285611b17b7aa0e03ceeddc63348742f9f060bb1488b1b9a9c9f996be37c778fd1daea45209

\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe

MD5 a93c5d287e56407996271af285f49574
SHA1 c3e663a3abe2fda35278c2978edf31ccc8ed8d73
SHA256 e826631141be2e88e3e3bc1f9da0243c1c76deff9004daf2411b8cc9e94ab706
SHA512 8ed163005f78cd1c6bc539d6101a66aed0471bac210ee67b2f2c0f6d8555389bb99c127379d5c259bb3bc837d1b71b17962f14c0dea8e1e5cb776e56ec8af17f

\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe

MD5 6077cc199d4e2f9c86beec00e7bbb937
SHA1 c31c7d8aaa49b89f26e2082622dfedd1f2097334
SHA256 9e785b5b370f382a4b06dd931f4d1c2e6a1eb2f333300cec612f44aa87f82194
SHA512 6580e62a57493ea44c13be930f7053e173a7916c408368aa23a44568afd62b7231e1f91ca876c08f5ca7dd97918ba4955387fffc1eda89ea66aa243fe5ff16f6

\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe

MD5 3540d25b56177dda7adaed9c7c55419c
SHA1 b60e9c97356d3f635fd27bcc661d47c3788fbdad
SHA256 2045406198370d0a3c9c86a1a00103b64f302dd67234ac5ee45334b27729c9ba
SHA512 ddbf60f473c5a794c25857f416b5a06b78a2408982d15d457bbf7d8a8b4a9c0e7f0208412f2773bc4e765316ec48a6c17678638c179c7538c56f0a4ba49dcc9b

\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe

MD5 f2bf8b2fc3c72130ca7f9b4ef37d5401
SHA1 250c988944513882c6420ed87b379e4e2ce8fad5
SHA256 2137c61de9b15a3d865402abe0c04a4a2f5520b2311a35b8cf9b2b6d6c7bfb60
SHA512 f08d3896d327755ba61aa7e9e2af17a1d2a09ef58d0bf44093684304394aa0e994a5766620acb963964994f48d7148c60b98046106c9dd47b3a38d922af2a23c

\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe

MD5 c8b21016e82105351dbd7846b1f35439
SHA1 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618
SHA256 cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36
SHA512 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 c8b21016e82105351dbd7846b1f35439
SHA1 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618
SHA256 cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36
SHA512 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe

MD5 8544ec1985bb2c11609d3b9b1f3414ad
SHA1 d9506ff660c9a34558fd5c1da6b2461a7d4d4a5f
SHA256 a54bef2813593d07b788e735460dca3971ab41728f53eb59ae6dcebf4b4d50f5
SHA512 3d490bbf813b6daaa4045cdc54cafe742eb67106ed92740669d6752972bba1297d84c60f5847e265d4202555a996757de91ae46b1dd936d5d5fd4245d5159716

\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe

MD5 a2ebe50025245ba272e63bac2641825c
SHA1 9d129602dc760a2adf6a91295a6e3c02d197256c
SHA256 487b8a42566ff95216432dcfb2ad04d0162882813f772bf3d7446e11573654b4
SHA512 f730d24b72c1145a7880dd410023efae573a052720b7c7c3eebf9cc96c48ac5e9bd99a98bfd7f8a7233e17ee316e8b242ac217cc272230915957d5792150ab8b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe

MD5 a2ebe50025245ba272e63bac2641825c
SHA1 9d129602dc760a2adf6a91295a6e3c02d197256c
SHA256 487b8a42566ff95216432dcfb2ad04d0162882813f772bf3d7446e11573654b4
SHA512 f730d24b72c1145a7880dd410023efae573a052720b7c7c3eebf9cc96c48ac5e9bd99a98bfd7f8a7233e17ee316e8b242ac217cc272230915957d5792150ab8b

\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe

MD5 a2ebe50025245ba272e63bac2641825c
SHA1 9d129602dc760a2adf6a91295a6e3c02d197256c
SHA256 487b8a42566ff95216432dcfb2ad04d0162882813f772bf3d7446e11573654b4
SHA512 f730d24b72c1145a7880dd410023efae573a052720b7c7c3eebf9cc96c48ac5e9bd99a98bfd7f8a7233e17ee316e8b242ac217cc272230915957d5792150ab8b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe

MD5 a2ebe50025245ba272e63bac2641825c
SHA1 9d129602dc760a2adf6a91295a6e3c02d197256c
SHA256 487b8a42566ff95216432dcfb2ad04d0162882813f772bf3d7446e11573654b4
SHA512 f730d24b72c1145a7880dd410023efae573a052720b7c7c3eebf9cc96c48ac5e9bd99a98bfd7f8a7233e17ee316e8b242ac217cc272230915957d5792150ab8b

memory/1944-107-0x00000000010F0000-0x0000000001120000-memory.dmp

memory/1944-108-0x0000000000260000-0x0000000000266000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 c8b21016e82105351dbd7846b1f35439
SHA1 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618
SHA256 cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36
SHA512 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-06 21:11

Reported

2023-10-06 21:14

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
PID 4788 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
PID 1988 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
PID 3728 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
PID 4172 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
PID 4172 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
PID 3388 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
PID 3728 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
PID 1988 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe
PID 4428 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe C:\Windows\SysWOW64\schtasks.exe
PID 4428 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 4120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2220 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "saves.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "saves.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\b40d11255d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\b40d11255d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.68.18:80 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.68.18:80 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.18:80 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe

MD5 1326d041aa44fb00fde0f3ff4b940252
SHA1 d1631b8b913884fba4fe1428bb42e1f9fedef1b9
SHA256 f508fa0df612f869a82986fe6cfb1d4962fd2beb5be340f2482619dc87450e10
SHA512 56ae57520f07696edef963fc1fb7cedcd0579307594c9a22c7cc6285611b17b7aa0e03ceeddc63348742f9f060bb1488b1b9a9c9f996be37c778fd1daea45209

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe

MD5 a93c5d287e56407996271af285f49574
SHA1 c3e663a3abe2fda35278c2978edf31ccc8ed8d73
SHA256 e826631141be2e88e3e3bc1f9da0243c1c76deff9004daf2411b8cc9e94ab706
SHA512 8ed163005f78cd1c6bc539d6101a66aed0471bac210ee67b2f2c0f6d8555389bb99c127379d5c259bb3bc837d1b71b17962f14c0dea8e1e5cb776e56ec8af17f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe

MD5 6077cc199d4e2f9c86beec00e7bbb937
SHA1 c31c7d8aaa49b89f26e2082622dfedd1f2097334
SHA256 9e785b5b370f382a4b06dd931f4d1c2e6a1eb2f333300cec612f44aa87f82194
SHA512 6580e62a57493ea44c13be930f7053e173a7916c408368aa23a44568afd62b7231e1f91ca876c08f5ca7dd97918ba4955387fffc1eda89ea66aa243fe5ff16f6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe

MD5 3540d25b56177dda7adaed9c7c55419c
SHA1 b60e9c97356d3f635fd27bcc661d47c3788fbdad
SHA256 2045406198370d0a3c9c86a1a00103b64f302dd67234ac5ee45334b27729c9ba
SHA512 ddbf60f473c5a794c25857f416b5a06b78a2408982d15d457bbf7d8a8b4a9c0e7f0208412f2773bc4e765316ec48a6c17678638c179c7538c56f0a4ba49dcc9b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe

MD5 f2bf8b2fc3c72130ca7f9b4ef37d5401
SHA1 250c988944513882c6420ed87b379e4e2ce8fad5
SHA256 2137c61de9b15a3d865402abe0c04a4a2f5520b2311a35b8cf9b2b6d6c7bfb60
SHA512 f08d3896d327755ba61aa7e9e2af17a1d2a09ef58d0bf44093684304394aa0e994a5766620acb963964994f48d7148c60b98046106c9dd47b3a38d922af2a23c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe

MD5 c8b21016e82105351dbd7846b1f35439
SHA1 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618
SHA256 cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36
SHA512 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 c8b21016e82105351dbd7846b1f35439
SHA1 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618
SHA256 cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36
SHA512 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe

MD5 8544ec1985bb2c11609d3b9b1f3414ad
SHA1 d9506ff660c9a34558fd5c1da6b2461a7d4d4a5f
SHA256 a54bef2813593d07b788e735460dca3971ab41728f53eb59ae6dcebf4b4d50f5
SHA512 3d490bbf813b6daaa4045cdc54cafe742eb67106ed92740669d6752972bba1297d84c60f5847e265d4202555a996757de91ae46b1dd936d5d5fd4245d5159716

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe

MD5 a2ebe50025245ba272e63bac2641825c
SHA1 9d129602dc760a2adf6a91295a6e3c02d197256c
SHA256 487b8a42566ff95216432dcfb2ad04d0162882813f772bf3d7446e11573654b4
SHA512 f730d24b72c1145a7880dd410023efae573a052720b7c7c3eebf9cc96c48ac5e9bd99a98bfd7f8a7233e17ee316e8b242ac217cc272230915957d5792150ab8b
