Analysis Overview
SHA256
258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08
Threat Level: Known bad
The file NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe was found to be: Known bad.
Malicious Activity Summary
Mystic
Detect Mystic stealer payload
RedLine
Modifies Windows Defender Real-time Protection settings
Amadey
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Windows security modification
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-06 21:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-06 21:11
Reported
2023-10-06 21:14
Platform
win7-20230831-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Amadey
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
Mystic
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
Loads dropped DLL
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
C:\Windows\system32\taskeng.exe
taskeng.exe {EC1FDBC5-1905-438E-BF66-CC2EA7447612} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
| MD5 | 1326d041aa44fb00fde0f3ff4b940252 |
| SHA1 | d1631b8b913884fba4fe1428bb42e1f9fedef1b9 |
| SHA256 | f508fa0df612f869a82986fe6cfb1d4962fd2beb5be340f2482619dc87450e10 |
| SHA512 | 56ae57520f07696edef963fc1fb7cedcd0579307594c9a22c7cc6285611b17b7aa0e03ceeddc63348742f9f060bb1488b1b9a9c9f996be37c778fd1daea45209 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
| MD5 | 1326d041aa44fb00fde0f3ff4b940252 |
| SHA1 | d1631b8b913884fba4fe1428bb42e1f9fedef1b9 |
| SHA256 | f508fa0df612f869a82986fe6cfb1d4962fd2beb5be340f2482619dc87450e10 |
| SHA512 | 56ae57520f07696edef963fc1fb7cedcd0579307594c9a22c7cc6285611b17b7aa0e03ceeddc63348742f9f060bb1488b1b9a9c9f996be37c778fd1daea45209 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
| MD5 | 1326d041aa44fb00fde0f3ff4b940252 |
| SHA1 | d1631b8b913884fba4fe1428bb42e1f9fedef1b9 |
| SHA256 | f508fa0df612f869a82986fe6cfb1d4962fd2beb5be340f2482619dc87450e10 |
| SHA512 | 56ae57520f07696edef963fc1fb7cedcd0579307594c9a22c7cc6285611b17b7aa0e03ceeddc63348742f9f060bb1488b1b9a9c9f996be37c778fd1daea45209 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
| MD5 | 1326d041aa44fb00fde0f3ff4b940252 |
| SHA1 | d1631b8b913884fba4fe1428bb42e1f9fedef1b9 |
| SHA256 | f508fa0df612f869a82986fe6cfb1d4962fd2beb5be340f2482619dc87450e10 |
| SHA512 | 56ae57520f07696edef963fc1fb7cedcd0579307594c9a22c7cc6285611b17b7aa0e03ceeddc63348742f9f060bb1488b1b9a9c9f996be37c778fd1daea45209 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
| MD5 | a93c5d287e56407996271af285f49574 |
| SHA1 | c3e663a3abe2fda35278c2978edf31ccc8ed8d73 |
| SHA256 | e826631141be2e88e3e3bc1f9da0243c1c76deff9004daf2411b8cc9e94ab706 |
| SHA512 | 8ed163005f78cd1c6bc539d6101a66aed0471bac210ee67b2f2c0f6d8555389bb99c127379d5c259bb3bc837d1b71b17962f14c0dea8e1e5cb776e56ec8af17f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
| MD5 | a93c5d287e56407996271af285f49574 |
| SHA1 | c3e663a3abe2fda35278c2978edf31ccc8ed8d73 |
| SHA256 | e826631141be2e88e3e3bc1f9da0243c1c76deff9004daf2411b8cc9e94ab706 |
| SHA512 | 8ed163005f78cd1c6bc539d6101a66aed0471bac210ee67b2f2c0f6d8555389bb99c127379d5c259bb3bc837d1b71b17962f14c0dea8e1e5cb776e56ec8af17f |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
| MD5 | a93c5d287e56407996271af285f49574 |
| SHA1 | c3e663a3abe2fda35278c2978edf31ccc8ed8d73 |
| SHA256 | e826631141be2e88e3e3bc1f9da0243c1c76deff9004daf2411b8cc9e94ab706 |
| SHA512 | 8ed163005f78cd1c6bc539d6101a66aed0471bac210ee67b2f2c0f6d8555389bb99c127379d5c259bb3bc837d1b71b17962f14c0dea8e1e5cb776e56ec8af17f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
| MD5 | a93c5d287e56407996271af285f49574 |
| SHA1 | c3e663a3abe2fda35278c2978edf31ccc8ed8d73 |
| SHA256 | e826631141be2e88e3e3bc1f9da0243c1c76deff9004daf2411b8cc9e94ab706 |
| SHA512 | 8ed163005f78cd1c6bc539d6101a66aed0471bac210ee67b2f2c0f6d8555389bb99c127379d5c259bb3bc837d1b71b17962f14c0dea8e1e5cb776e56ec8af17f |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
| MD5 | 6077cc199d4e2f9c86beec00e7bbb937 |
| SHA1 | c31c7d8aaa49b89f26e2082622dfedd1f2097334 |
| SHA256 | 9e785b5b370f382a4b06dd931f4d1c2e6a1eb2f333300cec612f44aa87f82194 |
| SHA512 | 6580e62a57493ea44c13be930f7053e173a7916c408368aa23a44568afd62b7231e1f91ca876c08f5ca7dd97918ba4955387fffc1eda89ea66aa243fe5ff16f6 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
| MD5 | 6077cc199d4e2f9c86beec00e7bbb937 |
| SHA1 | c31c7d8aaa49b89f26e2082622dfedd1f2097334 |
| SHA256 | 9e785b5b370f382a4b06dd931f4d1c2e6a1eb2f333300cec612f44aa87f82194 |
| SHA512 | 6580e62a57493ea44c13be930f7053e173a7916c408368aa23a44568afd62b7231e1f91ca876c08f5ca7dd97918ba4955387fffc1eda89ea66aa243fe5ff16f6 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
| MD5 | 6077cc199d4e2f9c86beec00e7bbb937 |
| SHA1 | c31c7d8aaa49b89f26e2082622dfedd1f2097334 |
| SHA256 | 9e785b5b370f382a4b06dd931f4d1c2e6a1eb2f333300cec612f44aa87f82194 |
| SHA512 | 6580e62a57493ea44c13be930f7053e173a7916c408368aa23a44568afd62b7231e1f91ca876c08f5ca7dd97918ba4955387fffc1eda89ea66aa243fe5ff16f6 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
| MD5 | 6077cc199d4e2f9c86beec00e7bbb937 |
| SHA1 | c31c7d8aaa49b89f26e2082622dfedd1f2097334 |
| SHA256 | 9e785b5b370f382a4b06dd931f4d1c2e6a1eb2f333300cec612f44aa87f82194 |
| SHA512 | 6580e62a57493ea44c13be930f7053e173a7916c408368aa23a44568afd62b7231e1f91ca876c08f5ca7dd97918ba4955387fffc1eda89ea66aa243fe5ff16f6 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
| MD5 | 3540d25b56177dda7adaed9c7c55419c |
| SHA1 | b60e9c97356d3f635fd27bcc661d47c3788fbdad |
| SHA256 | 2045406198370d0a3c9c86a1a00103b64f302dd67234ac5ee45334b27729c9ba |
| SHA512 | ddbf60f473c5a794c25857f416b5a06b78a2408982d15d457bbf7d8a8b4a9c0e7f0208412f2773bc4e765316ec48a6c17678638c179c7538c56f0a4ba49dcc9b |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
| MD5 | 3540d25b56177dda7adaed9c7c55419c |
| SHA1 | b60e9c97356d3f635fd27bcc661d47c3788fbdad |
| SHA256 | 2045406198370d0a3c9c86a1a00103b64f302dd67234ac5ee45334b27729c9ba |
| SHA512 | ddbf60f473c5a794c25857f416b5a06b78a2408982d15d457bbf7d8a8b4a9c0e7f0208412f2773bc4e765316ec48a6c17678638c179c7538c56f0a4ba49dcc9b |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
| MD5 | 3540d25b56177dda7adaed9c7c55419c |
| SHA1 | b60e9c97356d3f635fd27bcc661d47c3788fbdad |
| SHA256 | 2045406198370d0a3c9c86a1a00103b64f302dd67234ac5ee45334b27729c9ba |
| SHA512 | ddbf60f473c5a794c25857f416b5a06b78a2408982d15d457bbf7d8a8b4a9c0e7f0208412f2773bc4e765316ec48a6c17678638c179c7538c56f0a4ba49dcc9b |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
| MD5 | 3540d25b56177dda7adaed9c7c55419c |
| SHA1 | b60e9c97356d3f635fd27bcc661d47c3788fbdad |
| SHA256 | 2045406198370d0a3c9c86a1a00103b64f302dd67234ac5ee45334b27729c9ba |
| SHA512 | ddbf60f473c5a794c25857f416b5a06b78a2408982d15d457bbf7d8a8b4a9c0e7f0208412f2773bc4e765316ec48a6c17678638c179c7538c56f0a4ba49dcc9b |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
| MD5 | f2bf8b2fc3c72130ca7f9b4ef37d5401 |
| SHA1 | 250c988944513882c6420ed87b379e4e2ce8fad5 |
| SHA256 | 2137c61de9b15a3d865402abe0c04a4a2f5520b2311a35b8cf9b2b6d6c7bfb60 |
| SHA512 | f08d3896d327755ba61aa7e9e2af17a1d2a09ef58d0bf44093684304394aa0e994a5766620acb963964994f48d7148c60b98046106c9dd47b3a38d922af2a23c |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
| MD5 | f2bf8b2fc3c72130ca7f9b4ef37d5401 |
| SHA1 | 250c988944513882c6420ed87b379e4e2ce8fad5 |
| SHA256 | 2137c61de9b15a3d865402abe0c04a4a2f5520b2311a35b8cf9b2b6d6c7bfb60 |
| SHA512 | f08d3896d327755ba61aa7e9e2af17a1d2a09ef58d0bf44093684304394aa0e994a5766620acb963964994f48d7148c60b98046106c9dd47b3a38d922af2a23c |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
| MD5 | f2bf8b2fc3c72130ca7f9b4ef37d5401 |
| SHA1 | 250c988944513882c6420ed87b379e4e2ce8fad5 |
| SHA256 | 2137c61de9b15a3d865402abe0c04a4a2f5520b2311a35b8cf9b2b6d6c7bfb60 |
| SHA512 | f08d3896d327755ba61aa7e9e2af17a1d2a09ef58d0bf44093684304394aa0e994a5766620acb963964994f48d7148c60b98046106c9dd47b3a38d922af2a23c |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
| MD5 | f2bf8b2fc3c72130ca7f9b4ef37d5401 |
| SHA1 | 250c988944513882c6420ed87b379e4e2ce8fad5 |
| SHA256 | 2137c61de9b15a3d865402abe0c04a4a2f5520b2311a35b8cf9b2b6d6c7bfb60 |
| SHA512 | f08d3896d327755ba61aa7e9e2af17a1d2a09ef58d0bf44093684304394aa0e994a5766620acb963964994f48d7148c60b98046106c9dd47b3a38d922af2a23c |
memory/2548-50-0x00000000021E0000-0x00000000021FE000-memory.dmp
memory/2548-51-0x0000000002200000-0x000000000221C000-memory.dmp
memory/2548-52-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-53-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-55-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-57-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-59-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-61-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-63-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-65-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-67-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-69-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-71-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-73-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-75-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-77-0x0000000002200000-0x0000000002216000-memory.dmp
memory/2548-79-0x0000000002200000-0x0000000002216000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
| MD5 | 8544ec1985bb2c11609d3b9b1f3414ad |
| SHA1 | d9506ff660c9a34558fd5c1da6b2461a7d4d4a5f |
| SHA256 | a54bef2813593d07b788e735460dca3971ab41728f53eb59ae6dcebf4b4d50f5 |
| SHA512 | 3d490bbf813b6daaa4045cdc54cafe742eb67106ed92740669d6752972bba1297d84c60f5847e265d4202555a996757de91ae46b1dd936d5d5fd4245d5159716 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
| MD5 | 8544ec1985bb2c11609d3b9b1f3414ad |
| SHA1 | d9506ff660c9a34558fd5c1da6b2461a7d4d4a5f |
| SHA256 | a54bef2813593d07b788e735460dca3971ab41728f53eb59ae6dcebf4b4d50f5 |
| SHA512 | 3d490bbf813b6daaa4045cdc54cafe742eb67106ed92740669d6752972bba1297d84c60f5847e265d4202555a996757de91ae46b1dd936d5d5fd4245d5159716 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
| MD5 | 8544ec1985bb2c11609d3b9b1f3414ad |
| SHA1 | d9506ff660c9a34558fd5c1da6b2461a7d4d4a5f |
| SHA256 | a54bef2813593d07b788e735460dca3971ab41728f53eb59ae6dcebf4b4d50f5 |
| SHA512 | 3d490bbf813b6daaa4045cdc54cafe742eb67106ed92740669d6752972bba1297d84c60f5847e265d4202555a996757de91ae46b1dd936d5d5fd4245d5159716 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
| MD5 | 8544ec1985bb2c11609d3b9b1f3414ad |
| SHA1 | d9506ff660c9a34558fd5c1da6b2461a7d4d4a5f |
| SHA256 | a54bef2813593d07b788e735460dca3971ab41728f53eb59ae6dcebf4b4d50f5 |
| SHA512 | 3d490bbf813b6daaa4045cdc54cafe742eb67106ed92740669d6752972bba1297d84c60f5847e265d4202555a996757de91ae46b1dd936d5d5fd4245d5159716 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe
| MD5 | a2ebe50025245ba272e63bac2641825c |
| SHA1 | 9d129602dc760a2adf6a91295a6e3c02d197256c |
| SHA256 | 487b8a42566ff95216432dcfb2ad04d0162882813f772bf3d7446e11573654b4 |
| SHA512 | f730d24b72c1145a7880dd410023efae573a052720b7c7c3eebf9cc96c48ac5e9bd99a98bfd7f8a7233e17ee316e8b242ac217cc272230915957d5792150ab8b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe
| MD5 | a2ebe50025245ba272e63bac2641825c |
| SHA1 | 9d129602dc760a2adf6a91295a6e3c02d197256c |
| SHA256 | 487b8a42566ff95216432dcfb2ad04d0162882813f772bf3d7446e11573654b4 |
| SHA512 | f730d24b72c1145a7880dd410023efae573a052720b7c7c3eebf9cc96c48ac5e9bd99a98bfd7f8a7233e17ee316e8b242ac217cc272230915957d5792150ab8b |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe
| MD5 | a2ebe50025245ba272e63bac2641825c |
| SHA1 | 9d129602dc760a2adf6a91295a6e3c02d197256c |
| SHA256 | 487b8a42566ff95216432dcfb2ad04d0162882813f772bf3d7446e11573654b4 |
| SHA512 | f730d24b72c1145a7880dd410023efae573a052720b7c7c3eebf9cc96c48ac5e9bd99a98bfd7f8a7233e17ee316e8b242ac217cc272230915957d5792150ab8b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe
| MD5 | a2ebe50025245ba272e63bac2641825c |
| SHA1 | 9d129602dc760a2adf6a91295a6e3c02d197256c |
| SHA256 | 487b8a42566ff95216432dcfb2ad04d0162882813f772bf3d7446e11573654b4 |
| SHA512 | f730d24b72c1145a7880dd410023efae573a052720b7c7c3eebf9cc96c48ac5e9bd99a98bfd7f8a7233e17ee316e8b242ac217cc272230915957d5792150ab8b |
memory/1944-107-0x00000000010F0000-0x0000000001120000-memory.dmp
memory/1944-108-0x0000000000260000-0x0000000000266000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-06 21:11
Reported
2023-10-06 21:14
Platform
win10v2004-20230915-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Amadey
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
Mystic
RedLine
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.258b62fe19f6ff10c41b068db793e214a242a7e1aa19424333e79e0981cdaf08_JC.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| FI | 77.91.68.18:80 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2185290.exe
| MD5 | 1326d041aa44fb00fde0f3ff4b940252 |
| SHA1 | d1631b8b913884fba4fe1428bb42e1f9fedef1b9 |
| SHA256 | f508fa0df612f869a82986fe6cfb1d4962fd2beb5be340f2482619dc87450e10 |
| SHA512 | 56ae57520f07696edef963fc1fb7cedcd0579307594c9a22c7cc6285611b17b7aa0e03ceeddc63348742f9f060bb1488b1b9a9c9f996be37c778fd1daea45209 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7490078.exe
| MD5 | a93c5d287e56407996271af285f49574 |
| SHA1 | c3e663a3abe2fda35278c2978edf31ccc8ed8d73 |
| SHA256 | e826631141be2e88e3e3bc1f9da0243c1c76deff9004daf2411b8cc9e94ab706 |
| SHA512 | 8ed163005f78cd1c6bc539d6101a66aed0471bac210ee67b2f2c0f6d8555389bb99c127379d5c259bb3bc837d1b71b17962f14c0dea8e1e5cb776e56ec8af17f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4280418.exe
| MD5 | 6077cc199d4e2f9c86beec00e7bbb937 |
| SHA1 | c31c7d8aaa49b89f26e2082622dfedd1f2097334 |
| SHA256 | 9e785b5b370f382a4b06dd931f4d1c2e6a1eb2f333300cec612f44aa87f82194 |
| SHA512 | 6580e62a57493ea44c13be930f7053e173a7916c408368aa23a44568afd62b7231e1f91ca876c08f5ca7dd97918ba4955387fffc1eda89ea66aa243fe5ff16f6 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3187353.exe
| MD5 | 3540d25b56177dda7adaed9c7c55419c |
| SHA1 | b60e9c97356d3f635fd27bcc661d47c3788fbdad |
| SHA256 | 2045406198370d0a3c9c86a1a00103b64f302dd67234ac5ee45334b27729c9ba |
| SHA512 | ddbf60f473c5a794c25857f416b5a06b78a2408982d15d457bbf7d8a8b4a9c0e7f0208412f2773bc4e765316ec48a6c17678638c179c7538c56f0a4ba49dcc9b |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4633585.exe
| MD5 | f2bf8b2fc3c72130ca7f9b4ef37d5401 |
| SHA1 | 250c988944513882c6420ed87b379e4e2ce8fad5 |
| SHA256 | 2137c61de9b15a3d865402abe0c04a4a2f5520b2311a35b8cf9b2b6d6c7bfb60 |
| SHA512 | f08d3896d327755ba61aa7e9e2af17a1d2a09ef58d0bf44093684304394aa0e994a5766620acb963964994f48d7148c60b98046106c9dd47b3a38d922af2a23c |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2695908.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | c8b21016e82105351dbd7846b1f35439 |
| SHA1 | 1e62b54e8bb9e91c9c7ff41c1e38d3c4a5ed2618 |
| SHA256 | cd80d4fbaa997cb6cbed5cc7f7adb0ca7a5cb6301b395c9ceecf78794e745d36 |
| SHA512 | 2d98369ca544cf4c1857f495f11ff5d9e8959d67c6f7629c18f6e348dfa4883b9cf4cd114ec1ddcc21a5b5d636fd98ca146740b2196c849fead27f6aaf8b7f25 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0524203.exe
| MD5 | 8544ec1985bb2c11609d3b9b1f3414ad |
| SHA1 | d9506ff660c9a34558fd5c1da6b2461a7d4d4a5f |
| SHA256 | a54bef2813593d07b788e735460dca3971ab41728f53eb59ae6dcebf4b4d50f5 |
| SHA512 | 3d490bbf813b6daaa4045cdc54cafe742eb67106ed92740669d6752972bba1297d84c60f5847e265d4202555a996757de91ae46b1dd936d5d5fd4245d5159716 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d6884578.exe
| MD5 | a2ebe50025245ba272e63bac2641825c |
| SHA1 | 9d129602dc760a2adf6a91295a6e3c02d197256c |
| SHA256 | 487b8a42566ff95216432dcfb2ad04d0162882813f772bf3d7446e11573654b4 |
| SHA512 | f730d24b72c1145a7880dd410023efae573a052720b7c7c3eebf9cc96c48ac5e9bd99a98bfd7f8a7233e17ee316e8b242ac217cc272230915957d5792150ab8b |