Analysis Overview
SHA256
22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3
Threat Level: Known bad
The file NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe was found to be: Known bad.
Malicious Activity Summary
Detect Mystic stealer payload
Mystic
RedLine
Amadey
Modifies Windows Defender Real-time Protection settings
Windows security modification
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-06 21:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-06 21:08
Reported
2023-10-06 21:11
Platform
win7-20230831-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
Mystic
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
Loads dropped DLL
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
C:\Windows\system32\taskeng.exe
taskeng.exe {C271003E-9C68-46AD-BFA8-B1BB1B70AC1F} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
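The signatures and process tree above give a compact picture of what this sample does on a host: a chain of nested self-extractors (IXP000.TMP through IXP004.TMP), a9245948.exe turning off Defender real-time protection and Tamper Protection through the registry, a scheduled task that relaunches the dropped saves.exe from %TEMP% every minute, and a CACLS sequence that leaves saves.exe and its folder read-only for the interactive user so the payload cannot simply be deleted. One caveat a reader should keep in mind: the five RunOnce entries listed under "Adds Run key to start application" are wextract_cleanupN values that call advpack.dll,DelNodeRunDLL32 on the IXP00N.TMP folders, which is the IExpress self-extractor removing its own temporary directories at next logon, not a persistence mechanism; the persistence in this run is the schtasks task. The following detection logic, written here as an added example and not part of the sandbox report or its vendor's tooling, encodes those observations as rules and runs them over events constructed from the rows of both detonations (the win7 run writes the native policy key, the win10 run the WOW6432Node-redirected one, so the key normalizer treats both as the same key). The event field names (kind, indicator, process, image, cmdline) are an assumed, Sysmon-like shape, and the registry data is written with the single backslashes the registry actually holds rather than the doubled form the report prints.

```python
"""Detection rules for the indicators listed in this report.

Added example, not sandbox output. SAMPLE_EVENTS is constructed from the
registry writes and command lines in the behavioral1/behavioral2 runs; the
event shape (kind/indicator/process or kind/image/cmdline) is assumed.
"""
import re
from dataclasses import dataclass

RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}


@dataclass
class Finding:
    rule: str
    severity: str
    process: str
    detail: str


def normalize_key(path: str) -> str:
    """NT path -> HKLM\\..., minus WOW6432Node, so the native key written on the
    win7 run and the redirected key written by the 32-bit process on the win10
    run compare equal."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", key, flags=re.I)


def split_value(indicator: str):
    """Split 'KEY\\Name = "data"' as printed in the report into (key, name, data).
    'Key created' rows have no '= "..."' part and yield None."""
    m = re.match(r'^(.*)\\([^\\]+) = "(.*)"$', indicator)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def check_registry(indicator: str, process: str):
    parsed = split_value(indicator)
    if not parsed:
        return None
    key, name, data = parsed
    key = normalize_key(key).lower()
    if key == RTP_POLICY_KEY.lower() and name in RTP_DISABLE_VALUES and data == "1":
        return Finding("defender_rtp_policy_disabled", "high", process, f"{name}=1")
    if key == FEATURES_KEY.lower() and name == "TamperProtection" and data == "0":
        return Finding("defender_tamper_protection_off", "high", process, "TamperProtection=0")
    # wextract_cleanupN + advpack!DelNodeRunDLL32: the IExpress SFX deleting its own
    # IXP00N.TMP folder at next logon. Evidence of nested SFX packaging, not persistence.
    if key.endswith(r"\currentversion\runonce") and name.startswith("wextract_cleanup") \
            and "DelNodeRunDLL32" in data:
        return Finding("iexpress_sfx_cleanup", "info", process, f"{name}: {data}")
    return None


def check_process(image: str, cmdline: str):
    img = image.lower()
    if img.endswith("\\schtasks.exe") and re.search(r"/create\b", cmdline, re.I):
        sc = re.search(r"/SC\s+(\w+)", cmdline, re.I)
        mo = re.search(r"/MO\s+(\d+)", cmdline, re.I)
        tn = re.search(r"/TN\s+(\S+)", cmdline, re.I)
        tr = re.search(r'/TR\s+"([^"]+)"', cmdline, re.I)
        # A task that relaunches a binary from %TEMP% on a minute schedule is the
        # persistence in this sample (saves.exe under b40d11255d).
        if sc and tr and re.search(r"\\AppData\\Local\\Temp\\", tr.group(1), re.I):
            every = f"{mo.group(1) if mo else '1'} {sc.group(1).lower()}"
            task = tn.group(1) if tn else "?"
            return Finding("schtasks_temp_persistence", "high", image,
                           f"task {task} runs {tr.group(1)} every {every}")
    if img.endswith("\\cacls.exe"):
        # 'CACLS <file> /P user:N' then '/P user:R /E' leaves the dropped file and its
        # folder read-only for the interactive user, so it cannot delete the payload.
        m = re.search(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', cmdline, re.I)
        if m:
            return Finding("cacls_self_lock", "medium", image,
                           f"{m.group(2)} locked out of {m.group(1)}")
    return None


def triage(events):
    findings = []
    for ev in events:
        f = (check_registry(ev["indicator"], ev["process"]) if ev["kind"] == "reg"
             else check_process(ev["image"], ev["cmdline"]))
        if f:
            findings.append(f)
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


A9 = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe"
SAMPLE_EVENTS = [  # constructed from the report rows, not captured telemetry
    {"kind": "reg", "process": A9, "indicator":
     r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"'},
    {"kind": "reg", "process": A9, "indicator":
     r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"'},
    {"kind": "reg", "process": A9, "indicator": r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features'},
    {"kind": "reg", "process": A9, "indicator":
     r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"'},
    {"kind": "reg", "process": r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe", "indicator":
     r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\""'},
    {"kind": "proc", "image": r"C:\Windows\SysWOW64\schtasks.exe", "cmdline":
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F'},
    {"kind": "proc", "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "saves.exe" /P "Admin:N"'},
    {"kind": "proc", "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "saves.exe" /P "Admin:R" /E'},
    {"kind": "proc", "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

On a live host the same rules would be fed from Sysmon Event ID 13 (registry value set) and Event ID 1 (process create); the `key created` row and the second CACLS call (`:R /E`) deliberately produce no finding, since the first is only a key creation and the lock is already recorded from the `:N` call that precedes it.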
Network
| Country | Destination | Domain | Proto |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
| MD5 | dbba888150db2bb4a7b3892f0c2aab6e |
| SHA1 | 8fc323a19c8281fc99e5445f271dbe02a3ebd7f0 |
| SHA256 | 313f81ade73bce713b617b2d27636a87a1579663f3b9f9e75220d37d620550d2 |
| SHA512 | 4aa9c1b5d3332ca0704ccfa3e60fd0a5a28c217df9456085f46d419b5775aa1a3712ad5351b72d58a482e17849334539061ce3064c09d6c13449b1ff37f624d9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
| MD5 | dbba888150db2bb4a7b3892f0c2aab6e |
| SHA1 | 8fc323a19c8281fc99e5445f271dbe02a3ebd7f0 |
| SHA256 | 313f81ade73bce713b617b2d27636a87a1579663f3b9f9e75220d37d620550d2 |
| SHA512 | 4aa9c1b5d3332ca0704ccfa3e60fd0a5a28c217df9456085f46d419b5775aa1a3712ad5351b72d58a482e17849334539061ce3064c09d6c13449b1ff37f624d9 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
| MD5 | e839f87fd3f5e5a6df6091450221883b |
| SHA1 | 0a9e64a9da8656af2283d7a5a60b358f5a0acbeb |
| SHA256 | 88fdcf0ec725ee01e48a54088d50ed6280cf7cd89681478d2f5a00595dd03278 |
| SHA512 | bc0610a2e7544d583dc9b4518b25c34abfa7ae1891fe732d998f5c23c718a6465e838cce26a407618fb79d37f83167f5ffe1d38822559ffe2227b010a6ff9464 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
| MD5 | e839f87fd3f5e5a6df6091450221883b |
| SHA1 | 0a9e64a9da8656af2283d7a5a60b358f5a0acbeb |
| SHA256 | 88fdcf0ec725ee01e48a54088d50ed6280cf7cd89681478d2f5a00595dd03278 |
| SHA512 | bc0610a2e7544d583dc9b4518b25c34abfa7ae1891fe732d998f5c23c718a6465e838cce26a407618fb79d37f83167f5ffe1d38822559ffe2227b010a6ff9464 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
| MD5 | 63bc13e574cfeb9622e34aad7c559d5f |
| SHA1 | 8fe8c12f3f78da28457caaa10dd20479ea0e78df |
| SHA256 | b18a97ed0ba822f7bfbca44a65f13bcd6280455d74bbf2dda9c0b7f56b08a60e |
| SHA512 | 069adc723237599442cd30f85724deaf54ade5782dfbef0b31e05812777dc8d16b1deb849b6cdd05d5ea91e21636d65a1bada60080282f56b3a44913aec16a31 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
| MD5 | 63bc13e574cfeb9622e34aad7c559d5f |
| SHA1 | 8fe8c12f3f78da28457caaa10dd20479ea0e78df |
| SHA256 | b18a97ed0ba822f7bfbca44a65f13bcd6280455d74bbf2dda9c0b7f56b08a60e |
| SHA512 | 069adc723237599442cd30f85724deaf54ade5782dfbef0b31e05812777dc8d16b1deb849b6cdd05d5ea91e21636d65a1bada60080282f56b3a44913aec16a31 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
| MD5 | 146989df77714912f43d481988710f13 |
| SHA1 | 1bcdcf2d08e9b5aed33fe500b03d1650496d608c |
| SHA256 | 50552e4d14efbc039fa6b5fe6656e204ab3892b00c2a00c641696063daeeb68c |
| SHA512 | 7f6b7a5fc1733e401608d957f00fae19a8fb4c7a6820c5fc7da542635a614522719a4e6fbdeedc13d55d8ce56cde22ebadde0ffba7eb28b46d7ac2d3ca4ada93 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
| MD5 | 146989df77714912f43d481988710f13 |
| SHA1 | 1bcdcf2d08e9b5aed33fe500b03d1650496d608c |
| SHA256 | 50552e4d14efbc039fa6b5fe6656e204ab3892b00c2a00c641696063daeeb68c |
| SHA512 | 7f6b7a5fc1733e401608d957f00fae19a8fb4c7a6820c5fc7da542635a614522719a4e6fbdeedc13d55d8ce56cde22ebadde0ffba7eb28b46d7ac2d3ca4ada93 |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
| MD5 | 9c6be8c3e7ba9cb9317436fbeffd6a27 |
| SHA1 | 729d6a3ad58bcf305f01123f4cefe42106a7ef40 |
| SHA256 | 19a441c13c1ca39d48065284b37e867582402fe29db28a1d3cd10565b8073035 |
| SHA512 | cb74a124312172719451678bab57b1d417b7110d6238177cbc01d6fb9ed7ad0bb8976a0a0a311a5f7321f5adcb4e35661f7d4452d9cf48bde3d316492e4c84b5 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
| MD5 | 9c6be8c3e7ba9cb9317436fbeffd6a27 |
| SHA1 | 729d6a3ad58bcf305f01123f4cefe42106a7ef40 |
| SHA256 | 19a441c13c1ca39d48065284b37e867582402fe29db28a1d3cd10565b8073035 |
| SHA512 | cb74a124312172719451678bab57b1d417b7110d6238177cbc01d6fb9ed7ad0bb8976a0a0a311a5f7321f5adcb4e35661f7d4452d9cf48bde3d316492e4c84b5 |
memory/2624-50-0x00000000003D0000-0x00000000003EE000-memory.dmp
memory/2624-51-0x0000000000540000-0x000000000055C000-memory.dmp
memory/2624-52-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-53-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-55-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-57-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-59-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-61-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-63-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-65-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-67-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-69-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-71-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-73-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-75-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-77-0x0000000000540000-0x0000000000556000-memory.dmp
memory/2624-79-0x0000000000540000-0x0000000000556000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
| MD5 | 252e0dbbc9cad09238b4393b98c6dad5 |
| SHA1 | 22878b8de1eac378a8b10d5076dff6ca6240d100 |
| SHA256 | b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb |
| SHA512 | d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
| MD5 | 252e0dbbc9cad09238b4393b98c6dad5 |
| SHA1 | 22878b8de1eac378a8b10d5076dff6ca6240d100 |
| SHA256 | b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb |
| SHA512 | d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296 |
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | 252e0dbbc9cad09238b4393b98c6dad5 |
| SHA1 | 22878b8de1eac378a8b10d5076dff6ca6240d100 |
| SHA256 | b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb |
| SHA512 | d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296 |
\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | 252e0dbbc9cad09238b4393b98c6dad5 |
| SHA1 | 22878b8de1eac378a8b10d5076dff6ca6240d100 |
| SHA256 | b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb |
| SHA512 | d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
| MD5 | ffbf7f9ca30baf18f24f8134b2f9c0b6 |
| SHA1 | c2c058c8e9be043a0f51f6aa933b12b86b9f8f72 |
| SHA256 | cad1192638fe3e319e964f89ca363c1b99387e5f2fc5607528b73cfcefc05425 |
| SHA512 | 090f9ee4c0f8c727906b610236d1549b437c89445fea389a4bd11b9ca112bb88e74b5220ecc506077eee6c5c99963793f6694de20cb5b4228b024df409fbd507 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
| MD5 | ffbf7f9ca30baf18f24f8134b2f9c0b6 |
| SHA1 | c2c058c8e9be043a0f51f6aa933b12b86b9f8f72 |
| SHA256 | cad1192638fe3e319e964f89ca363c1b99387e5f2fc5607528b73cfcefc05425 |
| SHA512 | 090f9ee4c0f8c727906b610236d1549b437c89445fea389a4bd11b9ca112bb88e74b5220ecc506077eee6c5c99963793f6694de20cb5b4228b024df409fbd507 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
| MD5 | b262404fe9049079c2e05db9b17079fe |
| SHA1 | b1092a6ab4c9b6800c2417780e53d23580f63870 |
| SHA256 | 5a26674c67a8fd5a8eb35a7a84b486f533fb9527b9470da6713365a79d74cb46 |
| SHA512 | 4b3c83b5d9dfbad5d6a18c514e0a4cd54176582c46f3a653f6460a1172fb5919f36229cb7d06a63874ddc6df10f0267e279287344f06b8cc5163a7b5f34425e4 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
| MD5 | b262404fe9049079c2e05db9b17079fe |
| SHA1 | b1092a6ab4c9b6800c2417780e53d23580f63870 |
| SHA256 | 5a26674c67a8fd5a8eb35a7a84b486f533fb9527b9470da6713365a79d74cb46 |
| SHA512 | 4b3c83b5d9dfbad5d6a18c514e0a4cd54176582c46f3a653f6460a1172fb5919f36229cb7d06a63874ddc6df10f0267e279287344f06b8cc5163a7b5f34425e4 |
memory/2892-107-0x0000000001060000-0x0000000001090000-memory.dmp
memory/2892-108-0x0000000000600000-0x0000000000606000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-06 21:08
Reported
2023-10-06 21:11
Platform
win10v2004-20230915-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Amadey
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
Mystic
RedLine
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.68.18:80 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
| MD5 | dbba888150db2bb4a7b3892f0c2aab6e |
| SHA1 | 8fc323a19c8281fc99e5445f271dbe02a3ebd7f0 |
| SHA256 | 313f81ade73bce713b617b2d27636a87a1579663f3b9f9e75220d37d620550d2 |
| SHA512 | 4aa9c1b5d3332ca0704ccfa3e60fd0a5a28c217df9456085f46d419b5775aa1a3712ad5351b72d58a482e17849334539061ce3064c09d6c13449b1ff37f624d9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
| MD5 | e839f87fd3f5e5a6df6091450221883b |
| SHA1 | 0a9e64a9da8656af2283d7a5a60b358f5a0acbeb |
| SHA256 | 88fdcf0ec725ee01e48a54088d50ed6280cf7cd89681478d2f5a00595dd03278 |
| SHA512 | bc0610a2e7544d583dc9b4518b25c34abfa7ae1891fe732d998f5c23c718a6465e838cce26a407618fb79d37f83167f5ffe1d38822559ffe2227b010a6ff9464 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
| MD5 | 63bc13e574cfeb9622e34aad7c559d5f |
| SHA1 | 8fe8c12f3f78da28457caaa10dd20479ea0e78df |
| SHA256 | b18a97ed0ba822f7bfbca44a65f13bcd6280455d74bbf2dda9c0b7f56b08a60e |
| SHA512 | 069adc723237599442cd30f85724deaf54ade5782dfbef0b31e05812777dc8d16b1deb849b6cdd05d5ea91e21636d65a1bada60080282f56b3a44913aec16a31 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
| MD5 | 146989df77714912f43d481988710f13 |
| SHA1 | 1bcdcf2d08e9b5aed33fe500b03d1650496d608c |
| SHA256 | 50552e4d14efbc039fa6b5fe6656e204ab3892b00c2a00c641696063daeeb68c |
| SHA512 | 7f6b7a5fc1733e401608d957f00fae19a8fb4c7a6820c5fc7da542635a614522719a4e6fbdeedc13d55d8ce56cde22ebadde0ffba7eb28b46d7ac2d3ca4ada93 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
| MD5 | 9c6be8c3e7ba9cb9317436fbeffd6a27 |
| SHA1 | 729d6a3ad58bcf305f01123f4cefe42106a7ef40 |
| SHA256 | 19a441c13c1ca39d48065284b37e867582402fe29db28a1d3cd10565b8073035 |
| SHA512 | cb74a124312172719451678bab57b1d417b7110d6238177cbc01d6fb9ed7ad0bb8976a0a0a311a5f7321f5adcb4e35661f7d4452d9cf48bde3d316492e4c84b5 |
memory/1068-35-0x0000000002240000-0x000000000225E000-memory.dmp
memory/1068-36-0x0000000073C40000-0x00000000743F0000-memory.dmp
memory/1068-37-0x0000000004A70000-0x0000000004A80000-memory.dmp
memory/1068-38-0x0000000004A70000-0x0000000004A80000-memory.dmp
memory/1068-39-0x0000000004A80000-0x0000000005024000-memory.dmp
memory/1068-40-0x0000000004990000-0x00000000049AC000-memory.dmp
memory/1068-41-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-42-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-44-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-46-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-48-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-50-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-52-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-54-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-56-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-58-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-60-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-62-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-64-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-66-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-68-0x0000000004990000-0x00000000049A6000-memory.dmp
memory/1068-69-0x0000000073C40000-0x00000000743F0000-memory.dmp
memory/1068-70-0x0000000004A70000-0x0000000004A80000-memory.dmp
memory/1068-71-0x0000000004A70000-0x0000000004A80000-memory.dmp
memory/1068-73-0x0000000073C40000-0x00000000743F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
| MD5 | 252e0dbbc9cad09238b4393b98c6dad5 |
| SHA1 | 22878b8de1eac378a8b10d5076dff6ca6240d100 |
| SHA256 | b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb |
| SHA512 | d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296 |
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | 252e0dbbc9cad09238b4393b98c6dad5 |
| SHA1 | 22878b8de1eac378a8b10d5076dff6ca6240d100 |
| SHA256 | b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb |
| SHA512 | d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
| MD5 | ffbf7f9ca30baf18f24f8134b2f9c0b6 |
| SHA1 | c2c058c8e9be043a0f51f6aa933b12b86b9f8f72 |
| SHA256 | cad1192638fe3e319e964f89ca363c1b99387e5f2fc5607528b73cfcefc05425 |
| SHA512 | 090f9ee4c0f8c727906b610236d1549b437c89445fea389a4bd11b9ca112bb88e74b5220ecc506077eee6c5c99963793f6694de20cb5b4228b024df409fbd507 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
| MD5 | b262404fe9049079c2e05db9b17079fe |
| SHA1 | b1092a6ab4c9b6800c2417780e53d23580f63870 |
| SHA256 | 5a26674c67a8fd5a8eb35a7a84b486f533fb9527b9470da6713365a79d74cb46 |
| SHA512 | 4b3c83b5d9dfbad5d6a18c514e0a4cd54176582c46f3a653f6460a1172fb5919f36229cb7d06a63874ddc6df10f0267e279287344f06b8cc5163a7b5f34425e4 |
memory/2872-92-0x0000000000070000-0x00000000000A0000-memory.dmp
memory/2872-93-0x0000000072BD0000-0x0000000073380000-memory.dmp
memory/2872-94-0x00000000020D0000-0x00000000020D6000-memory.dmp
memory/2872-95-0x0000000004FC0000-0x00000000055D8000-memory.dmp
memory/2872-96-0x0000000004AC0000-0x0000000004BCA000-memory.dmp
memory/2872-98-0x0000000004990000-0x00000000049A0000-memory.dmp
memory/2872-97-0x0000000004A00000-0x0000000004A12000-memory.dmp
memory/2872-99-0x0000000004A60000-0x0000000004A9C000-memory.dmp
memory/2872-100-0x0000000004BD0000-0x0000000004C1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | 252e0dbbc9cad09238b4393b98c6dad5 |
| SHA1 | 22878b8de1eac378a8b10d5076dff6ca6240d100 |
| SHA256 | b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb |
| SHA512 | d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296 |
memory/2872-102-0x0000000072BD0000-0x0000000073380000-memory.dmp
memory/2872-103-0x0000000004990000-0x00000000049A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
| MD5 | 252e0dbbc9cad09238b4393b98c6dad5 |
| SHA1 | 22878b8de1eac378a8b10d5076dff6ca6240d100 |
| SHA256 | b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb |
| SHA512 | d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296 |