Malware Analysis Report

2025-08-11 01:11

Sample ID 231006-zy5tjaga7t
Target NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe
SHA256 22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3
Tags
amadey mystic redline narik evasion infostealer persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3

Threat Level: Known bad

The file NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey mystic redline narik evasion infostealer persistence stealer trojan

Detect Mystic stealer payload

Mystic

RedLine

Amadey

Modifies Windows Defender Real-time Protection settings

Windows security modification

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15): the technique matrix is rendered interactively on the report page and is not captured in this export.

Analysis: static1

Detonation Overview

Reported

2023-10-06 21:08

Signatures

Unsigned PE

(static signature; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-06 21:08

Reported

2023-10-06 21:11

Platform

win7-20230831-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

(4 hits; no indicator details recorded)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe N/A

Note: these five RunOnce values are the standard cleanup entries that a wextract/IExpress self-extractor writes for its own IXPnnn.TMP directory (advpack.dll,DelNodeRunDLL32 deletes that directory at the next logon). They show that each stage of the chain is a self-extracting wrapper that unpacks the next one; they are not a Run-key persistence mechanism for the payload. The persistence in this detonation is the minute-interval scheduled task created from saves.exe (see "Creates scheduled task(s)" and the schtasks command line under Processes).
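The two preceding signature blocks ("Modifies Windows Defender Real-time Protection settings" / "Windows security modification" and "Adds Run key to start application") are easy to mis-read in bulk: the five Real-Time Protection policy writes and the TamperProtection write from a9245948.exe are genuine defence evasion, while the wextract_cleanup RunOnce entries are self-extractor housekeeping. The script below is an added example of how an analyst can label such registry events automatically; it is not part of the sandbox report. The event list is constructed from the tables above (plus one clearly marked hypothetical Run-key entry as a control), the key names and the advpack.dll,DelNodeRunDLL32 pattern are real, and the labels are the author's. One caveat that applies to the report itself: the win7 image has no Tamper Protection, so the TamperProtection write is a plain registry write there; on Windows 10/11 with Tamper Protection enabled these writes are blocked.

```python
"""Classify registry writes from a sandbox report: Defender tampering vs.
self-extractor cleanup vs. genuine autorun persistence.

Added example (author's triage helper, not sandbox code). Events below are
constructed from the report's tables; the control Run-key entry is hypothetical.
"""
import re
from dataclasses import dataclass

# Policy values that switch off parts of Defender's real-time engine when set to 1.
DEFENDER_RTP_POLICY = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(DisableBehaviorMonitoring|DisableIOAVProtection|DisableOnAccessProtection"
    r"|DisableRealtimeMonitoring|DisableScanOnRealtimeEnable)$",
    re.IGNORECASE,
)
DEFENDER_TAMPER = re.compile(r"\\Windows Defender\\Features\\TamperProtection$", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE
)
# wextract/IExpress self-extractors register "wextract_cleanupN" under RunOnce so that
# advpack.dll deletes their IXPnnn.TMP directory at next logon: cleanup, not persistence.
WEXTRACT_CLEANUP = re.compile(
    r"rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 .*\\IXP\d{3}\.TMP", re.IGNORECASE
)


@dataclass(frozen=True)
class RegEvent:
    key: str      # full value path as the sandbox prints it
    value: str    # data written, as text (the report wraps it in quotes)
    process: str  # image path of the writing process


def classify(ev: RegEvent) -> str:
    data = ev.value.strip('"')
    if DEFENDER_RTP_POLICY.search(ev.key) and data == "1":
        return "defender-rtp-disabled"
    if DEFENDER_TAMPER.search(ev.key) and data == "0":
        return "defender-tamper-protection-off"
    if RUN_KEY.search(ev.key):
        return "wextract-cleanup" if WEXTRACT_CLEANUP.search(data) else "autorun-persistence"
    return "other"


def summarize(events):
    """Group events by label; the caller decides which labels are worth alerting on."""
    groups = {}
    for ev in events:
        groups.setdefault(classify(ev), []).append(ev)
    return groups


POL = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
WOW = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft"
A9 = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe"

REPORT_EVENTS = [  # constructed from the report's signature tables
    RegEvent(POL + r"\DisableBehaviorMonitoring", '"1"', A9),
    RegEvent(POL + r"\DisableIOAVProtection", '"1"', A9),
    RegEvent(POL + r"\DisableOnAccessProtection", '"1"', A9),
    RegEvent(POL + r"\DisableRealtimeMonitoring", '"1"', A9),
    RegEvent(POL + r"\DisableScanOnRealtimeEnable", '"1"', A9),
    RegEvent(WOW + r"\Windows Defender\Features\TamperProtection", '"0"', A9),
    RegEvent(
        WOW + r"\Windows\CurrentVersion\RunOnce\wextract_cleanup3",
        r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"',
        r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe",
    ),
    # HYPOTHETICAL control case, not in the report (its persistence is a scheduled task):
    # what a genuine autorun entry for the dropped copy would look like.
    RegEvent(
        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saves",
        r'"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"',
        r"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe",
    ),
]

if __name__ == "__main__":
    for label, evs in summarize(REPORT_EVENTS).items():
        print(f"{label}: {len(evs)}")
        for ev in evs:
            proc = ev.process.rsplit("\\", 1)[-1]
            name = ev.key.rsplit("\\", 1)[-1]
            print(f"    {proc} -> {name}")
```

Run against the report's events this yields five defender-rtp-disabled hits and one tamper-protection hit (all from a9245948.exe), one wextract-cleanup entry, and the autorun-persistence label only for the hypothetical control entry, which is the split an analyst wants before deciding what to escalate.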

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A (2 hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A

Suspicious use of WriteProcessMemory

The report lists one row per write ("PID <parent> wrote to memory of <child>", Indicator N/A, Process = writer, Target = written process); the rows are collapsed here to one per parent/child pair with the number of rows in the last column. Each pair is a process writing into the next stage it has just launched, which matches the extraction chain in the RunOnce entries and the process list; a burst of writes into a freshly created child is what ordinary process creation looks like to the sandbox, so none of these rows on its own shows injection into an unrelated process.

Parent PID Parent process Child PID Child process Rows
2820 C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe 2236 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe 7
2236 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe 3064 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe 7
3064 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe 2620 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe 7
2620 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe 2752 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe 7
2752 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe 2624 C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe 7
2752 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe 3068 C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe 7
3068 C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe 2720 C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe 7
2620 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe 2844 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe 7
3064 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe 2892 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe 7
2720 C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe 2700 C:\Windows\SysWOW64\schtasks.exe 1
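The WriteProcessMemory table is the only place in this report that records parent/child relationships explicitly, so it is the right input for reconstructing the detonation's process tree. The following is an added example of doing that, written by the editor and not part of the sandbox output: it parses rows in the report's own text format, deduplicates the repeats, and prints the lineage. REPORT_ROWS is constructed from the table above (one distinct row per pair, repeated as often as the report repeats it); the assumption that the first process to write into a PID is its creator is the author's and is marked in the code.

```python
"""Rebuild the process lineage from the WriteProcessMemory rows of a sandbox report.

Added example (author's helper, not sandbox output). REPORT_ROWS is constructed
from this report's table, including the per-row repetition.
"""
import re
from collections import Counter, defaultdict

# Row text as the report prints it: "PID <p> wrote to memory of <c> N/A <parent image> <child image>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

T = r"C:\Users\Admin\AppData\Local\Temp"


def row(parent, child, parent_img, child_img, repeats):
    return [f"PID {parent} wrote to memory of {child} N/A {parent_img} {child_img}"] * repeats


REPORT_ROWS = (  # constructed from the report's table
    row(2820, 2236, T + r"\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe", T + r"\IXP000.TMP\v5391684.exe", 7)
    + row(2236, 3064, T + r"\IXP000.TMP\v5391684.exe", T + r"\IXP001.TMP\v5765111.exe", 7)
    + row(3064, 2620, T + r"\IXP001.TMP\v5765111.exe", T + r"\IXP002.TMP\v7694867.exe", 7)
    + row(2620, 2752, T + r"\IXP002.TMP\v7694867.exe", T + r"\IXP003.TMP\v0352362.exe", 7)
    + row(2752, 2624, T + r"\IXP003.TMP\v0352362.exe", T + r"\IXP004.TMP\a9245948.exe", 7)
    + row(2752, 3068, T + r"\IXP003.TMP\v0352362.exe", T + r"\IXP004.TMP\b3660032.exe", 7)
    + row(3068, 2720, T + r"\IXP004.TMP\b3660032.exe", T + r"\b40d11255d\saves.exe", 7)
    + row(2620, 2844, T + r"\IXP002.TMP\v7694867.exe", T + r"\IXP003.TMP\c9317585.exe", 7)
    + row(3064, 2892, T + r"\IXP001.TMP\v5765111.exe", T + r"\IXP002.TMP\d1669327.exe", 7)
    + row(2720, 2700, T + r"\b40d11255d\saves.exe", r"C:\Windows\SysWOW64\schtasks.exe", 1)
)


def parse_rows(lines):
    """Return (child -> parent, pid -> image path, Counter of (parent, child) rows)."""
    parent_of, image, writes = {}, {}, Counter()
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        p, c = int(m.group(1)), int(m.group(2))
        parent_of.setdefault(c, p)  # assumption: the first writer into a PID is its creator
        image[p], image[c] = m.group(3), m.group(4)
        writes[(p, c)] += 1
    return parent_of, image, writes


def roots(parent_of):
    return sorted({p for p in parent_of.values() if p not in parent_of})


def lineage(parent_of, pid):
    """Ancestor chain from the root down to pid."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(parent_of, image, writes):
    children = defaultdict(list)
    for c, p in parent_of.items():
        children[p].append(c)  # dict insertion order == order of first appearance
    out = []

    def walk(pid, depth):
        name = image[pid].rsplit("\\", 1)[-1]
        tag = ""
        if pid in parent_of:
            n = writes[(parent_of[pid], pid)]
            tag = f" ({n} write{'s' if n != 1 else ''})"
        out.append("  " * depth + f"{pid} {name}{tag}")
        for child in children[pid]:
            walk(child, depth + 1)

    for r in roots(parent_of):
        walk(r, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render(*parse_rows(REPORT_ROWS))))
```

The rendered tree has a single root (the submitted sample, PID 2820) and places the scheduled-task creation eight levels deep: sample, four wextract stages, b3660032.exe, its copy saves.exe, then schtasks.exe. The stealer components a9245948.exe, c9317585.exe and d1669327.exe hang off the third, fourth and fifth stages respectively.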

Processes

Each entry is the image path followed by the command line as the report records it (the report prints the path alone where the command line is identical to it).

Image: C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe

Image: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
(The command line names System32 but the image resolved to SysWOW64: file-system redirection because the 32-bit saves.exe launched it. The task re-runs the dropped copy every minute.)

Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
(CACLS /P "Admin:N" replaces the ACL so that the sandbox user Admin has no access; the following /P "Admin:R" /E edits read access back in. The net effect is that the logged-on user can read but not modify or delete the dropped copy or its directory; echo Y answers the "Are you sure" prompt. The six child processes below are this pipeline being executed.)

Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "saves.exe" /P "Admin:N"

Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "saves.exe" /P "Admin:R" /E

Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\b40d11255d" /P "Admin:N"

Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\b40d11255d" /P "Admin:R" /E

Image: C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {C271003E-9C68-46AD-BFA8-B1BB1B70AC1F} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

Image: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
(Six further instances, listed in the report without a command line; they follow the task-engine entry, consistent with the one-minute scheduled task re-launching the copy for the rest of the detonation window.)
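The schtasks and CACLS command lines above are the persistence and self-protection steps of this detonation, and both are worth matching on in process-creation telemetry. The script below is an added example by the editor, not sandbox output: it parses the two command lines copied from the report and applies two heuristics that are the author's, not vendor signatures: a /SC MINUTE task whose action lives under a user's Temp directory, and the CACLS pattern of replacing an ACL with "user:N" and then editing "user:R" back in, which locks the file against the very account that would try to delete it.

```python
"""Score the persistence and self-protection command lines from a sandbox process list.

Added example (author's triage heuristics, not sandbox code). The two command
lines are copied from the report; the checks and thresholds are the author's.
"""
import re

SCHTASKS_CMD = (  # copied from the report
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F'
)
CACLS_CMD = (  # copied from the report
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E'
    r'&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit'
)

USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
CACLS = re.compile(
    r'CACLS\s+"?(?P<target>[^"\s]+)"?\s+/P\s+"?(?P<ace>[^"\s]+)"?(?P<edit>\s+/E)?', re.IGNORECASE
)


def tokens(cmd):
    """Split a Windows command line, keeping quoted paths whole and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def schtasks_options(toks):
    """Map /FLAG -> value, or True for bare switches such as /Create and /F."""
    opts, i = {}, 1
    while i < len(toks):
        t = toks[i]
        if t.startswith("/"):
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            opts[t.upper()] = toks[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def assess_schtasks(cmd):
    """Return {name, action, findings} for a schtasks /Create line, else None."""
    toks = tokens(cmd)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    o = schtasks_options(toks)
    if "/CREATE" not in o:
        return None
    findings = []
    if str(o.get("/SC", "")).upper() == "MINUTE":
        every = int(o.get("/MO", 1))  # /MO omitted means every minute
        if every <= 5:  # author's threshold for "keep-alive" style tasks
            findings.append(f"high-frequency trigger: every {every} min")
    action = str(o.get("/TR", ""))
    if USER_TEMP.match(action):
        findings.append("task action in user temp dir")
    return {"name": o.get("/TN"), "action": action, "findings": findings}


def assess_cacls_chain(cmd):
    """Targets that receive 'user:N' (ACL replaced, no access) immediately followed by
    'user:R /E' (read edited back in) for the same user: the self-locking pattern."""
    seq = [(m["target"], m["ace"].upper(), bool(m["edit"])) for m in CACLS.finditer(cmd)]
    locked = []
    for (t1, a1, e1), (t2, a2, e2) in zip(seq, seq[1:]):
        same_user = a1.split(":")[0] == a2.split(":")[0]
        if t1 == t2 and same_user and a1.endswith(":N") and not e1 and a2.endswith(":R") and e2:
            locked.append(t1)
    return locked


if __name__ == "__main__":
    print(assess_schtasks(SCHTASKS_CMD))
    print(assess_cacls_chain(CACLS_CMD))
```

For this report the task check returns the name saves.exe with both findings, and the CACLS check returns saves.exe and ..\b40d11255d as locked targets. On a live host the cleanup order matters: delete the task first (schtasks /Delete /TN saves.exe /F), then take ownership and reset the ACL (takeown, then icacls <path> /reset) before removing the directory, since the deny ACE is on the account that would otherwise attempt the delete.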

Network

The report lists twelve TCP connections, six to each of two endpoints and none with a domain; they are collapsed here by destination.

Country Destination Domain Proto Connections
FI 77.91.68.18:80 (none) tcp 6
FI 77.91.124.82:19071 (none) tcp 6

The report does not say which process opened which connection. An HTTP-port endpoint is the kind of channel Amadey uses for its panel check-in and a raw high-port TCP endpoint is typical of RedLine's C2, but that pairing is an inference from the family tags, not something the capture shows.

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe

MD5 dbba888150db2bb4a7b3892f0c2aab6e
SHA1 8fc323a19c8281fc99e5445f271dbe02a3ebd7f0
SHA256 313f81ade73bce713b617b2d27636a87a1579663f3b9f9e75220d37d620550d2
SHA512 4aa9c1b5d3332ca0704ccfa3e60fd0a5a28c217df9456085f46d419b5775aa1a3712ad5351b72d58a482e17849334539061ce3064c09d6c13449b1ff37f624d9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe

MD5 dbba888150db2bb4a7b3892f0c2aab6e
SHA1 8fc323a19c8281fc99e5445f271dbe02a3ebd7f0
SHA256 313f81ade73bce713b617b2d27636a87a1579663f3b9f9e75220d37d620550d2
SHA512 4aa9c1b5d3332ca0704ccfa3e60fd0a5a28c217df9456085f46d419b5775aa1a3712ad5351b72d58a482e17849334539061ce3064c09d6c13449b1ff37f624d9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe

MD5 dbba888150db2bb4a7b3892f0c2aab6e
SHA1 8fc323a19c8281fc99e5445f271dbe02a3ebd7f0
SHA256 313f81ade73bce713b617b2d27636a87a1579663f3b9f9e75220d37d620550d2
SHA512 4aa9c1b5d3332ca0704ccfa3e60fd0a5a28c217df9456085f46d419b5775aa1a3712ad5351b72d58a482e17849334539061ce3064c09d6c13449b1ff37f624d9

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe

MD5 dbba888150db2bb4a7b3892f0c2aab6e
SHA1 8fc323a19c8281fc99e5445f271dbe02a3ebd7f0
SHA256 313f81ade73bce713b617b2d27636a87a1579663f3b9f9e75220d37d620550d2
SHA512 4aa9c1b5d3332ca0704ccfa3e60fd0a5a28c217df9456085f46d419b5775aa1a3712ad5351b72d58a482e17849334539061ce3064c09d6c13449b1ff37f624d9

\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe

MD5 e839f87fd3f5e5a6df6091450221883b
SHA1 0a9e64a9da8656af2283d7a5a60b358f5a0acbeb
SHA256 88fdcf0ec725ee01e48a54088d50ed6280cf7cd89681478d2f5a00595dd03278
SHA512 bc0610a2e7544d583dc9b4518b25c34abfa7ae1891fe732d998f5c23c718a6465e838cce26a407618fb79d37f83167f5ffe1d38822559ffe2227b010a6ff9464

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe

MD5 e839f87fd3f5e5a6df6091450221883b
SHA1 0a9e64a9da8656af2283d7a5a60b358f5a0acbeb
SHA256 88fdcf0ec725ee01e48a54088d50ed6280cf7cd89681478d2f5a00595dd03278
SHA512 bc0610a2e7544d583dc9b4518b25c34abfa7ae1891fe732d998f5c23c718a6465e838cce26a407618fb79d37f83167f5ffe1d38822559ffe2227b010a6ff9464

\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe

MD5 e839f87fd3f5e5a6df6091450221883b
SHA1 0a9e64a9da8656af2283d7a5a60b358f5a0acbeb
SHA256 88fdcf0ec725ee01e48a54088d50ed6280cf7cd89681478d2f5a00595dd03278
SHA512 bc0610a2e7544d583dc9b4518b25c34abfa7ae1891fe732d998f5c23c718a6465e838cce26a407618fb79d37f83167f5ffe1d38822559ffe2227b010a6ff9464

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe

MD5 e839f87fd3f5e5a6df6091450221883b
SHA1 0a9e64a9da8656af2283d7a5a60b358f5a0acbeb
SHA256 88fdcf0ec725ee01e48a54088d50ed6280cf7cd89681478d2f5a00595dd03278
SHA512 bc0610a2e7544d583dc9b4518b25c34abfa7ae1891fe732d998f5c23c718a6465e838cce26a407618fb79d37f83167f5ffe1d38822559ffe2227b010a6ff9464

\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe

MD5 63bc13e574cfeb9622e34aad7c559d5f
SHA1 8fe8c12f3f78da28457caaa10dd20479ea0e78df
SHA256 b18a97ed0ba822f7bfbca44a65f13bcd6280455d74bbf2dda9c0b7f56b08a60e
SHA512 069adc723237599442cd30f85724deaf54ade5782dfbef0b31e05812777dc8d16b1deb849b6cdd05d5ea91e21636d65a1bada60080282f56b3a44913aec16a31

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe

MD5 63bc13e574cfeb9622e34aad7c559d5f
SHA1 8fe8c12f3f78da28457caaa10dd20479ea0e78df
SHA256 b18a97ed0ba822f7bfbca44a65f13bcd6280455d74bbf2dda9c0b7f56b08a60e
SHA512 069adc723237599442cd30f85724deaf54ade5782dfbef0b31e05812777dc8d16b1deb849b6cdd05d5ea91e21636d65a1bada60080282f56b3a44913aec16a31

\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe

MD5 63bc13e574cfeb9622e34aad7c559d5f
SHA1 8fe8c12f3f78da28457caaa10dd20479ea0e78df
SHA256 b18a97ed0ba822f7bfbca44a65f13bcd6280455d74bbf2dda9c0b7f56b08a60e
SHA512 069adc723237599442cd30f85724deaf54ade5782dfbef0b31e05812777dc8d16b1deb849b6cdd05d5ea91e21636d65a1bada60080282f56b3a44913aec16a31

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe

MD5 63bc13e574cfeb9622e34aad7c559d5f
SHA1 8fe8c12f3f78da28457caaa10dd20479ea0e78df
SHA256 b18a97ed0ba822f7bfbca44a65f13bcd6280455d74bbf2dda9c0b7f56b08a60e
SHA512 069adc723237599442cd30f85724deaf54ade5782dfbef0b31e05812777dc8d16b1deb849b6cdd05d5ea91e21636d65a1bada60080282f56b3a44913aec16a31

\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe

MD5 146989df77714912f43d481988710f13
SHA1 1bcdcf2d08e9b5aed33fe500b03d1650496d608c
SHA256 50552e4d14efbc039fa6b5fe6656e204ab3892b00c2a00c641696063daeeb68c
SHA512 7f6b7a5fc1733e401608d957f00fae19a8fb4c7a6820c5fc7da542635a614522719a4e6fbdeedc13d55d8ce56cde22ebadde0ffba7eb28b46d7ac2d3ca4ada93

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe

MD5 146989df77714912f43d481988710f13
SHA1 1bcdcf2d08e9b5aed33fe500b03d1650496d608c
SHA256 50552e4d14efbc039fa6b5fe6656e204ab3892b00c2a00c641696063daeeb68c
SHA512 7f6b7a5fc1733e401608d957f00fae19a8fb4c7a6820c5fc7da542635a614522719a4e6fbdeedc13d55d8ce56cde22ebadde0ffba7eb28b46d7ac2d3ca4ada93

\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe

MD5 146989df77714912f43d481988710f13
SHA1 1bcdcf2d08e9b5aed33fe500b03d1650496d608c
SHA256 50552e4d14efbc039fa6b5fe6656e204ab3892b00c2a00c641696063daeeb68c
SHA512 7f6b7a5fc1733e401608d957f00fae19a8fb4c7a6820c5fc7da542635a614522719a4e6fbdeedc13d55d8ce56cde22ebadde0ffba7eb28b46d7ac2d3ca4ada93

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe

MD5 146989df77714912f43d481988710f13
SHA1 1bcdcf2d08e9b5aed33fe500b03d1650496d608c
SHA256 50552e4d14efbc039fa6b5fe6656e204ab3892b00c2a00c641696063daeeb68c
SHA512 7f6b7a5fc1733e401608d957f00fae19a8fb4c7a6820c5fc7da542635a614522719a4e6fbdeedc13d55d8ce56cde22ebadde0ffba7eb28b46d7ac2d3ca4ada93

\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe

MD5 9c6be8c3e7ba9cb9317436fbeffd6a27
SHA1 729d6a3ad58bcf305f01123f4cefe42106a7ef40
SHA256 19a441c13c1ca39d48065284b37e867582402fe29db28a1d3cd10565b8073035
SHA512 cb74a124312172719451678bab57b1d417b7110d6238177cbc01d6fb9ed7ad0bb8976a0a0a311a5f7321f5adcb4e35661f7d4452d9cf48bde3d316492e4c84b5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe

MD5 9c6be8c3e7ba9cb9317436fbeffd6a27
SHA1 729d6a3ad58bcf305f01123f4cefe42106a7ef40
SHA256 19a441c13c1ca39d48065284b37e867582402fe29db28a1d3cd10565b8073035
SHA512 cb74a124312172719451678bab57b1d417b7110d6238177cbc01d6fb9ed7ad0bb8976a0a0a311a5f7321f5adcb4e35661f7d4452d9cf48bde3d316492e4c84b5

\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe

MD5 9c6be8c3e7ba9cb9317436fbeffd6a27
SHA1 729d6a3ad58bcf305f01123f4cefe42106a7ef40
SHA256 19a441c13c1ca39d48065284b37e867582402fe29db28a1d3cd10565b8073035
SHA512 cb74a124312172719451678bab57b1d417b7110d6238177cbc01d6fb9ed7ad0bb8976a0a0a311a5f7321f5adcb4e35661f7d4452d9cf48bde3d316492e4c84b5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe

MD5 9c6be8c3e7ba9cb9317436fbeffd6a27
SHA1 729d6a3ad58bcf305f01123f4cefe42106a7ef40
SHA256 19a441c13c1ca39d48065284b37e867582402fe29db28a1d3cd10565b8073035
SHA512 cb74a124312172719451678bab57b1d417b7110d6238177cbc01d6fb9ed7ad0bb8976a0a0a311a5f7321f5adcb4e35661f7d4452d9cf48bde3d316492e4c84b5

memory/2624-50-0x00000000003D0000-0x00000000003EE000-memory.dmp

memory/2624-51-0x0000000000540000-0x000000000055C000-memory.dmp

memory/2624-52-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-53-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-55-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-57-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-59-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-61-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-63-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-65-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-67-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-69-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-71-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-73-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-75-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-77-0x0000000000540000-0x0000000000556000-memory.dmp

memory/2624-79-0x0000000000540000-0x0000000000556000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe

MD5 ffbf7f9ca30baf18f24f8134b2f9c0b6
SHA1 c2c058c8e9be043a0f51f6aa933b12b86b9f8f72
SHA256 cad1192638fe3e319e964f89ca363c1b99387e5f2fc5607528b73cfcefc05425
SHA512 090f9ee4c0f8c727906b610236d1549b437c89445fea389a4bd11b9ca112bb88e74b5220ecc506077eee6c5c99963793f6694de20cb5b4228b024df409fbd507

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe

MD5 ffbf7f9ca30baf18f24f8134b2f9c0b6
SHA1 c2c058c8e9be043a0f51f6aa933b12b86b9f8f72
SHA256 cad1192638fe3e319e964f89ca363c1b99387e5f2fc5607528b73cfcefc05425
SHA512 090f9ee4c0f8c727906b610236d1549b437c89445fea389a4bd11b9ca112bb88e74b5220ecc506077eee6c5c99963793f6694de20cb5b4228b024df409fbd507

\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe

MD5 ffbf7f9ca30baf18f24f8134b2f9c0b6
SHA1 c2c058c8e9be043a0f51f6aa933b12b86b9f8f72
SHA256 cad1192638fe3e319e964f89ca363c1b99387e5f2fc5607528b73cfcefc05425
SHA512 090f9ee4c0f8c727906b610236d1549b437c89445fea389a4bd11b9ca112bb88e74b5220ecc506077eee6c5c99963793f6694de20cb5b4228b024df409fbd507

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe

MD5 ffbf7f9ca30baf18f24f8134b2f9c0b6
SHA1 c2c058c8e9be043a0f51f6aa933b12b86b9f8f72
SHA256 cad1192638fe3e319e964f89ca363c1b99387e5f2fc5607528b73cfcefc05425
SHA512 090f9ee4c0f8c727906b610236d1549b437c89445fea389a4bd11b9ca112bb88e74b5220ecc506077eee6c5c99963793f6694de20cb5b4228b024df409fbd507

\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe

MD5 b262404fe9049079c2e05db9b17079fe
SHA1 b1092a6ab4c9b6800c2417780e53d23580f63870
SHA256 5a26674c67a8fd5a8eb35a7a84b486f533fb9527b9470da6713365a79d74cb46
SHA512 4b3c83b5d9dfbad5d6a18c514e0a4cd54176582c46f3a653f6460a1172fb5919f36229cb7d06a63874ddc6df10f0267e279287344f06b8cc5163a7b5f34425e4

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-06 21:08

Reported

2023-10-06 21:11

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
PID 3656 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
PID 3712 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
PID 1800 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
PID 4456 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
PID 4456 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
PID 3944 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
PID 1800 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
PID 3712 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
PID 3196 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe C:\Windows\SysWOW64\schtasks.exe
PID 3196 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1260 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1260 wrote to memory of 1560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1260 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "saves.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "saves.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\b40d11255d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\b40d11255d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe

MD5 dbba888150db2bb4a7b3892f0c2aab6e
SHA1 8fc323a19c8281fc99e5445f271dbe02a3ebd7f0
SHA256 313f81ade73bce713b617b2d27636a87a1579663f3b9f9e75220d37d620550d2
SHA512 4aa9c1b5d3332ca0704ccfa3e60fd0a5a28c217df9456085f46d419b5775aa1a3712ad5351b72d58a482e17849334539061ce3064c09d6c13449b1ff37f624d9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe

MD5 e839f87fd3f5e5a6df6091450221883b
SHA1 0a9e64a9da8656af2283d7a5a60b358f5a0acbeb
SHA256 88fdcf0ec725ee01e48a54088d50ed6280cf7cd89681478d2f5a00595dd03278
SHA512 bc0610a2e7544d583dc9b4518b25c34abfa7ae1891fe732d998f5c23c718a6465e838cce26a407618fb79d37f83167f5ffe1d38822559ffe2227b010a6ff9464

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe

MD5 63bc13e574cfeb9622e34aad7c559d5f
SHA1 8fe8c12f3f78da28457caaa10dd20479ea0e78df
SHA256 b18a97ed0ba822f7bfbca44a65f13bcd6280455d74bbf2dda9c0b7f56b08a60e
SHA512 069adc723237599442cd30f85724deaf54ade5782dfbef0b31e05812777dc8d16b1deb849b6cdd05d5ea91e21636d65a1bada60080282f56b3a44913aec16a31

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe

MD5 146989df77714912f43d481988710f13
SHA1 1bcdcf2d08e9b5aed33fe500b03d1650496d608c
SHA256 50552e4d14efbc039fa6b5fe6656e204ab3892b00c2a00c641696063daeeb68c
SHA512 7f6b7a5fc1733e401608d957f00fae19a8fb4c7a6820c5fc7da542635a614522719a4e6fbdeedc13d55d8ce56cde22ebadde0ffba7eb28b46d7ac2d3ca4ada93

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe

MD5 9c6be8c3e7ba9cb9317436fbeffd6a27
SHA1 729d6a3ad58bcf305f01123f4cefe42106a7ef40
SHA256 19a441c13c1ca39d48065284b37e867582402fe29db28a1d3cd10565b8073035
SHA512 cb74a124312172719451678bab57b1d417b7110d6238177cbc01d6fb9ed7ad0bb8976a0a0a311a5f7321f5adcb4e35661f7d4452d9cf48bde3d316492e4c84b5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 252e0dbbc9cad09238b4393b98c6dad5
SHA1 22878b8de1eac378a8b10d5076dff6ca6240d100
SHA256 b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb
SHA512 d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe

MD5 ffbf7f9ca30baf18f24f8134b2f9c0b6
SHA1 c2c058c8e9be043a0f51f6aa933b12b86b9f8f72
SHA256 cad1192638fe3e319e964f89ca363c1b99387e5f2fc5607528b73cfcefc05425
SHA512 090f9ee4c0f8c727906b610236d1549b437c89445fea389a4bd11b9ca112bb88e74b5220ecc506077eee6c5c99963793f6694de20cb5b4228b024df409fbd507

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe

MD5 b262404fe9049079c2e05db9b17079fe
SHA1 b1092a6ab4c9b6800c2417780e53d23580f63870
SHA256 5a26674c67a8fd5a8eb35a7a84b486f533fb9527b9470da6713365a79d74cb46
SHA512 4b3c83b5d9dfbad5d6a18c514e0a4cd54176582c46f3a653f6460a1172fb5919f36229cb7d06a63874ddc6df10f0267e279287344f06b8cc5163a7b5f34425e4