Malware Analysis Report

2025-08-11 01:11

Sample ID 231006-zzct5sga7y
Target NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe
SHA256 236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778
Tags
amadey mystic redline narik evasion infostealer persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778

Threat Level: Known bad

The file NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Detect Mystic stealer payload

Amadey

Mystic

RedLine

Windows security modification

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-06 21:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-06 21:08

Reported

2023-10-06 21:11

Platform

win7-20230831-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe
PID 2496 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe
PID 2656 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe
PID 2548 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe
PID 2636 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe
PID 2636 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe
PID 2384 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
PID 2548 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2944141.exe
PID 2656 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8335235.exe
PID 628 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2944141.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2944141.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8335235.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8335235.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "saves.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "saves.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\b40d11255d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\b40d11255d" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {FCEDCD9A-8B86-4C54-A8C8-5B8C0FEF0151} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Network

Country Destination Domain Proto
FI 77.91.68.18:80 tcp
FI 77.91.124.82:19071 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe

MD5 1f365f79e792d3d21c05d16ba4a303a8
SHA1 cdd54394267616a3ce108a9d8c8400fedfbca351
SHA256 7a49cb10d892e408e58d3fd164f22758c299419fa500108c4f2c5c03dff005f1
SHA512 f997a5936dc06031312a29bad4ce8601d9a4685bd384ab2c642757679cc6a5a496396841aa1414a9631b09544997b97545edcfe1bd401b6a95ae8c87bedb41b9

\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe

MD5 59cb97509d55179b699afa9c5c407ce3
SHA1 69dd84a073ed2ee6c0842a387f92c2128ccf15cd
SHA256 e10d1cc91e3636f42977e217f29c4e5fca159aa69871fa241c06d2f0db686d21
SHA512 4c2f449a4b6f6718e68d188a29460d6da2ca2f787740ed06a54ecbdda4e17519ca1b67886b20ba68f26077c2f0e88a9690abbb2cc77e5062ace93d1ca02ed4eb

\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe

MD5 a438ce3d49256bac762f943a8909909a
SHA1 f7d5c973779c53eb52aebe932a9eb26ac2564d94
SHA256 f4e7f3c0c2b391a36cf5c81bb558f997c2df05200e9a38d331892694f6924e12
SHA512 af5f05e7b102060c9e5d9c99541bccc00024395365eccc2bfe312fa0ab7ab6017ce462a8acb5f8fff747e6b603d468b728800dcea5e41c50d5e486a4378a5738

\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe

MD5 a517f984f4819aedf64cb779ec409fc5
SHA1 309614685ea8747abbe097d9e110edb1aade981d
SHA256 17a8a9702c61059064ef60847bc24c9dcaab061e41e9591b23df3be3ebbfabe4
SHA512 8b0b0335ab7ccc2b105c5f64432a64fd4ffaf0ed96be343e33032bfbe3ecdd413222ca1d6744478dbcc4a36c7d4a5ed5e270d9b43f2ecca980a90964930cd918

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe

MD5 86e60d3c6b7a574d5599904da47d3955
SHA1 b160499b6cd745df984e8dd339cdfe24625ee5fc
SHA256 a34c3205391f7311f8137f7e301d4a44456f08f5ffa825ebaf798adfdb1e3034
SHA512 4af617d3a42555807c2aadf42d17d061a9ec31799b52e461449651dd95ac8dc0150f39cf3e2ba578d64a3d475987eca79abda1a507dfa0088db61f85869ff390

\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe

MD5 92e4486245785e61dec2ee306deb394c
SHA1 c42dc7dc08b374d8297b17fef829143824b5535d
SHA256 37b0a7541d8d68ba7070c04bf22b29f6166965e0a553584af303b2679cd921ee
SHA512 58b1c86938a21440c4f039d060699b986715caaf893f4515c36da77a8bbe793fc13faa4b57c2d7f85854ae577b70d9d1279192d31603cc53f584848b77b1b8f4

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 92e4486245785e61dec2ee306deb394c
SHA1 c42dc7dc08b374d8297b17fef829143824b5535d
SHA256 37b0a7541d8d68ba7070c04bf22b29f6166965e0a553584af303b2679cd921ee
SHA512 58b1c86938a21440c4f039d060699b986715caaf893f4515c36da77a8bbe793fc13faa4b57c2d7f85854ae577b70d9d1279192d31603cc53f584848b77b1b8f4

\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2944141.exe

MD5 e393ea2ccb8fe1eafe6fcda0795b74e8
SHA1 9c37c6278d26b956e804345d353d96379eafff1b
SHA256 f0b135725abe26e41059d0ad4a3dc12ddbe724ff7a6b0756230fd98a23ab01cc
SHA512 b36ca772289a7f5a285ffcab057730248746702e21d976749842a0f74baeb9f6e6680d9beec8fac16a5f46757ed4c7ce933b520515ba4cefe63bc981e5fa1e1d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8335235.exe

MD5 ea6e38313b4ec870a4dee3f7912729d7
SHA1 bc4183f81b997e0b1882eab76c7d2fdc4192ea83
SHA256 7ef4c5e7ad222d4dd5def062dd02e3092121374ebd862600ee322339f5a7b784
SHA512 11e82684552da868660db7a0219e08fe6bdb639752e4598faa8bffe6c79c2637050f34d31463bd8c8aebbe971f48bcf2dfc84327159eee50b2eeab9e4cff7186

\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8335235.exe

MD5 ea6e38313b4ec870a4dee3f7912729d7
SHA1 bc4183f81b997e0b1882eab76c7d2fdc4192ea83
SHA256 7ef4c5e7ad222d4dd5def062dd02e3092121374ebd862600ee322339f5a7b784
SHA512 11e82684552da868660db7a0219e08fe6bdb639752e4598faa8bffe6c79c2637050f34d31463bd8c8aebbe971f48bcf2dfc84327159eee50b2eeab9e4cff7186

\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2944141.exe

MD5 e393ea2ccb8fe1eafe6fcda0795b74e8
SHA1 9c37c6278d26b956e804345d353d96379eafff1b
SHA256 f0b135725abe26e41059d0ad4a3dc12ddbe724ff7a6b0756230fd98a23ab01cc
SHA512 b36ca772289a7f5a285ffcab057730248746702e21d976749842a0f74baeb9f6e6680d9beec8fac16a5f46757ed4c7ce933b520515ba4cefe63bc981e5fa1e1d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2944141.exe

MD5 e393ea2ccb8fe1eafe6fcda0795b74e8
SHA1 9c37c6278d26b956e804345d353d96379eafff1b
SHA256 f0b135725abe26e41059d0ad4a3dc12ddbe724ff7a6b0756230fd98a23ab01cc
SHA512 b36ca772289a7f5a285ffcab057730248746702e21d976749842a0f74baeb9f6e6680d9beec8fac16a5f46757ed4c7ce933b520515ba4cefe63bc981e5fa1e1d

\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8335235.exe

MD5 ea6e38313b4ec870a4dee3f7912729d7
SHA1 bc4183f81b997e0b1882eab76c7d2fdc4192ea83
SHA256 7ef4c5e7ad222d4dd5def062dd02e3092121374ebd862600ee322339f5a7b784
SHA512 11e82684552da868660db7a0219e08fe6bdb639752e4598faa8bffe6c79c2637050f34d31463bd8c8aebbe971f48bcf2dfc84327159eee50b2eeab9e4cff7186

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d8335235.exe

MD5 ea6e38313b4ec870a4dee3f7912729d7
SHA1 bc4183f81b997e0b1882eab76c7d2fdc4192ea83
SHA256 7ef4c5e7ad222d4dd5def062dd02e3092121374ebd862600ee322339f5a7b784
SHA512 11e82684552da868660db7a0219e08fe6bdb639752e4598faa8bffe6c79c2637050f34d31463bd8c8aebbe971f48bcf2dfc84327159eee50b2eeab9e4cff7186

memory/2764-107-0x0000000000B70000-0x0000000000BA0000-memory.dmp

memory/2764-108-0x00000000004A0000-0x00000000004A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

MD5 92e4486245785e61dec2ee306deb394c
SHA1 c42dc7dc08b374d8297b17fef829143824b5535d
SHA256 37b0a7541d8d68ba7070c04bf22b29f6166965e0a553584af303b2679cd921ee
SHA512 58b1c86938a21440c4f039d060699b986715caaf893f4515c36da77a8bbe793fc13faa4b57c2d7f85854ae577b70d9d1279192d31603cc53f584848b77b1b8f4

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-06 21:08

Reported

2023-10-06 21:09

Platform

win10v2004-20230915-en

Max time kernel

26s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe"

Signatures

Amadey

trojan amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "229" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4116 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe
PID 4116 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe
PID 4116 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe
PID 3752 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe
PID 3752 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe
PID 3752 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe
PID 4504 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe
PID 4504 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe
PID 4504 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe
PID 2296 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe
PID 2296 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe
PID 2296 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe
PID 2776 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe
PID 2776 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe
PID 2776 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe
PID 2776 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe
PID 2776 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe
PID 2776 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe
PID 4464 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 364 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 364 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k shutdown -s -t 0

C:\Windows\SysWOW64\shutdown.exe

shutdown -s -t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa398b855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe

MD5 1f365f79e792d3d21c05d16ba4a303a8
SHA1 cdd54394267616a3ce108a9d8c8400fedfbca351
SHA256 7a49cb10d892e408e58d3fd164f22758c299419fa500108c4f2c5c03dff005f1
SHA512 f997a5936dc06031312a29bad4ce8601d9a4685bd384ab2c642757679cc6a5a496396841aa1414a9631b09544997b97545edcfe1bd401b6a95ae8c87bedb41b9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe

MD5 59cb97509d55179b699afa9c5c407ce3
SHA1 69dd84a073ed2ee6c0842a387f92c2128ccf15cd
SHA256 e10d1cc91e3636f42977e217f29c4e5fca159aa69871fa241c06d2f0db686d21
SHA512 4c2f449a4b6f6718e68d188a29460d6da2ca2f787740ed06a54ecbdda4e17519ca1b67886b20ba68f26077c2f0e88a9690abbb2cc77e5062ace93d1ca02ed4eb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe

MD5 a438ce3d49256bac762f943a8909909a
SHA1 f7d5c973779c53eb52aebe932a9eb26ac2564d94
SHA256 f4e7f3c0c2b391a36cf5c81bb558f997c2df05200e9a38d331892694f6924e12
SHA512 af5f05e7b102060c9e5d9c99541bccc00024395365eccc2bfe312fa0ab7ab6017ce462a8acb5f8fff747e6b603d468b728800dcea5e41c50d5e486a4378a5738

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe

MD5 a517f984f4819aedf64cb779ec409fc5
SHA1 309614685ea8747abbe097d9e110edb1aade981d
SHA256 17a8a9702c61059064ef60847bc24c9dcaab061e41e9591b23df3be3ebbfabe4
SHA512 8b0b0335ab7ccc2b105c5f64432a64fd4ffaf0ed96be343e33032bfbe3ecdd413222ca1d6744478dbcc4a36c7d4a5ed5e270d9b43f2ecca980a90964930cd918

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe

MD5 86e60d3c6b7a574d5599904da47d3955
SHA1 b160499b6cd745df984e8dd339cdfe24625ee5fc
SHA256 a34c3205391f7311f8137f7e301d4a44456f08f5ffa825ebaf798adfdb1e3034
SHA512 4af617d3a42555807c2aadf42d17d061a9ec31799b52e461449651dd95ac8dc0150f39cf3e2ba578d64a3d475987eca79abda1a507dfa0088db61f85869ff390

memory/4440-35-0x0000000002360000-0x000000000237E000-memory.dmp

memory/4440-36-0x0000000073F80000-0x0000000074730000-memory.dmp

memory/4440-38-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/4440-37-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/4440-39-0x0000000004B50000-0x00000000050F4000-memory.dmp

memory/4440-40-0x0000000002500000-0x000000000251C000-memory.dmp

memory/4440-41-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-42-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-44-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-46-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-48-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-50-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-52-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-54-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-56-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-58-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-60-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-62-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-64-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-66-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-68-0x0000000002500000-0x0000000002516000-memory.dmp

memory/4440-69-0x0000000073F80000-0x0000000074730000-memory.dmp

memory/4440-70-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/4440-72-0x0000000073F80000-0x0000000074730000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe

MD5 92e4486245785e61dec2ee306deb394c
SHA1 c42dc7dc08b374d8297b17fef829143824b5535d
SHA256 37b0a7541d8d68ba7070c04bf22b29f6166965e0a553584af303b2679cd921ee
SHA512 58b1c86938a21440c4f039d060699b986715caaf893f4515c36da77a8bbe793fc13faa4b57c2d7f85854ae577b70d9d1279192d31603cc53f584848b77b1b8f4