Malware Analysis Report

2025-01-23 11:29

Sample ID 231010-1fk7vaee68
Target 7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7
SHA256 7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7
Tags
healer mystic dropper evasion persistence stealer trojan amadey redline gruha infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7

Threat Level: Known bad

The file 7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7 was found to be: Known bad.

Malicious Activity Summary

healer mystic dropper evasion persistence stealer trojan amadey redline gruha infostealer

Mystic

Amadey

Detect Mystic stealer payload

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Checks computer location settings

Loads dropped DLL

Windows security modification

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 21:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 21:35

Reported

2023-10-10 23:06

Platform

win7-20230831-en

Max time kernel

117s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A

Mystic

stealer mystic

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2568 set thread context of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe
PID 2808 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe
PID 2304 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe
PID 2656 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe
PID 2736 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe
PID 2736 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe
PID 2568 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe C:\Windows\SysWOW64\WerFault.exe
PID 1280 wrote to memory of 2984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe

"C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 268

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe

MD5 d48c7284701ea98957a0aa1025020cfa
SHA1 c016bc6cc92cbfe381160ccaceb08baf3b7e622a
SHA256 c9bd5fdd6ae6efdfdbd36e9a15890884ec509406fc1d50823221d1de80c0c521
SHA512 5f674b67630cddae49eaa494353eab883debc2933190d455fed9b4f3f753298cd56d15cf9203e8f705378517eb689a5e2b1170f80674f8c63b0749549fbd9d6d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe

MD5 b80e3189ca2d612605e5cb96c11420db
SHA1 f6892104b89ceea09fec22a009dfa055665f5f8a
SHA256 ee6ba14991249c53cd6974159ba562d63541549302e5ebd8280bfc7430bb6090
SHA512 be6443afa887877de687debc78d20ab59caed233012aae5ebac1c8843b93815f207b885cff35c959ec84379a84c2301ef5b316abe555ff9c114fbdb3251dae32

\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe

MD5 c7108038186b4764606d32df3950ab2c
SHA1 317e36715b20d87505b5d5e3b3bd01c58aa461d1
SHA256 5c1b41412012d6dd94fb34bf6641374d59c28af8e8fdd07bc54cd7be785fc8dc
SHA512 a26639f41eddcc04a4b387d2e8fd7bfe97bc8aa16013bb370358930982f9c6c60eea391b13a2168d6f936b7db10bb21ca3a625e7f709e2bde3dda6a6b6a5baf6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe

MD5 6405f99a0e207aafb8d22f005388581a
SHA1 4570ab7dbb0bd2ef9e93668087a5e6e244934dc5
SHA256 1115152af0956ef4fdbdef3c04cb85bebf719ef4d60c83d9d923f6ce53b46c25
SHA512 635c0f0642a3344d36f7d7789b6aec3df0169978625fcdc905c5c33de87425befb2722a6ca13f07351a6a77b21a11516fdf8cc3fca3c295747f54a9a9223abbe

\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe

MD5 4fd9c93c320ae8b1cce22919de97d7bc
SHA1 0cb9358cec7545e1b02411151db5b5aac490d202
SHA256 91304d353f0a65c5dec191baee663f640c6750750fdc17a0b46cc116c7983173
SHA512 35cc280be010bf92689a63c20c3ccc4eae4de33744c64d3a02bf562025d8567b222ffd0083098da74f10deff122d1a72d10451e140747b595a5bdcd616f525b7

memory/2344-48-0x0000000000F30000-0x0000000000F3A000-memory.dmp

memory/2344-49-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

memory/2344-50-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe

MD5 d09917a8f0525f1b4c1408f375923713
SHA1 3a6e07ad55843f6bac1bce9fb335ffa22e337cfa
SHA256 7dd5a832f69d23b32cd851c748e958ea5e8a4d3dca3400c887a122dde53fdc25
SHA512 c4e39b13f15ed0eaf5de4e3b87a899afc19bd29279a3584e54f3b5c6bb3dddbe5ce07c140001b72823ca0bc7d17e57ea22757624f9fc04575b4183b7eee5d7b3

memory/2344-51-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

memory/1280-61-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1280-62-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1280-63-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1280-65-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1280-64-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1280-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1280-66-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1280-70-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1280-72-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1280-68-0x0000000000400000-0x0000000000428000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 21:35

Reported

2023-10-10 23:06

Platform

win10v2004-20230915-en

Max time kernel

141s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1186371.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9462835.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4308 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe
PID 2792 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe
PID 3068 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe
PID 4376 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe
PID 2008 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe
PID 2008 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe
PID 3056 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3056 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4376 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6239913.exe
PID 1180 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6239913.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1186371.exe
PID 4904 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1186371.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2792 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9462835.exe
PID 3184 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 5060 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9462835.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 4308 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5765354.exe
PID 3904 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 3184 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe

"C:\Users\Admin\AppData\Local\Temp\7e0814e74e3bb08c84e19168154add2f70fc2bc486b337fcb2b8fd9d19105ad7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3096 -ip 3096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3056 -ip 3056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 200

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6239913.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6239913.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1180 -ip 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1186371.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1186371.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9462835.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9462835.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5765354.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5765354.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 77.91.124.55:19071 N/A tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5563570.exe

MD5 d48c7284701ea98957a0aa1025020cfa
SHA1 c016bc6cc92cbfe381160ccaceb08baf3b7e622a
SHA256 c9bd5fdd6ae6efdfdbd36e9a15890884ec509406fc1d50823221d1de80c0c521
SHA512 5f674b67630cddae49eaa494353eab883debc2933190d455fed9b4f3f753298cd56d15cf9203e8f705378517eb689a5e2b1170f80674f8c63b0749549fbd9d6d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5169793.exe

MD5 b80e3189ca2d612605e5cb96c11420db
SHA1 f6892104b89ceea09fec22a009dfa055665f5f8a
SHA256 ee6ba14991249c53cd6974159ba562d63541549302e5ebd8280bfc7430bb6090
SHA512 be6443afa887877de687debc78d20ab59caed233012aae5ebac1c8843b93815f207b885cff35c959ec84379a84c2301ef5b316abe555ff9c114fbdb3251dae32

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5426192.exe

MD5 c7108038186b4764606d32df3950ab2c
SHA1 317e36715b20d87505b5d5e3b3bd01c58aa461d1
SHA256 5c1b41412012d6dd94fb34bf6641374d59c28af8e8fdd07bc54cd7be785fc8dc
SHA512 a26639f41eddcc04a4b387d2e8fd7bfe97bc8aa16013bb370358930982f9c6c60eea391b13a2168d6f936b7db10bb21ca3a625e7f709e2bde3dda6a6b6a5baf6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7193855.exe

MD5 6405f99a0e207aafb8d22f005388581a
SHA1 4570ab7dbb0bd2ef9e93668087a5e6e244934dc5
SHA256 1115152af0956ef4fdbdef3c04cb85bebf719ef4d60c83d9d923f6ce53b46c25
SHA512 635c0f0642a3344d36f7d7789b6aec3df0169978625fcdc905c5c33de87425befb2722a6ca13f07351a6a77b21a11516fdf8cc3fca3c295747f54a9a9223abbe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4793251.exe

MD5 4fd9c93c320ae8b1cce22919de97d7bc
SHA1 0cb9358cec7545e1b02411151db5b5aac490d202
SHA256 91304d353f0a65c5dec191baee663f640c6750750fdc17a0b46cc116c7983173
SHA512 35cc280be010bf92689a63c20c3ccc4eae4de33744c64d3a02bf562025d8567b222ffd0083098da74f10deff122d1a72d10451e140747b595a5bdcd616f525b7

memory/4600-35-0x0000000000ED0000-0x0000000000EDA000-memory.dmp

memory/4600-36-0x00007FFFC29B0000-0x00007FFFC3471000-memory.dmp

memory/4600-37-0x00007FFFC29B0000-0x00007FFFC3471000-memory.dmp

memory/4600-39-0x00007FFFC29B0000-0x00007FFFC3471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2918283.exe

MD5 d09917a8f0525f1b4c1408f375923713
SHA1 3a6e07ad55843f6bac1bce9fb335ffa22e337cfa
SHA256 7dd5a832f69d23b32cd851c748e958ea5e8a4d3dca3400c887a122dde53fdc25
SHA512 c4e39b13f15ed0eaf5de4e3b87a899afc19bd29279a3584e54f3b5c6bb3dddbe5ce07c140001b72823ca0bc7d17e57ea22757624f9fc04575b4183b7eee5d7b3

memory/3096-43-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3096-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3096-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3096-47-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6239913.exe

MD5 490aba62f5371927f81bbb22b6084738
SHA1 331859ac1c034ec6ec6571ab091a424da5a29112
SHA256 2f5ad8bf0ef13ae1ffc967a876a04ff894e3972e5d2924e30c1514370746e502
SHA512 cacca025abdcee4f17d348d896729d22fddc4273ccc39e3564ace9ec81f72f3aea31d88de0c8f53703deb9f7f633120c5b2516509668fc185356bd2f2694f5bd

memory/4808-51-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1186371.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4808-58-0x00000000743E0000-0x0000000074B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9462835.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5765354.exe

MD5 fb3d715fd08168dc30c7bad7a28b8dc8
SHA1 efb67040c29a26ba505c9b0c4011f63f77eb4022
SHA256 b6a2c2fb93a7ee376ab4bf007ccb773b08b4d7e3b8beffcfc64e8e4066c8045e
SHA512 c8802c6e48a477968696d38aa5321320aef63c98fa57d7dc4c3cdfa923903ec47e6dfcdfd7dc0fef715638c486dd7cb10304ac39aeb3d5ea39be769446cd4ff2

memory/4808-80-0x00000000011D0000-0x00000000011D6000-memory.dmp

memory/4808-81-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/4808-82-0x0000000005A80000-0x0000000006098000-memory.dmp

memory/4808-83-0x0000000005570000-0x000000000567A000-memory.dmp

memory/4808-84-0x0000000005450000-0x0000000005460000-memory.dmp

memory/4808-85-0x00000000053F0000-0x0000000005402000-memory.dmp

memory/4808-86-0x0000000005460000-0x000000000549C000-memory.dmp

memory/4808-87-0x00000000054B0000-0x00000000054FC000-memory.dmp

memory/4808-88-0x0000000005450000-0x0000000005460000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4