Malware Analysis Report

2025-01-23 09:14

Sample ID 231010-y6mr9abb74
Target f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde
SHA256 f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde
Tags
healer redline gruha dropper evasion infostealer persistence trojan amadey
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde

Threat Level: Known bad

The file f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde was found to be: Known bad.

Malicious Activity Summary

healer redline gruha dropper evasion infostealer persistence trojan amadey

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Amadey

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:23

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:23

Reported

2023-10-10 20:32

Platform

win7-20230831-en

Max time kernel

151s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A

RedLine

infostealer redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2516 set thread context of 2976 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe
PID 1352 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe
PID 3068 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe
PID 2728 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe
PID 2728 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe
PID 2516 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2516 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe

"C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 36

Network

Country Destination Domain Proto
FI 77.91.124.55:19071 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe

MD5 1556d6b6fe97175c643a1efe18243194
SHA1 4f229acbdc803f6c1fc17bf1838495821fef6565
SHA256 8c027e871baef26d729eb683296d081ba025362fb410bfaf4290d7839422d9be
SHA512 cd79d551f46e9992446747108d8750da93341287590cfb2c59c0b6d4d094d6795c25673516714f3d117265126e4ee9eae7c9442949a06cd81f327c745febf065

\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe

MD5 712df0a25ec212d05c8ff048caf21369
SHA1 6dfad1fb1e5a94e83100013544c27012a8badebf
SHA256 68e8c9b7495f20b099d86d22cc265a4f04d8ef55dee1b0b389219ace26d64dc6
SHA512 b741c5e334d3dc8e66750082f7950b7684c44be6ea306061e770f3289f38fcc73de616bf208dfe3aa897bd116668277fa25af5798a83f99ead2e1a800c96073c

\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe

MD5 6362dfc17229132b48802ffcd49f21be
SHA1 c785e3ed02cae435586e5239f9d15508a6b8e98d
SHA256 cfb90e137790e6f838c54d42f42401f989b60104b469c8e15246fc45970f10a6
SHA512 95c14b81015358c8fce8f71146a3149d6724b6c46012086928dbc1efc4512cccbf38bd11e2f76699d3294088e04e4f727fc89e402b9421f57b0f7b1e12b373ab

\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe

MD5 573c54c5cb5b85116a69adcc9c600c29
SHA1 4aaf20f1a0caa4ec9317e6d01eb53b762bade06c
SHA256 6c27ae27403cdfeeb1065341b8c59818aaf484cd4af621236eebb9ab781b0e21
SHA512 835cf7678a6b6536810f2eedc9b62e2d3cfb6f21fbc218025c8017804f096ef7aa9475908c23596589e8a65b45cf3012862ced439b36f6ec0ccfbe7197eb52fc

memory/2784-38-0x00000000011D0000-0x00000000011DA000-memory.dmp

memory/2784-39-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

memory/2784-40-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

memory/2784-41-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe

MD5 1b299b318f01939bf1f4bdba54a9bd7d
SHA1 95745a57d25560d46edde9a50ddf958ec1aa2494
SHA256 12f6f69d6575f9511c85c8c5e9f595ebac1e1c36dd80cc5c5b52e97352bb1c3c
SHA512 99df7af2ce0f5775c1c7d0ac904f947ae3cfc2c2f568139a458f7f7a1e87e2c9797e95fdb5f24a8582ede4b64dd7514a3d839e934c31f13d84b877d5c36ba5df

memory/2976-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2976-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2976-53-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2976-55-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2976-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2976-58-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2976-60-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2976-62-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2976-67-0x0000000000250000-0x0000000000256000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:23

Reported

2023-10-10 20:32

Platform

win10v2004-20230915-en

Max time kernel

156s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A

RedLine

infostealer redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5520463.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6266452.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1040 set thread context of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe
PID 3628 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe
PID 4988 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe
PID 1100 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe
PID 1100 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe
PID 1040 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4988 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5520463.exe
PID 4988 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5520463.exe
PID 5020 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5520463.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 5020 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5520463.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 5020 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5520463.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3628 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6266452.exe
PID 3628 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6266452.exe
PID 3628 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6266452.exe
PID 3408 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3408 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3408 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6266452.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 1968 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6266452.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 1968 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6266452.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 1316 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8621866.exe
PID 1316 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8621866.exe
PID 1316 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8621866.exe
PID 5108 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 5108 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 5108 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 5108 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 784 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 784 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5088 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5088 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5088 wrote to memory of 1044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5088 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5088 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5088 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
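The rows above are the raw WriteProcessMemory events the sandbox recorded, one row per call. Every ordinary parent-to-child pair shows the same small number of writes, which is simply what process creation looks like under this instrumentation. The outlier is s8504502.exe (PID 1040), which wrote eight times into a freshly spawned AppLaunch.exe (PID 2028), the .NET host binary under C:\Windows: the shape of process hollowing, where a benign host is started suspended, its image overwritten, and then resumed. The Python below is an added worked example, not part of the sandbox report: it parses rows in exactly this format, rebuilds the injection edges, derives the baseline write count from the data itself and flags edges into a Windows-directory binary that exceed it. The "most common per-edge count is the baseline" heuristic and the `factor` threshold are assumptions of this example, and the input is an excerpt of the rows above.

```python
import re
from collections import Counter, defaultdict

# Constructed input: an excerpt of the WriteProcessMemory rows above, kept in the
# report's own "PID <src> wrote to memory of <dst> N/A <src image> <dst image>" form.
ROWS = r"""
PID 1316 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe
PID 1316 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe
PID 1316 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe
PID 1100 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe
PID 1100 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe
PID 1100 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe
PID 1100 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe
PID 1100 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe
PID 1040 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3408 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3408 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3408 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
"""

# Paths in this report contain no spaces, so whitespace-delimited fields suffice.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples, one per row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def write_counts(events):
    """Number of WriteProcessMemory calls per (src_pid, dst_pid) edge."""
    return Counter((s, d) for s, d, _, _ in events)


def baseline_writes(events):
    """Most common per-edge write count, taken as what plain process creation
    looks like under this sandbox (heuristic assumed by this example)."""
    return Counter(write_counts(events).values()).most_common(1)[0][0]


def flag_hollowing(events, factor=2):
    """Edges whose target lives under the Windows directory and received at
    least `factor` times the baseline number of writes. A user-land dropper
    writing heavily into a just-created Microsoft host binary is the
    process-hollowing pattern; `factor` is an assumed threshold."""
    images = {d: img for _, d, _, img in events}
    base = baseline_writes(events)
    findings = []
    for (s, d), n in write_counts(events).items():
        img = images[d]
        if img.lower().startswith("c:\\windows\\") and n >= factor * base:
            findings.append({"src_pid": s, "dst_pid": d, "target": img,
                             "writes": n, "baseline": base})
    return findings


def process_tree(events):
    """parent_pid -> sorted child pids, reconstructed from the write edges."""
    children = defaultdict(set)
    for s, d, _, _ in events:
        children[s].add(d)
    return {p: sorted(c) for p, c in children.items()}


if __name__ == "__main__":
    ev = parse_rows(ROWS)
    for f in flag_hollowing(ev):
        print(f"PID {f['src_pid']} -> PID {f['dst_pid']} ({f['target']}): "
              f"{f['writes']} writes vs baseline {f['baseline']}")
```

Deriving the baseline from the data rather than hard-coding it keeps the rule portable: another sandbox, or 64-bit parents, may produce a different number of writes for ordinary process creation, but an injector still stands out as the edge far above its peers.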

Processes

C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe

"C:\Users\Admin\AppData\Local\Temp\f703b6708b86c41fb7a7f0593361a581d0c46c015de7774b4100245dbfc7ffde.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5520463.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5520463.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6266452.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6266452.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8621866.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8621866.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
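The schtasks, CACLS and rundll32 command lines above are where the persistence and self-protection live. Each dropped payload (explothe.exe, legota.exe) registers a scheduled task that relaunches it every minute (/SC MINUTE /MO 1) from its folder under %TEMP%, then uses CACLS to first deny its own user all rights on the binary and its directory (/P "Admin:N", with "echo Y|" answering the confirmation prompt) and then grant read-only back (/P "Admin:R" /E), so a casual attempt to delete or inspect the files fails; separately, clip64.dll is loaded from a random-named %APPDATA% folder through rundll32 with the export Main. One caveat for detection: the image path is C:\Windows\SysWOW64\schtasks.exe while the command line says System32, because a 32-bit process's call into System32 is redirected by WOW64, so rules should key on the command line rather than the image path. The Python below is an added example, not part of the sandbox report: it runs three such command-line rules over the lines above. The rule names, the USER_WRITABLE directory list and the two benign command lines are constructed for this example.

```python
import re

# Constructed input: command lines copied from the Processes list above, plus two
# benign lines (constructed) that the rules must leave alone.
CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit',
    r'CACLS "explothe.exe" /P "Admin:N"',
    r'CACLS "..\fefffe8cea" /P "Admin:R" /E',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"',  # constructed, benign
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',  # constructed, benign
]

# Directories an unprivileged user can write to (assumed list; extend for your estate).
USER_WRITABLE = re.compile(r"(?i)\\(AppData\\(Local\\Temp|Roaming)|Users\\Public|ProgramData)\\")

SCHTASKS_CREATE = re.compile(r'(?i)schtasks(\.exe)?"?\s+/create\b')
MINUTE_TRIGGER = re.compile(r"(?i)/SC\s+MINUTE\s+/MO\s+1\b")
TASK_ACTION = re.compile(r'(?i)/TR\s+"?([^"]+)')
CACLS_DENY = re.compile(r'(?i)cacls\s+"?([^"\s]+)"?\s+/P\s+"?([^":\s]+):N\b')
RUNDLL32 = re.compile(r'(?i)rundll32(\.exe)?"?\s+"?([^",\s]+\.dll)\s*,\s*(\w+)')


def rule_minute_task(cmd):
    """schtasks /Create firing every minute with its action inside a user-writable
    directory: the relaunch loop both droppers set up above."""
    if not (SCHTASKS_CREATE.search(cmd) and MINUTE_TRIGGER.search(cmd)):
        return False
    m = TASK_ACTION.search(cmd)
    return bool(m and USER_WRITABLE.search(m.group(1)))


def rule_cacls_deny(cmd):
    """Every 'CACLS <target> /P <user>:N' in the line, i.e. a full deny for a user
    on a file or directory. Chained commands (&&) yield several hits."""
    return [(m.group(1), m.group(2)) for m in CACLS_DENY.finditer(cmd)]


def rule_rundll32_userdir(cmd):
    """rundll32 loading a DLL from a user-writable directory; returns (dll, export)."""
    m = RUNDLL32.search(cmd)
    if not m or not USER_WRITABLE.search(m.group(2)):
        return None
    return (m.group(2), m.group(3))


def scan(cmdlines):
    """Run all rules over the command lines; returns (rule_id, command_line) pairs."""
    findings = []
    for cmd in cmdlines:
        if rule_minute_task(cmd):
            findings.append(("persistence.schtasks_minute_userdir", cmd))
        for target, user in rule_cacls_deny(cmd):
            findings.append((f"defense_evasion.cacls_deny:{user}:{target}", cmd))
        hit = rule_rundll32_userdir(cmd)
        if hit:
            findings.append((f"execution.rundll32_userdir:{hit[0]}!{hit[1]}", cmd))
    return findings


if __name__ == "__main__":
    for rule_id, cmd in scan(CMDLINES):
        print(rule_id, "<-", cmd[:90])
```

The CACLS rule deliberately matches the single-command children (CACLS "explothe.exe" /P "Admin:N") as well as the parent cmd.exe chain, so it fires whether your telemetry records the wrapper command line, the individual child processes, or both; dedupe on the target path downstream if that double-counts for you.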

Network

Country Destination Domain Proto
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 182.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
FI 77.91.124.1:80 77.91.124.1 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3967036.exe

MD5 1556d6b6fe97175c643a1efe18243194
SHA1 4f229acbdc803f6c1fc17bf1838495821fef6565
SHA256 8c027e871baef26d729eb683296d081ba025362fb410bfaf4290d7839422d9be
SHA512 cd79d551f46e9992446747108d8750da93341287590cfb2c59c0b6d4d094d6795c25673516714f3d117265126e4ee9eae7c9442949a06cd81f327c745febf065

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2675087.exe

MD5 712df0a25ec212d05c8ff048caf21369
SHA1 6dfad1fb1e5a94e83100013544c27012a8badebf
SHA256 68e8c9b7495f20b099d86d22cc265a4f04d8ef55dee1b0b389219ace26d64dc6
SHA512 b741c5e334d3dc8e66750082f7950b7684c44be6ea306061e770f3289f38fcc73de616bf208dfe3aa897bd116668277fa25af5798a83f99ead2e1a800c96073c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5446204.exe

MD5 6362dfc17229132b48802ffcd49f21be
SHA1 c785e3ed02cae435586e5239f9d15508a6b8e98d
SHA256 cfb90e137790e6f838c54d42f42401f989b60104b469c8e15246fc45970f10a6
SHA512 95c14b81015358c8fce8f71146a3149d6724b6c46012086928dbc1efc4512cccbf38bd11e2f76699d3294088e04e4f727fc89e402b9421f57b0f7b1e12b373ab

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q2222420.exe

MD5 573c54c5cb5b85116a69adcc9c600c29
SHA1 4aaf20f1a0caa4ec9317e6d01eb53b762bade06c
SHA256 6c27ae27403cdfeeb1065341b8c59818aaf484cd4af621236eebb9ab781b0e21
SHA512 835cf7678a6b6536810f2eedc9b62e2d3cfb6f21fbc218025c8017804f096ef7aa9475908c23596589e8a65b45cf3012862ced439b36f6ec0ccfbe7197eb52fc

memory/2364-28-0x00000000009D0000-0x00000000009DA000-memory.dmp

memory/2364-29-0x00007FF889640000-0x00007FF88A101000-memory.dmp

memory/2364-30-0x00007FF889640000-0x00007FF88A101000-memory.dmp

memory/2364-32-0x00007FF889640000-0x00007FF88A101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8504502.exe

MD5 1b299b318f01939bf1f4bdba54a9bd7d
SHA1 95745a57d25560d46edde9a50ddf958ec1aa2494
SHA256 12f6f69d6575f9511c85c8c5e9f595ebac1e1c36dd80cc5c5b52e97352bb1c3c
SHA512 99df7af2ce0f5775c1c7d0ac904f947ae3cfc2c2f568139a458f7f7a1e87e2c9797e95fdb5f24a8582ede4b64dd7514a3d839e934c31f13d84b877d5c36ba5df

memory/2028-36-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2028-37-0x0000000073F30000-0x00000000746E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5520463.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2028-43-0x0000000002E00000-0x0000000002E06000-memory.dmp

memory/2028-44-0x0000000073F30000-0x00000000746E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6266452.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8621866.exe

MD5 aa2faf9bf656ffa0356458284d6830c1
SHA1 53de492372bd34481e69883d8376e819f6394cba
SHA256 7ad17567c0f9f13bcb4abd417fba9b566397b45b546d8479fb55ad68aa142b50
SHA512 9b5bcdc438799de071e81fdf8539d4c93f294373612825d1a0d16922a3ee4266e4ae9a43c2168b8d8d177b04417240fa504ee764883199d2df49a1eeee71b535

memory/2028-67-0x0000000005C50000-0x0000000006268000-memory.dmp

memory/2028-68-0x0000000005840000-0x000000000594A000-memory.dmp

memory/2028-69-0x0000000005520000-0x0000000005530000-memory.dmp

memory/2028-72-0x0000000005380000-0x0000000005392000-memory.dmp

memory/2028-73-0x00000000053E0000-0x000000000541C000-memory.dmp

memory/2028-74-0x0000000005520000-0x0000000005530000-memory.dmp

memory/2028-75-0x00000000054D0000-0x000000000551C000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
