Analysis Overview
SHA256
0690efd356ed29c86279ff4a0f431bc973d07314cbf666a1804cfb1018221be9
Threat Level: Known bad
The file 0690efd356ed29c86279ff4a0f431bc973d07314cbf666a1804cfb1018221be9 was found to be: Known bad.
Malicious Activity Summary
Amadey
Detects Healer, an antivirus disabler dropper
Mystic
Detect Mystic stealer payload
Modifies Windows Defender Real-time Protection settings
RedLine
Healer
Windows security modification
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 20:26
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 20:26
Reported
2023-10-10 20:37
Platform
win7-20230831-en
Max time kernel
120s
Max time network
143s
Signatures
Detect Mystic stealer payload
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
Mystic
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2673335.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2451699.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5779253.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2385855.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4925822.exe | N/A |
Loads dropped DLL
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0690efd356ed29c86279ff4a0f431bc973d07314cbf666a1804cfb1018221be9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2673335.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2451699.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5779253.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2385855.exe | N/A |
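The two Windows Defender tables above and this RunOnce table are the registry evidence for Healer's AV-disabler role and for the nested self-extractor chain. As an added example (not part of the sandbox report or of any vendor tooling), the following Python classifies such registry events: the five Real-Time Protection policy values flipped to 1 and TamperProtection set to 0 are scored high, while the wextract_cleanupN RunOnce values are scored informational, because they are written by the Windows IExpress/wextract self-extractor stub so that rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP00N.TMP directory at the next logon; they show a nested self-extracting package, not persistence. The sample events are transcribed from the tables above (the escaped backslashes are copied as the report renders them); the severities and rule wording are this example's own assumptions.

```python
"""Triage registry events from a sandbox report.

Added example; it is not part of the sandbox report or of any vendor tooling.
The sample events are transcribed from the behavioral1 signature tables;
the rule set, severities and wording are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Policy values Healer sets to 1. Each one switches off a piece of Defender's
# real-time protection wherever the policy key is honoured.
RTP_POLICY_KEY = r"\registry\machine\software\policies\microsoft\windows defender\real-time protection"
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring", "disableioavprotection", "disableonaccessprotection",
    "disablerealtimemonitoring", "disablescanonrealtimeenable",
}
FEATURES_KEY = r"\registry\machine\software\microsoft\windows defender\features"

# IExpress/wextract self-extractors register one RunOnce value per IXP00N.TMP
# directory so that advpack.dll deletes it at the next logon. That is cleanup of
# the extraction directory, not persistence, so it is scored as informational.
WEXTRACT_RUNONCE = re.compile(
    r'\\RunOnce\\wextract_cleanup\d+ = "rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 ', re.I)


@dataclass
class RegEvent:
    op: str         # "Key created", "Set value (int)", "Set value (str)", ...
    indicator: str  # key path, followed by ' = "value"' for set operations
    process: str    # image path of the writing process


def classify(ev: RegEvent) -> tuple[str, str]:
    """Return (severity, reason) for one registry event."""
    path, _, value = ev.indicator.partition(" = ")
    value = value.strip('"')
    parent, _, name = path.rpartition("\\")
    p, n = parent.lower(), name.lower()

    if p == RTP_POLICY_KEY and n in RTP_DISABLE_VALUES and value == "1":
        return "high", f"Defender real-time protection disabled by policy: {name}"
    if p == FEATURES_KEY and n == "tamperprotection" and value == "0":
        return "high", "Defender TamperProtection switched off in the Features key"
    if path.lower() == RTP_POLICY_KEY and ev.op == "Key created":
        return "medium", "Defender Real-Time Protection policy key created"
    if WEXTRACT_RUNONCE.search(ev.indicator):
        return "info", "IExpress wextract cleanup RunOnce (deletes IXP00N.TMP at next logon)"
    if re.search(r"\\CurrentVersion\\Run(Once)?\\", path, re.I):
        return "medium", "autostart entry under Run/RunOnce"
    return "low", "unclassified registry write"


def triage(events: list[RegEvent]) -> dict[str, list[str]]:
    """Group reasons by severity, tagging each with the writing process name."""
    out: dict[str, list[str]] = {}
    for ev in events:
        sev, why = classify(ev)
        out.setdefault(sev, []).append(f"{why} [{ev.process.rsplit(chr(92), 1)[-1]}]")
    return out


# Constructed sample: events transcribed from the behavioral1 tables above.
Q = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
REPORT_EVENTS = [
    RegEvent("Key created", RTP, Q),
    RegEvent("Set value (int)", RTP + r'\DisableBehaviorMonitoring = "1"', Q),
    RegEvent("Set value (int)", RTP + r'\DisableRealtimeMonitoring = "1"', Q),
    RegEvent("Set value (int)",
             r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"', Q),
    RegEvent("Set value (str)",
             r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0'
             r' = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
             r"C:\Users\Admin\AppData\Local\Temp\0690efd356ed29c86279ff4a0f431bc973d07314cbf666a1804cfb1018221be9.exe"),
]

if __name__ == "__main__":
    for sev, items in sorted(triage(REPORT_EVENTS).items()):
        for item in items:
            print(f"{sev:6} {item}")
```

Run against a real host, the same rules apply to the event stream of Sysmon event ID 13 (RegistryEvent value set) or to a parsed Tria.ge/CAPE report; the wextract rule stops a RunOnce-based alert from firing on every IExpress installer.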
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2672 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4925822.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4925822.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0690efd356ed29c86279ff4a0f431bc973d07314cbf666a1804cfb1018221be9.exe
"C:\Users\Admin\AppData\Local\Temp\0690efd356ed29c86279ff4a0f431bc973d07314cbf666a1804cfb1018221be9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2673335.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2673335.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2451699.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2451699.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5779253.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5779253.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2385855.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2385855.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4925822.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4925822.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 268
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2673335.exe
| MD5 | 6b5e45e36d7a23e1f6f88ea7abaeb74b |
| SHA1 | 7c07487968639236d186c5ab6b87a4425f609cd7 |
| SHA256 | e5355f0283c3f78b0724a5cd0997ee9e18ca54942afada4e8a313656727ccec8 |
| SHA512 | ee02ff4d5fabd19ec119353e2dee531ea14d981a728e9a064d472767cb416363a10b4cdf751628af09692c541110d9547a046d02e2966379788a6235f6d507b6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2673335.exe
| MD5 | 6b5e45e36d7a23e1f6f88ea7abaeb74b |
| SHA1 | 7c07487968639236d186c5ab6b87a4425f609cd7 |
| SHA256 | e5355f0283c3f78b0724a5cd0997ee9e18ca54942afada4e8a313656727ccec8 |
| SHA512 | ee02ff4d5fabd19ec119353e2dee531ea14d981a728e9a064d472767cb416363a10b4cdf751628af09692c541110d9547a046d02e2966379788a6235f6d507b6 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2451699.exe
| MD5 | 55ff2c875715c445c30733d7908202ee |
| SHA1 | 916f04161821c22c845417e5b49de924e9aa0737 |
| SHA256 | a86b0e334ce856e9df76a201f6181c4deff64d2eafd69ba1962bc6050b4b9ebc |
| SHA512 | b672d52ac718326bf130df6d26741c4b5a6154a15fffa089dd9ea6804515ac3613635fa10bcbb9dbe8e36b82b34183a4e0322e89a51edff26f05b4167c041eb8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2451699.exe
| MD5 | 55ff2c875715c445c30733d7908202ee |
| SHA1 | 916f04161821c22c845417e5b49de924e9aa0737 |
| SHA256 | a86b0e334ce856e9df76a201f6181c4deff64d2eafd69ba1962bc6050b4b9ebc |
| SHA512 | b672d52ac718326bf130df6d26741c4b5a6154a15fffa089dd9ea6804515ac3613635fa10bcbb9dbe8e36b82b34183a4e0322e89a51edff26f05b4167c041eb8 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5779253.exe
| MD5 | 498f70984ebd7edc3c6471a4b8fde35f |
| SHA1 | 8c98593aa95b807bcaadcb19cd5242ef274d26f2 |
| SHA256 | 8919bfd15fa90e06a492b5964b36551bac794f676e46b9b1463db27cc43d9fa3 |
| SHA512 | 106e8f7f9dba7488855d88840c20a69ae602f4837b6b66176e6179ab143f39d71fa60f8c654a693aa195ef4d6b5836db0acc2160f520f45d4fd3e1fe5e7d00c7 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5779253.exe
| MD5 | 498f70984ebd7edc3c6471a4b8fde35f |
| SHA1 | 8c98593aa95b807bcaadcb19cd5242ef274d26f2 |
| SHA256 | 8919bfd15fa90e06a492b5964b36551bac794f676e46b9b1463db27cc43d9fa3 |
| SHA512 | 106e8f7f9dba7488855d88840c20a69ae602f4837b6b66176e6179ab143f39d71fa60f8c654a693aa195ef4d6b5836db0acc2160f520f45d4fd3e1fe5e7d00c7 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2385855.exe
| MD5 | c208e414fd53d8ee7fca66008c5334b7 |
| SHA1 | d364cb597e5f7b32df4af531075fe421c5c49b5b |
| SHA256 | 6731e6088259d4025cd2a6fa7bc0ee472b6a35428f9caddc994fc27e569cd187 |
| SHA512 | bfc9b8f79177715079ebbf7d974f0f1c2b4ced60303a2d623d7012a5ada01834b2ac87f55b17ea6a05fe16dfdf1c5f060ce63ff6d99feedf0fa670b6bb8107af |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2385855.exe
| MD5 | c208e414fd53d8ee7fca66008c5334b7 |
| SHA1 | d364cb597e5f7b32df4af531075fe421c5c49b5b |
| SHA256 | 6731e6088259d4025cd2a6fa7bc0ee472b6a35428f9caddc994fc27e569cd187 |
| SHA512 | bfc9b8f79177715079ebbf7d974f0f1c2b4ced60303a2d623d7012a5ada01834b2ac87f55b17ea6a05fe16dfdf1c5f060ce63ff6d99feedf0fa670b6bb8107af |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe
| MD5 | 8d065a934aa14e7a4c566aa07a9552f5 |
| SHA1 | 437e9f21c8c4494a592dc69156d6cfbc0ddac274 |
| SHA256 | c6bd73b444713d5dad1a46526140c5043a7ec234336a9b34c67c38e84f5b8a8b |
| SHA512 | 0454b9aee685bd730b7730fa151cf36434897779f3be758b45fbc772449cdac0bb882ac14a6dd57a2b09dc812023e80a5a7422c7ce346b0a468f9222f6c260e0 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe
| MD5 | 8d065a934aa14e7a4c566aa07a9552f5 |
| SHA1 | 437e9f21c8c4494a592dc69156d6cfbc0ddac274 |
| SHA256 | c6bd73b444713d5dad1a46526140c5043a7ec234336a9b34c67c38e84f5b8a8b |
| SHA512 | 0454b9aee685bd730b7730fa151cf36434897779f3be758b45fbc772449cdac0bb882ac14a6dd57a2b09dc812023e80a5a7422c7ce346b0a468f9222f6c260e0 |
memory/2796-48-0x0000000000180000-0x000000000018A000-memory.dmp
memory/2796-49-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
memory/2796-50-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
memory/2796-51-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4925822.exe
| MD5 | 555a5900572bcc7f90ba500db7bd1820 |
| SHA1 | c89897ce52b7c4b2cda8544f5c3680387e01faba |
| SHA256 | 4cb940f2e77a195b74b29f40128ed22fe4c95c16390422bff367597066bab5cb |
| SHA512 | 498cc65144efa2167245b529c40639f91fc63fa1bbaec628110efff776570f6d1c93012f0bcd1084e93f9a430ed608b31f81788c87e81f2bf6a162d04188ee8d |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4925822.exe
| MD5 | 555a5900572bcc7f90ba500db7bd1820 |
| SHA1 | c89897ce52b7c4b2cda8544f5c3680387e01faba |
| SHA256 | 4cb940f2e77a195b74b29f40128ed22fe4c95c16390422bff367597066bab5cb |
| SHA512 | 498cc65144efa2167245b529c40639f91fc63fa1bbaec628110efff776570f6d1c93012f0bcd1084e93f9a430ed608b31f81788c87e81f2bf6a162d04188ee8d |
memory/2572-61-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-62-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-63-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-64-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-65-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-66-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2572-68-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-70-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2572-72-0x0000000000400000-0x0000000000428000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-10 20:26
Reported
2023-10-10 20:36
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
156s
Signatures
Amadey
Detect Mystic stealer payload
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
Mystic
RedLine
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5340575.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u5768499.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0690efd356ed29c86279ff4a0f431bc973d07314cbf666a1804cfb1018221be9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2673335.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2451699.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5779253.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2385855.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4516 set thread context of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4925822.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4976 set thread context of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9582120.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0690efd356ed29c86279ff4a0f431bc973d07314cbf666a1804cfb1018221be9.exe
"C:\Users\Admin\AppData\Local\Temp\0690efd356ed29c86279ff4a0f431bc973d07314cbf666a1804cfb1018221be9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2673335.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2673335.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2451699.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2451699.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5779253.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5779253.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2385855.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2385855.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8696735.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4925822.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4925822.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9582120.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9582120.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4976 -ip 4976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 156
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5340575.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5340575.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u5768499.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u5768499.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3065965.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3065965.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
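The schtasks, cmd and CACLS entries at the end of this process list are the persistence stage that appears only in the Windows 10 run: each payload (explothe.exe, legota.exe) is registered as a task that fires every minute (/SC MINUTE /MO 1) and its file and directory are then re-ACLed so the interactive user is left with read-only access (Admin:N, then Admin:R /E), which hinders manual deletion while the task keeps relaunching the binary. As an added example (not from the report), the following Python recovers that pattern from the raw command lines. The command lines are transcribed from the list above; the finding names, and the matching of relative CACLS targets by basename (the working directory is not recorded in the report), are this example's assumptions.

```python
"""Flag the scheduled-task plus ACL-lockdown persistence seen in behavioral2.

Added example; it is not part of the sandbox report. The command lines are
transcribed from the process list above; the parsing and scoring are this
example's own. Relative CACLS targets are matched by basename only, since the
working directory is not recorded in the report.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


@dataclass
class Finding:
    kind: str
    detail: str


def _argv(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    try:
        return [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quote
        return []


def parse_schtasks(cmdline: str) -> dict[str, str] | None:
    """Return the switches of a 'schtasks /Create' command as {SWITCH: value}."""
    argv = _argv(cmdline)
    if not argv or not argv[0].lower().endswith("schtasks.exe"):
        return None
    if "/create" not in (a.lower() for a in argv):
        return None
    opts: dict[str, str] = {}
    i = 1
    while i < len(argv):
        if argv[i].startswith("/"):
            key = argv[i][1:].upper()
            has_value = i + 1 < len(argv) and not argv[i + 1].startswith("/")
            opts[key] = argv[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def parse_cacls(cmdline: str) -> tuple[str, str, str] | None:
    """Return (target, user, perm) for 'CACLS <target> /P <user>:<perm> [/E]'."""
    argv = _argv(cmdline)
    if len(argv) < 4 or argv[0].lower().rsplit("\\", 1)[-1] not in ("cacls", "cacls.exe"):
        return None
    upper = [a.upper() for a in argv]
    if "/P" not in upper or upper.index("/P") + 1 >= len(argv):
        return None
    grant = argv[upper.index("/P") + 1]
    if ":" not in grant:
        return None
    user, _, perm = grant.rpartition(":")
    return argv[1], user, perm


def analyze(cmdlines: list[str]) -> list[Finding]:
    """Correlate every-minute tasks on user-Temp binaries with CACLS lockdowns."""
    findings: list[Finding] = []
    task_actions: dict[str, str] = {}  # basename -> path run by an every-minute task
    locked: set[str] = set()           # basenames whose user access was replaced with N (none)
    for line in cmdlines:
        opts = parse_schtasks(line)
        if opts is not None:
            action = opts.get("TR", "")
            # /MO defaults to 1 when omitted, so /SC MINUTE alone is also every minute.
            every_minute = opts.get("SC", "").upper() == "MINUTE" and opts.get("MO", "1") == "1"
            if every_minute and USER_TEMP.match(action):
                task_actions[action.rsplit("\\", 1)[-1].lower()] = action
                findings.append(Finding("persistence", f"task {opts.get('TN', '?')} runs {action} every minute"))
            continue
        acl = parse_cacls(line)
        if acl is not None and acl[2].upper() == "N":
            target, user, _ = acl
            locked.add(target.rsplit("\\", 1)[-1].lower())
            findings.append(Finding("acl-lockdown", f"{user} denied all access to {target}"))
    for base in sorted(task_actions.keys() & locked):
        findings.append(Finding("combined",
            f"{task_actions[base]} is relaunched every minute and ACL-locked against the user, "
            "so the user cannot delete it while the task keeps restarting it"))
    return findings


# Constructed sample: command lines transcribed from the behavioral2 process list.
REPORT_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F',
    r'CACLS "explothe.exe" /P "Admin:N"',
    r'CACLS "explothe.exe" /P "Admin:R" /E',
    r'CACLS "..\fefffe8cea" /P "Admin:N"',
    r'CACLS "..\fefffe8cea" /P "Admin:R" /E',
    r'CACLS "legota.exe" /P "Admin:N"',
    r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',  # background noise from the same chain
]

if __name__ == "__main__":
    for f in analyze(REPORT_CMDLINES):
        print(f"{f.kind:13} {f.detail}")
```

The per-process command lines are used rather than the chained `cmd.exe /k echo Y|CACLS ... && ...` line, because the child cacls.exe processes carry the same arguments already split. On a live host the equivalent check is to compare the `/TR` action of every task whose trigger repeats at minute granularity against files under the user's Temp directory.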
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
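The network table mixes sandbox background traffic (reverse lookups via 8.8.8.8, tse1.mm.bing.net) with the sample's own peers: repeated raw-IP connections to 77.91.124.55:19071 and HTTP to 77.91.124.1 and 77.91.68.78, whose reverse lookups (1.124.91.77.in-addr.arpa, 78.68.91.77.in-addr.arpa) also appear. Some rows were extracted with no Domain cell, so the protocol sits one column to the left. As an added example (not part of the report), the following Python parses the rows as extracted, tolerating the shifted column, separates repeated raw-IP connections from named traffic, and maps the PTR names back to the hosts that were actually contacted. The rows are copied from the table above; the three-hit threshold and the labels are this example's assumptions.

```python
"""Summarise a sandbox network table: repeated raw-IP connections and the
reverse-DNS lookups that belong to the sample's own peers.

Added example; it is not part of the sandbox report. The rows are copied from
the behavioral2 Network table, including rows whose Domain cell is missing so
the protocol shifted one column left; the parser tolerates both layouts.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the rows in the table above, as extracted.
REPORT_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp |
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str  # "" when the sandbox recorded no name for the flow
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse pipe-table rows; a missing Domain cell shifts Proto one column left."""
    flows: list[Flow] = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        country, dest = cells[0], cells[1]
        rest = [c for c in cells[2:] if c]
        if len(rest) == 1 and rest[0].lower() in ("tcp", "udp"):
            domain, proto = "", rest[0]        # Domain cell missing
        elif len(rest) >= 2:
            domain, proto = rest[0], rest[1]
        else:
            continue
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def ptr_to_ip(name: str) -> str | None:
    """'1.124.91.77.in-addr.arpa' -> '77.91.124.1'; None for any other name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def beacon_candidates(flows: list[Flow], min_hits: int = 3) -> dict[str, int]:
    """Non-DNS destinations reached by bare IP at least min_hits times."""
    hits = Counter(f"{f.ip}:{f.port}/{f.proto}" for f in flows
                   if f.port != 53 and f.domain in ("", f.ip))
    return {dst: n for dst, n in hits.items() if n >= min_hits}


def resolved_peers(flows: list[Flow]) -> set[str]:
    """IPs that appear both as reverse-DNS lookups and as connection targets."""
    contacted = {f.ip for f in flows if f.port != 53}
    looked_up: set[str] = set()
    for f in flows:
        if f.port == 53:
            ip = ptr_to_ip(f.domain)
            if ip:
                looked_up.add(ip)
    return contacted & looked_up


if __name__ == "__main__":
    flows = parse_rows(REPORT_ROWS)
    print("beacon candidates:", beacon_candidates(flows))
    print("peers with matching PTR lookups:", sorted(resolved_peers(flows)))
```

With the full table, 77.91.124.55:19071/tcp is the only destination that is contacted repeatedly without a hostname, which is the shape of a stealer's raw TCP check-in; 77.91.124.1 and 77.91.68.78 are reached over HTTP by IP and are the two non-sandbox hosts whose PTR names also appear, while the remaining in-addr.arpa lookups belong to Microsoft/Google infrastructure and can be treated as background.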
Files