Malware Analysis Report

2025-01-23 10:08

Sample ID 231010-y75pfsbc64
Target 6db00618f6f9d4823bbeb433ed8c2a63.exe
SHA256 7eb790eac974b12e6132469ebc9c6cb67c0d5ca49d29656dabfab3898a07dd91
Tags
healer mystic dropper evasion persistence stealer trojan amadey redline gruha infostealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

7eb790eac974b12e6132469ebc9c6cb67c0d5ca49d29656dabfab3898a07dd91

Threat Level: Known bad

The file 6db00618f6f9d4823bbeb433ed8c2a63.exe was found to be: Known bad.

Malicious Activity Summary

Tags: healer mystic dropper evasion persistence stealer trojan amadey redline gruha infostealer

Family detections
Healer (Detects Healer an antivirus disabler dropper)
Amadey
Mystic (Detect Mystic stealer payload)
RedLine

Behaviours
Modifies Windows Defender Real-time Protection settings
Windows security modification
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Creates scheduled task(s)
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
Unsigned PE

Read together, the two detonations below describe a five-layer nested self-extractor chain (extraction directories IXP000.TMP through IXP004.TMP) whose innermost layer drops q4772928.exe, which disables Windows Defender through registry policy, and r6822897.exe, which injects into AppLaunch.exe. The Amadey and RedLine detections, the location check and the scheduled tasks appear only in the Windows 10 run (behavioral2); on Windows 7 (behavioral1) the injected stage crashed and no network activity was recorded.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:26

Signatures

Unsigned PE (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:26

Reported

2023-10-10 20:36

Platform

win7-20230831-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe"

Signatures

Detect Mystic stealer payload

6 matches (no indicator details recorded)

Detects Healer an antivirus disabler dropper

4 matches (no indicator details recorded)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A

Mystic

stealer mystic

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A

Note: this write and the Real-Time Protection policy writes above all target HKLM, so they only succeed because the sample runs with administrative rights in the sandbox (the user profile is C:\Users\Admin). On Windows 10 (1903 and later) and Windows 11 with Tamper Protection turned on, Defender ignores changes to these values made by anything other than its own trusted components, and clearing Features\TamperProtection from an ordinary process does not switch Tamper Protection off. Treat the writes as evidence of intent, not as proof that protection was disabled on a given host.
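The two Defender tables above are the registry telemetry a detection rule should key on. The following is an added example, not code from the sandbox or from any vendor: it classifies registry-write events (constructed here to mirror the report's rows, plus two made-up control cases) and rates each hit by where the writing process lives. The value list, the trusted-writer heuristic and the severity labels are this example's assumptions.

```python
"""Flag registry writes that weaken Microsoft Defender.

Added example, not part of the sandbox report or of any vendor tooling: the
events below are constructed from the report's "Set value" rows plus two
made-up control cases; the value list and the trusted-writer heuristic are
this example's assumptions.
"""
import re
from typing import List, NamedTuple, Optional


class RegWrite(NamedTuple):
    key: str     # key path as the sandbox logs it (\REGISTRY\MACHINE\... form)
    name: str    # value name
    data: str    # value data, as a string
    writer: str  # image path of the process that performed the write


RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Assumption: a Defender policy written from a user-writable path is the
# strong signal; Group Policy applies the same values from a system process.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Users\\Public\\", re.I)


def classify(ev: RegWrite) -> Optional[str]:
    """Return a description of why this write weakens Defender, or None."""
    key, name = ev.key.lower(), ev.name.lower()
    if key == RTP_KEY.lower() and name.startswith("disable") and ev.data == "1":
        return f"real-time protection component disabled by policy: {ev.name}"
    if key == POLICY_KEY.lower() and name in ("disableantispyware", "disableantivirus") and ev.data == "1":
        return f"Defender disabled by policy: {ev.name}"
    if key == FEATURES_KEY.lower() and name == "tamperprotection" and ev.data == "0":
        return "TamperProtection value cleared (honoured only if Tamper Protection is already off)"
    return None


def scan(events: List[RegWrite]) -> List[dict]:
    """Return one finding per Defender-weakening write, severity by writer location."""
    findings = []
    for ev in events:
        why = classify(ev)
        if why is None:
            continue
        severity = "high" if USER_WRITABLE.search(ev.writer) else "medium"
        findings.append({"severity": severity, "writer": ev.writer, "value": ev.name, "why": why})
    return findings


# Constructed input: the six writes the report attributes to q4772928.exe,
# one Group-Policy-style write from a system process, and one unrelated write.
Q = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe"
SAMPLE_EVENTS = [
    RegWrite(RTP_KEY, "DisableBehaviorMonitoring", "1", Q),
    RegWrite(RTP_KEY, "DisableIOAVProtection", "1", Q),
    RegWrite(RTP_KEY, "DisableOnAccessProtection", "1", Q),
    RegWrite(RTP_KEY, "DisableRealtimeMonitoring", "1", Q),
    RegWrite(RTP_KEY, "DisableScanOnRealtimeEnable", "1", Q),
    RegWrite(FEATURES_KEY, "TamperProtection", "0", Q),
    RegWrite(POLICY_KEY, "DisableAntiSpyware", "1", r"C:\Windows\System32\svchost.exe"),
    RegWrite(r"\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
             "Hidden", "1", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['value']}: {f['why']}  <- {f['writer']}")
```

Run it directly to print the findings for the constructed events. A hit records intent, not outcome: with Tamper Protection on, Defender discards these writes, so confirm the effect from the Microsoft-Windows-Windows Defender/Operational log (event 5001 when real-time protection is turned off, 5007 for a configuration change) before declaring a host unprotected.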

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe N/A

Note: the wextract_cleanup<n> RunOnce entries are not payload persistence. They are written by the Windows IExpress self-extractor stub (wextract) that each layer is packaged with: at next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete that layer's IXP00n.TMP extraction directory. Five consecutive entries (IXP000 through IXP004), each written by the executable extracted one level up, show five nested IExpress archives, a packaging fingerprint worth keying on even though the signature is labelled as persistence.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1628 set thread context of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Note: r6822897.exe writes into a child AppLaunch.exe (the .NET application launcher, a signed Microsoft binary) and then sets its thread context, the usual sequence for hollowing a legitimate host process. The memory dumps for PID 2988 at 0x00400000-0x00428000 in the Files section are what the sandbox captured from that host at its image base. Both processes then crash (WerFault.exe -p 1628 and -p 2988) and no network traffic was recorded, which suggests the injected stage never reached a working state on Windows 7.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; number of logged calls in brackets)
PID 2200 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe [7]
PID 1208 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe [7]
PID 2972 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe [7]
PID 2712 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe [7]
PID 2720 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe [7]
PID 2720 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe [7]
PID 1628 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe [14]
PID 1628 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\SysWOW64\WerFault.exe [7]
PID 2988 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe [1]
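Collapsing the WriteProcessMemory rows into a process tree makes the chain readable and isolates the one write that targets a Windows binary. The following is an added example, not part of the report: it parses rows in the sandbox's one-row-per-call layout (a constructed subset of this run's WriteProcessMemory and SetThreadContext rows, with a few repeats left in), rebuilds the tree by treating the first writer of a PID as its creator, and flags a non-Windows image that both writes to and sets the thread context of a child under C:\Windows. The image-path regex, the creator heuristic and the hollowing rule are this example's assumptions.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory / SetThreadContext rows.

Added example, not part of the report. ROWS is a constructed subset of the
report's rows (repeats kept to show de-duplication). Assumptions: image paths
end in ".exe"; the first process that writes into a PID is its creator; a
non-Windows image that writes into and sets thread context of an image under
C:\\Windows\\ is reported as a hollowing candidate.
"""
import re
from collections import Counter, defaultdict

ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?\.exe) (?P<dst_img>[A-Za-z]:\\.+?\.exe)$"
)

ROWS = r"""
PID 2200 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe
PID 2200 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe
PID 1208 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe
PID 2972 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe
PID 2712 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe
PID 2720 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe
PID 2720 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe
PID 1628 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1628 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1628 set thread context of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1628 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\SysWOW64\WerFault.exe
PID 2988 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
""".strip().splitlines()


def parse(lines):
    """Count well-formed rows by (kind, src_pid, dst_pid, src_img, dst_img); skips header/N/A rows."""
    counts = Counter()
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            counts[(m["kind"], int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])] += 1
    return counts


def build_tree(counts):
    """Map PIDs to images and derive parent->children from the first memory write into each PID."""
    images, parent = {}, {}
    for (kind, src, dst, src_img, dst_img) in counts:      # insertion order = row order
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if kind == "wrote to memory of" and src != dst and dst not in parent:
            parent[dst] = src
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    roots = sorted(pid for pid in images if pid not in parent)
    return images, children, roots


def render(images, children, roots):
    """Return the tree as indented 'PID image' lines, children in PID order."""
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{pid} {images[pid].rsplit(chr(92), 1)[-1]}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


def hollowing_candidates(counts):
    """(src, dst, dst_img) where a non-Windows image wrote into and set context of a Windows image."""
    writes = {(s, d) for (k, s, d, _, _) in counts if k == "wrote to memory of"}
    flagged = []
    for (k, s, d, s_img, d_img) in counts:
        if k != "set thread context of" or (s, d) not in writes:
            continue
        if d_img.lower().startswith("c:\\windows\\") and not s_img.lower().startswith("c:\\windows\\"):
            flagged.append((s, d, d_img))
    return flagged


if __name__ == "__main__":
    counts = parse(ROWS)
    print("\n".join(render(*build_tree(counts))))
    for s, d, img in hollowing_candidates(counts):
        print(f"hollowing candidate: {s} -> {d} ({img})")
```

The WerFault.exe children are written to by their crashing parents but never get a SetThreadContext, so the rule leaves them alone and reports only the r6822897.exe to AppLaunch.exe pair.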

Processes

C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe

"C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 268

Network

N/A

Files

Each dropped file is listed once below; the sandbox recorded several copies of every entry (write and read events on the same path).

\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe

MD5 b21b4d0360587337eb497afeee2b35bb
SHA1 2f28bbb41a67b313b1e96d030a6e9de536ee4e41
SHA256 18cbca75c02aa2c0d8a27cfbcb792d591e1c9a2f6fc7208c2e78afd393e2af15
SHA512 187e876521b3804b9ba681f62f0809f09af2f138cdc1a0d782a1badb5b73e1485580d1ab71ce801f06731818593b7b59c4bcd188c2befd448993c6b4d512bf39

\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe

MD5 9018364a2f223b2ca28728df215c7a41
SHA1 eef1f1ba5797a3eeb7b82b50fcfa6b01d2e1c860
SHA256 0caa544c28af8a39bb17262489af781b5852612b41b28a75916198c2415dee47
SHA512 8806c5ec98716a5239fec20fe3f62848591ea74ddd33ad93191fab682876d062f8c204a4c7149f1d4464d9497bd3c6dcf3765b302d17b6cbd436ca7159d63c22

\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe

MD5 f30bb8830c190bf39ad45ca18bf5ac49
SHA1 a1d99fa02456ff61bf1a82a1f3d89af9ba598f40
SHA256 4417b72a2f2695f623fe20b4b423421d11851adfbc31c24df36d075bf1c77c6e
SHA512 74163e7c8ec1b80abc09cd9481e062f2bf82a6731501ddd981487a96e5cc9f8c811ec56858e0a448329de19926570a7701d9f59770c2a3ca761525879235d979

\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe

MD5 f11b8bb1f5714f42d4b80591ab356a1e
SHA1 25c23d6c088c5eac82ac259237856f5b34fdf4a7
SHA256 61e58cff147799769ffa34523baafe5839c2019fd86767f30d041f47da850607
SHA512 4622f9c393be95b871419890fccbef1e251664d7653e062c2dcf8b4270032c1f9cd6833cbbdadc31e9e661f7a8e0c62120f08d33f75fc82ce078e57a572b0bff

\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe

MD5 b4b2e8943aed9647d55d6dc96844a677
SHA1 e6b6bed55e8bcd0610195cf65231d991386c56e7
SHA256 652d1b37140d97b84bedc5250b4571993c7a4e78ce40cdf7f34d8d7d87a0ce9e
SHA512 1ba51ef343c32712835e6c48e30bfd98b6486b6c4d3fe1cf1781b418319202a22328142716f496f589dda9156cf0e078352e04e49583d168e305b23f9c4928b2

\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe

MD5 7a00a40f9f5b6527fda5ad6c67b9266a
SHA1 427e3797408a924f5231a4d32707c7bf3f063368
SHA256 bda4124e245c9080031a2f44e11daa4f9b73444b93c5bfac7d60b9e9df9187aa
SHA512 68ae4783759e5bfa16ed8c836846376dca284e8be6c3a7a047a6d4b27f6f0f94682b270ad0c0d6a0037a8d2209dd87eccae874cc477acaf191435d64be074bd8

Memory dumps

PID 2996 (q4772928.exe)
memory/2996-48-0x0000000001040000-0x000000000104A000-memory.dmp
memory/2996-49, -50, -51: 0x000007FEF5410000-0x000007FEF5DFC000

PID 2988 (AppLaunch.exe, written to by r6822897.exe)
memory/2988-61, -62, -63, -64, -65, -66, -68, -70, -72: 0x0000000000400000-0x0000000000428000
memory/2988-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:26

Reported

2023-10-10 20:37

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

4 matches (no indicator details recorded)

Detects Healer an antivirus disabler dropper

3 matches (no indicator details recorded)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A

Note: HKCU\Control Panel\International\Geo\Nation holds the user's Windows GeoID (a numeric country code). Loaders in these families commonly read it to abort on machines located in CIS countries, so a detonation box configured with such a locale can produce a clean-looking run. The four processes performing the check (t7237048.exe and u4306972.exe inside the IXP00n.TMP layers, and explothe.exe and legota.exe copied into random-named Temp subfolders) only appear in this Windows 10 run; behavioral1 never reached them. The Temp\<random>\<name>.exe copy location matches the Amadey loader's self-install convention and pairs with the schtasks.exe invocations listed under Creates scheduled task(s).

Loads dropped DLL

C:\Windows\SysWOW64\rundll32.exe (2 events; DLL path not recorded in this extract)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe
PID 212 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe
PID 212 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe
PID 3616 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe
PID 3616 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe
PID 3616 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe
PID 2300 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe
PID 2300 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe
PID 2300 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe
PID 4396 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe
PID 4396 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe
PID 4396 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe
PID 4672 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe
PID 4672 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe
PID 4672 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe
PID 4672 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe
PID 4672 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe
PID 4720 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4720 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4720 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4720 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4720 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4720 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4720 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4720 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4720 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4720 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4396 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe
PID 4396 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe
PID 4396 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe
PID 4356 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2300 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe
PID 2300 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe
PID 2300 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe
PID 2792 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2792 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2792 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3616 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe
PID 3616 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe
PID 3616 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe
PID 4764 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 4764 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 4764 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 3764 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3764 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3764 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 212 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8203302.exe
PID 212 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8203302.exe
PID 212 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8203302.exe
PID 3764 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 3988 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 3988 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 3988 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe

"C:\Users\Admin\AppData\Local\Temp\6db00618f6f9d4823bbeb433ed8c2a63.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4356 -ip 4356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8203302.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8203302.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 182.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe

MD5 b21b4d0360587337eb497afeee2b35bb
SHA1 2f28bbb41a67b313b1e96d030a6e9de536ee4e41
SHA256 18cbca75c02aa2c0d8a27cfbcb792d591e1c9a2f6fc7208c2e78afd393e2af15
SHA512 187e876521b3804b9ba681f62f0809f09af2f138cdc1a0d782a1badb5b73e1485580d1ab71ce801f06731818593b7b59c4bcd188c2befd448993c6b4d512bf39

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5158157.exe

MD5 b21b4d0360587337eb497afeee2b35bb
SHA1 2f28bbb41a67b313b1e96d030a6e9de536ee4e41
SHA256 18cbca75c02aa2c0d8a27cfbcb792d591e1c9a2f6fc7208c2e78afd393e2af15
SHA512 187e876521b3804b9ba681f62f0809f09af2f138cdc1a0d782a1badb5b73e1485580d1ab71ce801f06731818593b7b59c4bcd188c2befd448993c6b4d512bf39

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe

MD5 9018364a2f223b2ca28728df215c7a41
SHA1 eef1f1ba5797a3eeb7b82b50fcfa6b01d2e1c860
SHA256 0caa544c28af8a39bb17262489af781b5852612b41b28a75916198c2415dee47
SHA512 8806c5ec98716a5239fec20fe3f62848591ea74ddd33ad93191fab682876d062f8c204a4c7149f1d4464d9497bd3c6dcf3765b302d17b6cbd436ca7159d63c22

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4349802.exe

MD5 9018364a2f223b2ca28728df215c7a41
SHA1 eef1f1ba5797a3eeb7b82b50fcfa6b01d2e1c860
SHA256 0caa544c28af8a39bb17262489af781b5852612b41b28a75916198c2415dee47
SHA512 8806c5ec98716a5239fec20fe3f62848591ea74ddd33ad93191fab682876d062f8c204a4c7149f1d4464d9497bd3c6dcf3765b302d17b6cbd436ca7159d63c22

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe

MD5 f30bb8830c190bf39ad45ca18bf5ac49
SHA1 a1d99fa02456ff61bf1a82a1f3d89af9ba598f40
SHA256 4417b72a2f2695f623fe20b4b423421d11851adfbc31c24df36d075bf1c77c6e
SHA512 74163e7c8ec1b80abc09cd9481e062f2bf82a6731501ddd981487a96e5cc9f8c811ec56858e0a448329de19926570a7701d9f59770c2a3ca761525879235d979

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3629837.exe

MD5 f30bb8830c190bf39ad45ca18bf5ac49
SHA1 a1d99fa02456ff61bf1a82a1f3d89af9ba598f40
SHA256 4417b72a2f2695f623fe20b4b423421d11851adfbc31c24df36d075bf1c77c6e
SHA512 74163e7c8ec1b80abc09cd9481e062f2bf82a6731501ddd981487a96e5cc9f8c811ec56858e0a448329de19926570a7701d9f59770c2a3ca761525879235d979

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe

MD5 f11b8bb1f5714f42d4b80591ab356a1e
SHA1 25c23d6c088c5eac82ac259237856f5b34fdf4a7
SHA256 61e58cff147799769ffa34523baafe5839c2019fd86767f30d041f47da850607
SHA512 4622f9c393be95b871419890fccbef1e251664d7653e062c2dcf8b4270032c1f9cd6833cbbdadc31e9e661f7a8e0c62120f08d33f75fc82ce078e57a572b0bff

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8072502.exe

MD5 f11b8bb1f5714f42d4b80591ab356a1e
SHA1 25c23d6c088c5eac82ac259237856f5b34fdf4a7
SHA256 61e58cff147799769ffa34523baafe5839c2019fd86767f30d041f47da850607
SHA512 4622f9c393be95b871419890fccbef1e251664d7653e062c2dcf8b4270032c1f9cd6833cbbdadc31e9e661f7a8e0c62120f08d33f75fc82ce078e57a572b0bff

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe

MD5 b4b2e8943aed9647d55d6dc96844a677
SHA1 e6b6bed55e8bcd0610195cf65231d991386c56e7
SHA256 652d1b37140d97b84bedc5250b4571993c7a4e78ce40cdf7f34d8d7d87a0ce9e
SHA512 1ba51ef343c32712835e6c48e30bfd98b6486b6c4d3fe1cf1781b418319202a22328142716f496f589dda9156cf0e078352e04e49583d168e305b23f9c4928b2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4772928.exe

MD5 b4b2e8943aed9647d55d6dc96844a677
SHA1 e6b6bed55e8bcd0610195cf65231d991386c56e7
SHA256 652d1b37140d97b84bedc5250b4571993c7a4e78ce40cdf7f34d8d7d87a0ce9e
SHA512 1ba51ef343c32712835e6c48e30bfd98b6486b6c4d3fe1cf1781b418319202a22328142716f496f589dda9156cf0e078352e04e49583d168e305b23f9c4928b2

memory/3652-35-0x0000000000130000-0x000000000013A000-memory.dmp

memory/3652-36-0x00007FFFAA930000-0x00007FFFAB3F1000-memory.dmp

memory/3652-37-0x00007FFFAA930000-0x00007FFFAB3F1000-memory.dmp

memory/3652-39-0x00007FFFAA930000-0x00007FFFAB3F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe

MD5 7a00a40f9f5b6527fda5ad6c67b9266a
SHA1 427e3797408a924f5231a4d32707c7bf3f063368
SHA256 bda4124e245c9080031a2f44e11daa4f9b73444b93c5bfac7d60b9e9df9187aa
SHA512 68ae4783759e5bfa16ed8c836846376dca284e8be6c3a7a047a6d4b27f6f0f94682b270ad0c0d6a0037a8d2209dd87eccae874cc477acaf191435d64be074bd8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6822897.exe

MD5 7a00a40f9f5b6527fda5ad6c67b9266a
SHA1 427e3797408a924f5231a4d32707c7bf3f063368
SHA256 bda4124e245c9080031a2f44e11daa4f9b73444b93c5bfac7d60b9e9df9187aa
SHA512 68ae4783759e5bfa16ed8c836846376dca284e8be6c3a7a047a6d4b27f6f0f94682b270ad0c0d6a0037a8d2209dd87eccae874cc477acaf191435d64be074bd8

memory/2020-43-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2020-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2020-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2020-47-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe

MD5 cb0b15c3d440662a5053364ba4d2f9da
SHA1 ea7cd302ab23ff410b20584ddb122ba0f9c00816
SHA256 f9b4dada045e54c7f8870c330ebb84e10c3d5638778d78f5389b56a1294e0265
SHA512 186308add6f722adf707a09db99a1150c99d1953e32c1599a70b2c00d6aaf961ef5554450fc64eb8a1f645dfa467a7ad486b7627f4a02546873bf1041af22f9c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6585055.exe

MD5 cb0b15c3d440662a5053364ba4d2f9da
SHA1 ea7cd302ab23ff410b20584ddb122ba0f9c00816
SHA256 f9b4dada045e54c7f8870c330ebb84e10c3d5638778d78f5389b56a1294e0265
SHA512 186308add6f722adf707a09db99a1150c99d1953e32c1599a70b2c00d6aaf961ef5554450fc64eb8a1f645dfa467a7ad486b7627f4a02546873bf1041af22f9c

memory/4160-51-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4160-55-0x00000000057C0000-0x00000000057C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7237048.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4160-56-0x0000000073AE0000-0x0000000074290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4160-63-0x0000000005FC0000-0x00000000065D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4160-67-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/4160-74-0x0000000005890000-0x00000000058A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4306972.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/4160-70-0x0000000005850000-0x0000000005862000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8203302.exe

MD5 79cef30870491691cdc6eb92cc2547c5
SHA1 bd25de61eacdbf68d414f01b53235fbda8dc5e30
SHA256 24f00ea29970741cf2477f0b15007045251bfb94b03ca5343f3cb50c6e4bc415
SHA512 25ffe14b52058363837edaf6ccfd98ffb49c876cd9631baf9547cd088dbd009f8cb0a0c2a077e25426edb74542d77340251657da91a188a6230b8ec012029aa7

memory/4160-84-0x00000000059E0000-0x0000000005A1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8203302.exe

MD5 79cef30870491691cdc6eb92cc2547c5
SHA1 bd25de61eacdbf68d414f01b53235fbda8dc5e30
SHA256 24f00ea29970741cf2477f0b15007045251bfb94b03ca5343f3cb50c6e4bc415
SHA512 25ffe14b52058363837edaf6ccfd98ffb49c876cd9631baf9547cd088dbd009f8cb0a0c2a077e25426edb74542d77340251657da91a188a6230b8ec012029aa7

memory/4160-86-0x0000000005A20000-0x0000000005A6C000-memory.dmp

memory/4160-87-0x0000000073AE0000-0x0000000074290000-memory.dmp

memory/4160-88-0x0000000005890000-0x00000000058A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976