Malware Analysis Report

2025-01-23 10:16

Sample ID 231010-yr9y8sgf61
Target 327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04
SHA256 327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04
Tags: healer mystic dropper evasion persistence stealer trojan amadey redline gruha infostealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04

Threat Level: Known bad

The file 327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04 was found to be: Known bad.

Malicious Activity Summary

healer mystic dropper evasion persistence stealer trojan amadey redline gruha infostealer

Mystic

Modifies Windows Defender Real-time Protection settings

Amadey

Detect Mystic stealer payload

Detects Healer an antivirus disabler dropper

Healer

RedLine

Executes dropped EXE

Windows security modification

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:02

Reported

2023-10-10 20:06

Platform

win7-20230831-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe"

Signatures

Detect Mystic stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 identical entries)

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical entries)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A

Mystic

stealer mystic

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2624 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A (2 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1728 wrote to memory of 2888 (7 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe
PID 2888 wrote to memory of 2652 (7 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe
PID 2652 wrote to memory of 2808 (7 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe
PID 2808 wrote to memory of 2744 (7 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe
PID 2744 wrote to memory of 2548 (7 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe
PID 2744 wrote to memory of 2624 (7 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe
PID 2624 wrote to memory of 2168 (7 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2624 wrote to memory of 2980 (14 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2624 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe
    "C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe
    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe
    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 268

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:02

Reported

2023-10-10 20:06

Platform

win10v2004-20230915-en

Max time kernel

81s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical entries)

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 identical entries)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A

Mystic

stealer mystic

RedLine

infostealer redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A (2 identical entries)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe | N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe
PID 1244 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe
PID 1244 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe
PID 824 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe
PID 824 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe
PID 824 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe
PID 500 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe
PID 500 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe
PID 500 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe
PID 3200 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe
PID 3200 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe
PID 3200 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe
PID 2492 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe
PID 2492 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe
PID 2492 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe
PID 2492 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe
PID 2492 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe
PID 2540 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2540 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2540 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2540 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2540 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2540 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2540 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2540 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2540 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2540 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe
PID 3200 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe
PID 3200 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe
PID 5076 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 500 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe
PID 500 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe
PID 500 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe
PID 3276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 824 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe
PID 824 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe
PID 824 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe
PID 1632 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 2232 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 2232 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 5108 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5108 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5108 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1244 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8939860.exe
PID 1244 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8939860.exe

Processes

C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe

"C:\Users\Admin\AppData\Local\Temp\327f4f6a90bc5e11b669b5e5c89f6bca0aa4d7c2dc1917152012e7c1a18dcd04.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2540 -ip 2540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 156

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8939860.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8939860.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 70.121.18.2.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe

MD5 2f8d085f02b56d1f00288137f1186bc7
SHA1 f66067b885ddf5e93b472d310fe1985d13125df3
SHA256 40f3f62d6a37f86318d4f25e8f105c5d5d9639147ef8160c359bbf981caa7d5d
SHA512 debbe0dbeefe426ba82c6a33c075410043ed969c8116cb0acc69c8a4c34c92cb7e823e8da1af481ad8053c360467569545f3db2ffb1018619d6a0f88be67af4e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1129589.exe

MD5 2f8d085f02b56d1f00288137f1186bc7
SHA1 f66067b885ddf5e93b472d310fe1985d13125df3
SHA256 40f3f62d6a37f86318d4f25e8f105c5d5d9639147ef8160c359bbf981caa7d5d
SHA512 debbe0dbeefe426ba82c6a33c075410043ed969c8116cb0acc69c8a4c34c92cb7e823e8da1af481ad8053c360467569545f3db2ffb1018619d6a0f88be67af4e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe

MD5 0e177cf6c99586d652dd99dd3348ae9c
SHA1 b5fa4a30e3e413ac4ca2f3ec040d3856b9e95127
SHA256 ae9896cf5be970aafab953e05a8df6c37f5fea2d5f3fc942baec1ffb49547026
SHA512 4c143eeb09c1553eea376a65cb8f972122da9f36d8ab64d0f5304aad71bb84d4b795fbc64e3039ca65a55d95a56754e29fd899cc0082442bb9b78e58fcbbbb70

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9394480.exe

MD5 0e177cf6c99586d652dd99dd3348ae9c
SHA1 b5fa4a30e3e413ac4ca2f3ec040d3856b9e95127
SHA256 ae9896cf5be970aafab953e05a8df6c37f5fea2d5f3fc942baec1ffb49547026
SHA512 4c143eeb09c1553eea376a65cb8f972122da9f36d8ab64d0f5304aad71bb84d4b795fbc64e3039ca65a55d95a56754e29fd899cc0082442bb9b78e58fcbbbb70

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe

MD5 2d1a4baff26cf707e9acdad761106a95
SHA1 6fd245fd5ff79a274a36fd013d0decb78d9c222b
SHA256 47091f85df9c88ecedbfaa7c9fa2d62379e8e9577ede9e41723e2ee9e3e0c6f2
SHA512 a955ad9f91da81f1785243ef7224ab7cf608bfe5228588e1e533c4d8bb86518ab9505068b6b617f4d2bd976a4005514956bedcebadaa7a04f2329865c481fc1b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0739114.exe

MD5 2d1a4baff26cf707e9acdad761106a95
SHA1 6fd245fd5ff79a274a36fd013d0decb78d9c222b
SHA256 47091f85df9c88ecedbfaa7c9fa2d62379e8e9577ede9e41723e2ee9e3e0c6f2
SHA512 a955ad9f91da81f1785243ef7224ab7cf608bfe5228588e1e533c4d8bb86518ab9505068b6b617f4d2bd976a4005514956bedcebadaa7a04f2329865c481fc1b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe

MD5 16ef95458e0b1af8afa49cd271fa8855
SHA1 602d79bc33fd136d965cdfd5f208418d482514bc
SHA256 a7966fe7575cbc2ea16ba4ba39d2576a9638b6e78cf767688d5d6af8439e4787
SHA512 acf6a05ae10a5894d706a0da8f832a07ffa807cd694442c51d4863ca9bd07b7174e85ee0b27e65661ccb38269c6b9df26a6b9e6ddce879a50ea2cbf5a86793aa

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe

MD5 b5f4218cbe15d080c6363a645af6e56e
SHA1 ff53b250b33abb3c77d8554ed7aab2623314e0a4
SHA256 e613f801710ed43f69fa8ecefad1c9eea940b572d4fd40d87193eb78a3b3b79e
SHA512 adbd5bcb707c16f0a7d5ac5b99eae6124b8f7a569083e825357eefc07981317b157331e5d91880f59946e18d12a6dcd9adbf47f526783c7a8d6f1d9226781c55

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4824987.exe

MD5 b5f4218cbe15d080c6363a645af6e56e
SHA1 ff53b250b33abb3c77d8554ed7aab2623314e0a4
SHA256 e613f801710ed43f69fa8ecefad1c9eea940b572d4fd40d87193eb78a3b3b79e
SHA512 adbd5bcb707c16f0a7d5ac5b99eae6124b8f7a569083e825357eefc07981317b157331e5d91880f59946e18d12a6dcd9adbf47f526783c7a8d6f1d9226781c55

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1133484.exe

MD5 16ef95458e0b1af8afa49cd271fa8855
SHA1 602d79bc33fd136d965cdfd5f208418d482514bc
SHA256 a7966fe7575cbc2ea16ba4ba39d2576a9638b6e78cf767688d5d6af8439e4787
SHA512 acf6a05ae10a5894d706a0da8f832a07ffa807cd694442c51d4863ca9bd07b7174e85ee0b27e65661ccb38269c6b9df26a6b9e6ddce879a50ea2cbf5a86793aa

memory/1204-35-0x0000000000560000-0x000000000056A000-memory.dmp

memory/1204-36-0x00007FFF681C0000-0x00007FFF68C81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe

MD5 bc5d6c21c9ba272735e4490ba056407e
SHA1 27f5715ab1f899cefc7935e02709f5f7392f1c5d
SHA256 1924c309f253bae40986bca4fc5a79e503f87b5ec083398eab5a7dd15f53874c
SHA512 e9aaee620ad0b2e4bf47f889df6d81348ee44d0385ddfc83fc1d27ab61480a3300b77e9ae506f79ae6ed61488de9b8e2e1abed64fa73a65824d217d0656bfe43

memory/1204-38-0x00007FFF681C0000-0x00007FFF68C81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1768784.exe

MD5 bc5d6c21c9ba272735e4490ba056407e
SHA1 27f5715ab1f899cefc7935e02709f5f7392f1c5d
SHA256 1924c309f253bae40986bca4fc5a79e503f87b5ec083398eab5a7dd15f53874c
SHA512 e9aaee620ad0b2e4bf47f889df6d81348ee44d0385ddfc83fc1d27ab61480a3300b77e9ae506f79ae6ed61488de9b8e2e1abed64fa73a65824d217d0656bfe43

memory/2548-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2548-43-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2548-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2548-42-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe

MD5 e37b88f5e0678e813f2c1036efbb6a95
SHA1 23a1fcea773bc9d6c9cefb651ba12a92b64a1695
SHA256 7090f730163b554920f2755bcf99af222ce05a084bfd38f0e1ad58146de09726
SHA512 28233679110254d190641bc008cc31b180382e8332e6e3f46a9833f66019594ae49d6c848b2f74192deb96f71da325f163cfe42a06a22e61572e0a615862bcfe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7259936.exe

MD5 e37b88f5e0678e813f2c1036efbb6a95
SHA1 23a1fcea773bc9d6c9cefb651ba12a92b64a1695
SHA256 7090f730163b554920f2755bcf99af222ce05a084bfd38f0e1ad58146de09726
SHA512 28233679110254d190641bc008cc31b180382e8332e6e3f46a9833f66019594ae49d6c848b2f74192deb96f71da325f163cfe42a06a22e61572e0a615862bcfe

memory/1692-50-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1692-51-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/1692-52-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0984448.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1692-62-0x000000000ACE0000-0x000000000B2F8000-memory.dmp

memory/1692-63-0x000000000A7D0000-0x000000000A8DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1692-67-0x0000000002E40000-0x0000000002E52000-memory.dmp

memory/1692-68-0x0000000002CF0000-0x0000000002D00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u1546825.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/1692-74-0x0000000002EA0000-0x0000000002EDC000-memory.dmp

memory/1692-76-0x000000000A6C0000-0x000000000A70C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8939860.exe

MD5 1ce192080e2fff4b4426096ff63b958d
SHA1 23a5c0247139ff9081a10a9986cee71d0b630af2
SHA256 cb5d84035c5930b194ab1065fdf44cfdb57025c2b1bc2959d637808e8d50570c
SHA512 15784d81c13d03c7389cd024808916d443f47b660ca28ebe2299c38f5bfe612c3bb5a47c9c8f63808e7b91297aaba83952643f63b085e94f4deab2ce2e9e804a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8939860.exe

MD5 1ce192080e2fff4b4426096ff63b958d
SHA1 23a5c0247139ff9081a10a9986cee71d0b630af2
SHA256 cb5d84035c5930b194ab1065fdf44cfdb57025c2b1bc2959d637808e8d50570c
SHA512 15784d81c13d03c7389cd024808916d443f47b660ca28ebe2299c38f5bfe612c3bb5a47c9c8f63808e7b91297aaba83952643f63b085e94f4deab2ce2e9e804a

memory/1692-86-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/1692-87-0x0000000002CF0000-0x0000000002D00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976