Malware Analysis Report

2025-01-23 09:52

Sample ID 231010-zceefshf6y
Target 174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2
SHA256 174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2
Tags
healer mystic dropper evasion persistence stealer trojan amadey redline gruha infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2

Threat Level: Known bad

The file 174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2 was found to be: Known bad.

Malicious Activity Summary

healer mystic dropper evasion persistence stealer trojan amadey redline gruha infostealer

Healer

Detect Mystic stealer payload

Detects Healer an antivirus disabler dropper

RedLine

Amadey

Mystic

Modifies Windows Defender Real-time Protection settings

Windows security modification

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:34

Reported

2023-10-10 20:50

Platform

win7-20230831-en

Max time kernel

120s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A

Mystic

stealer mystic

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 780 set thread context of 1504 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe
PID 2100 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe
PID 2736 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe
PID 2612 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe
PID 2660 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe
PID 2660 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe
PID 780 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 780 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\SysWOW64\WerFault.exe
PID 1504 wrote to memory of 2556 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe

"C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 36

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe

MD5 8f4c4cd9dea78070268d2e3529a6c9fe
SHA1 8662d9d75d9424666c115ed6c1ed2799f28b09fd
SHA256 19321addea70bbc5479e48168924899b5dcbece1f38325178cb658f31a9fa778
SHA512 ee11565f2c6673b7dfa52f59219e4b2c64751d60b230218f3203e7dfe5d860a8b283fdd6274dfa59d1ee30b3054697d1dad40712f58e7a73b8e923e984040b5e

\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe

MD5 777fda121dc2c05dac6a859bef06fd9f
SHA1 45c5e60ba4b6560538655f6bf9d26c9ec7f7b990
SHA256 94ef91901cfbee6934713ef56318496400db0d285c4116a2d88067be037d3077
SHA512 71f6cbbceefa5c6b3b189bb01be9cfcfdb7198a6a030fb424da2dd0048fb85d7d10947dddc45a75a277a2806bc36644e05b49ff4202cb974df0d85fbc4dcb349

\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe

MD5 8338993f9102c776262f057ca8ee9ad3
SHA1 46fde7d02b32d4a14fb50399453b08761905c621
SHA256 f0897e28d56dc3c6829ab8c4a35493db94daeb97a9490f95c7d75fb1cc12e6c6
SHA512 8a2156fe2e4b916f11f8bae6b545b304472ea3141e68a3ee54c1ca49b2faeeccc415ae4276bf4d08291814aff3fe5ab8d0c2ef07474f2c90ea8b69726a40b457

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe

MD5 fa338af5f5b5ac1cadf87a93bde0efb7
SHA1 8da1e51856c3fe9a32e19bfb0e8308b567b526cc
SHA256 4f9cdd5df77cfbba55deb15a25f28fbb539b3a7c8e94d8a8769b5ad05e988ea3
SHA512 045a7b4eb8ccd6ed819d38b65056d287b0eaa747e332ac8ad603eeede8ce8d0b3e3a2adea63c692a1a3e5699ea065445bd8125e2adbf8b13308a298e24f9790e

\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe

MD5 cb3f3a4d067169ce76c05db6de8ee8bd
SHA1 96ddcc0df2e979c6306c57689eddcc0dd5acbe10
SHA256 61fbd77ed4a94b1888a04324b477e70d8a347d361862f743921a0ab81ae3d802
SHA512 6f48dc353b47084c4c9a5b5d2d8a1dca41f497bc64b22c98fb9390998a39060258ffae154bb3e765e313475c7f6aef63226870b8f3407278cd71a59d8ea080c4

memory/2824-48-0x0000000000E50000-0x0000000000E5A000-memory.dmp

memory/2824-49-0x000007FEF5030000-0x000007FEF5A1C000-memory.dmp

memory/2824-50-0x000007FEF5030000-0x000007FEF5A1C000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe

MD5 8821f3fdb6c4e06871bb3a4e4ac83492
SHA1 707c070a44bb747aa9e40156899a2b3a396797be
SHA256 1f41754a4416206cd608f89ea14631d287e54d3e7d9fff8d3f7fb2510878a98a
SHA512 d542aa865bc50105746beb39acb8ac63a307d328442c47ec97706527f6abeef1ff731ba9ced77d105b30f109da395e8311c51b78279de34c0174876ae053edf7

memory/2824-51-0x000007FEF5030000-0x000007FEF5A1C000-memory.dmp

memory/1504-61-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1504-62-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1504-63-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1504-65-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1504-64-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1504-68-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1504-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1504-66-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1504-70-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1504-72-0x0000000000400000-0x0000000000428000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:34

Reported

2023-10-10 20:50

Platform

win10v2004-20230915-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5640688.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6870723.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe
PID 2108 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe
PID 2108 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe
PID 3712 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe
PID 3712 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe
PID 3712 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe
PID 2620 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe
PID 2620 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe
PID 2620 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe
PID 1492 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe
PID 1492 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe
PID 1492 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe
PID 1264 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe
PID 1264 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe
PID 1264 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe
PID 1264 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe
PID 1264 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe
PID 4972 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4972 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4972 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4972 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4972 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4972 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4972 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4972 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4972 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4972 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1492 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe
PID 1492 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe
PID 1492 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe
PID 1744 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2620 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5640688.exe
PID 2620 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5640688.exe
PID 2620 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5640688.exe
PID 3336 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5640688.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3336 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5640688.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3336 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5640688.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3712 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6870723.exe
PID 3712 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6870723.exe
PID 3712 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6870723.exe
PID 840 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 840 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 840 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 840 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6870723.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 2972 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6870723.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 2972 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6870723.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 3216 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3216 wrote to memory of 716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe

"C:\Users\Admin\AppData\Local\Temp\174e56bf44835ab2ef1ebf316ffd9e8591bd27bd3c5f2b42661040e141a5d1e2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4972 -ip 4972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1572 -ip 1572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 584

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1744 -ip 1744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5640688.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5640688.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6870723.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6870723.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6434656.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6434656.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 182.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3560817.exe

MD5 8f4c4cd9dea78070268d2e3529a6c9fe
SHA1 8662d9d75d9424666c115ed6c1ed2799f28b09fd
SHA256 19321addea70bbc5479e48168924899b5dcbece1f38325178cb658f31a9fa778
SHA512 ee11565f2c6673b7dfa52f59219e4b2c64751d60b230218f3203e7dfe5d860a8b283fdd6274dfa59d1ee30b3054697d1dad40712f58e7a73b8e923e984040b5e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2938605.exe

MD5 777fda121dc2c05dac6a859bef06fd9f
SHA1 45c5e60ba4b6560538655f6bf9d26c9ec7f7b990
SHA256 94ef91901cfbee6934713ef56318496400db0d285c4116a2d88067be037d3077
SHA512 71f6cbbceefa5c6b3b189bb01be9cfcfdb7198a6a030fb424da2dd0048fb85d7d10947dddc45a75a277a2806bc36644e05b49ff4202cb974df0d85fbc4dcb349

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2727794.exe

MD5 8338993f9102c776262f057ca8ee9ad3
SHA1 46fde7d02b32d4a14fb50399453b08761905c621
SHA256 f0897e28d56dc3c6829ab8c4a35493db94daeb97a9490f95c7d75fb1cc12e6c6
SHA512 8a2156fe2e4b916f11f8bae6b545b304472ea3141e68a3ee54c1ca49b2faeeccc415ae4276bf4d08291814aff3fe5ab8d0c2ef07474f2c90ea8b69726a40b457

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8439962.exe

MD5 fa338af5f5b5ac1cadf87a93bde0efb7
SHA1 8da1e51856c3fe9a32e19bfb0e8308b567b526cc
SHA256 4f9cdd5df77cfbba55deb15a25f28fbb539b3a7c8e94d8a8769b5ad05e988ea3
SHA512 045a7b4eb8ccd6ed819d38b65056d287b0eaa747e332ac8ad603eeede8ce8d0b3e3a2adea63c692a1a3e5699ea065445bd8125e2adbf8b13308a298e24f9790e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9944549.exe

MD5 cb3f3a4d067169ce76c05db6de8ee8bd
SHA1 96ddcc0df2e979c6306c57689eddcc0dd5acbe10
SHA256 61fbd77ed4a94b1888a04324b477e70d8a347d361862f743921a0ab81ae3d802
SHA512 6f48dc353b47084c4c9a5b5d2d8a1dca41f497bc64b22c98fb9390998a39060258ffae154bb3e765e313475c7f6aef63226870b8f3407278cd71a59d8ea080c4

memory/2552-35-0x0000000000600000-0x000000000060A000-memory.dmp

memory/2552-36-0x00007FF9DB9D0000-0x00007FF9DC491000-memory.dmp

memory/2552-37-0x00007FF9DB9D0000-0x00007FF9DC491000-memory.dmp

memory/2552-39-0x00007FF9DB9D0000-0x00007FF9DC491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2236804.exe

MD5 8821f3fdb6c4e06871bb3a4e4ac83492
SHA1 707c070a44bb747aa9e40156899a2b3a396797be
SHA256 1f41754a4416206cd608f89ea14631d287e54d3e7d9fff8d3f7fb2510878a98a
SHA512 d542aa865bc50105746beb39acb8ac63a307d328442c47ec97706527f6abeef1ff731ba9ced77d105b30f109da395e8311c51b78279de34c0174876ae053edf7

memory/1572-43-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1572-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1572-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1572-47-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4739947.exe

MD5 e29129cbf11b9c414404e03bc7ea82f4
SHA1 a2dc6f91896f105b5da16887a37bf1b18f5b3185
SHA256 f2c1d8319c74b498fa88426f9c8e959497af908ffb0a3ee8aa1912300c743f24
SHA512 829bb6af9fc955d96b75462566ed7207986dbb2c3345096e8de5417fdfd7e2ff8783573a7db8c8a5ec50288e5ce9041b3debc11fa3189148ade109dff67a46fa

memory/2204-51-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t5640688.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2204-57-0x0000000074140000-0x00000000748F0000-memory.dmp

memory/2204-58-0x0000000001100000-0x0000000001106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6870723.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/2204-71-0x00000000057F0000-0x0000000005E08000-memory.dmp

memory/2204-76-0x00000000052E0000-0x00000000053EA000-memory.dmp

memory/2204-81-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

memory/2204-80-0x0000000005210000-0x0000000005222000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6434656.exe

MD5 950b13103fb639c026a51c05a54ee779
SHA1 287a11e911a2f085dc2180c7e202ebe817996291
SHA256 d0f9e60a2c1326300f921314e70472b1cdbd45abb38f05905fa8d92508d9eeab
SHA512 77446cc36c898991bd748dce80d9a8c291be4b0928cc5b51a3435c73a528dfab3d5cc73aaef891ab8d63aa9d889f20c0a8ff1c0a82f116a0b67df28bb0038d11

memory/2204-84-0x0000000005270000-0x00000000052AC000-memory.dmp

memory/2204-86-0x00000000053F0000-0x000000000543C000-memory.dmp

memory/2204-87-0x0000000074140000-0x00000000748F0000-memory.dmp

memory/2204-88-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33
