Analysis Overview
SHA256
f6199a143c49d9df5a9beaee4caf259c4cc4417d501d0ee076eb291a4477ace4
Threat Level: Known bad
The file f6199a143c49d9df5a9beaee4caf259c4cc4417d501d0ee076eb291a4477ace4 was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine
Detects Healer an antivirus disabler dropper
Mystic
Amadey
Detect Mystic stealer payload
Modifies Windows Defender Real-time Protection settings
Windows security modification
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 20:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 20:36
Reported
2023-10-10 20:55
Platform
win7-20230831-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
Mystic
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4333362.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9148283.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5710407.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7005783.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe | N/A |
Loads dropped DLL
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5710407.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7005783.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f6199a143c49d9df5a9beaee4caf259c4cc4417d501d0ee076eb291a4477ace4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4333362.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9148283.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2736 set thread context of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f6199a143c49d9df5a9beaee4caf259c4cc4417d501d0ee076eb291a4477ace4.exe
"C:\Users\Admin\AppData\Local\Temp\f6199a143c49d9df5a9beaee4caf259c4cc4417d501d0ee076eb291a4477ace4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4333362.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4333362.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9148283.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9148283.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5710407.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5710407.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7005783.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7005783.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 36
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 268
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4333362.exe
| MD5 | ee123d148d34f2f3ddd3ff585edd2b79 |
| SHA1 | 6b261f5edf08f60c84928630513f8ff9b29c89db |
| SHA256 | 9cf6b1820b9fb53b00c5c2790a147593cb846907c24e557a85dcaa0d4bd874cf |
| SHA512 | 92e0009ec34a7b6aaef3e8dd2cabb2033ecda3ada50b678e8e9a08464a2638d7bb42d90ccff0866cce40c0b35315ace70ce5451d90e5ead0b90bbcdf373608a0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4333362.exe
| MD5 | ee123d148d34f2f3ddd3ff585edd2b79 |
| SHA1 | 6b261f5edf08f60c84928630513f8ff9b29c89db |
| SHA256 | 9cf6b1820b9fb53b00c5c2790a147593cb846907c24e557a85dcaa0d4bd874cf |
| SHA512 | 92e0009ec34a7b6aaef3e8dd2cabb2033ecda3ada50b678e8e9a08464a2638d7bb42d90ccff0866cce40c0b35315ace70ce5451d90e5ead0b90bbcdf373608a0 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9148283.exe
| MD5 | 64193ebbee10735f17508dea7c940cd1 |
| SHA1 | 7aa59c947f6f9285876d982a41d3917b4ee9715e |
| SHA256 | 605d99a97e940dc1dfc65a65fdb58720f316d0c1573e450dde18d8fd37daa5c3 |
| SHA512 | 6fc3d5f49971a9c4b3c3310238caa6222c6678ddb5d73dd83e9ecc2e3f1007086be547a10174a6adaa779880248bcb715c96b70dafc9f36a97d24b03325fa78d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9148283.exe
| MD5 | 64193ebbee10735f17508dea7c940cd1 |
| SHA1 | 7aa59c947f6f9285876d982a41d3917b4ee9715e |
| SHA256 | 605d99a97e940dc1dfc65a65fdb58720f316d0c1573e450dde18d8fd37daa5c3 |
| SHA512 | 6fc3d5f49971a9c4b3c3310238caa6222c6678ddb5d73dd83e9ecc2e3f1007086be547a10174a6adaa779880248bcb715c96b70dafc9f36a97d24b03325fa78d |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5710407.exe
| MD5 | 29e7456884ecc6d3e203447d730fcddf |
| SHA1 | 73ac855c019287d4c0b09c2f1f8fc725834b9151 |
| SHA256 | 9a16e4ce9bb52471a424167679ff9b938b95efedd3e5ed6fcb0deaa57ecb9488 |
| SHA512 | 0fae4a0c3b083bd1e879fe7f6441ed7e48076a09cdd3a34c3d144b8b1c7116e4bc7b7842911280d17d3ae8906659f4ebf012a4093f6debe8bc2c551570bad017 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5710407.exe
| MD5 | 29e7456884ecc6d3e203447d730fcddf |
| SHA1 | 73ac855c019287d4c0b09c2f1f8fc725834b9151 |
| SHA256 | 9a16e4ce9bb52471a424167679ff9b938b95efedd3e5ed6fcb0deaa57ecb9488 |
| SHA512 | 0fae4a0c3b083bd1e879fe7f6441ed7e48076a09cdd3a34c3d144b8b1c7116e4bc7b7842911280d17d3ae8906659f4ebf012a4093f6debe8bc2c551570bad017 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7005783.exe
| MD5 | 3b69619d2f6d2cc036f8b1d0a1de31de |
| SHA1 | bff6d69c2d572bddb0d9d65073818be9522c6508 |
| SHA256 | f31400334913422f9b302513c661a537ad1d3b5ad0e3910e6c881f8cae0e01bb |
| SHA512 | f4a53b229a2da4ca5dec7ac12adc1ab5402f043d7dbde33a0177d16555168db7a2e5be7e8d19bd67a670d7c4b8a08ab266d58547686ddf421e0fabe2e267fec0 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7005783.exe
| MD5 | 3b69619d2f6d2cc036f8b1d0a1de31de |
| SHA1 | bff6d69c2d572bddb0d9d65073818be9522c6508 |
| SHA256 | f31400334913422f9b302513c661a537ad1d3b5ad0e3910e6c881f8cae0e01bb |
| SHA512 | f4a53b229a2da4ca5dec7ac12adc1ab5402f043d7dbde33a0177d16555168db7a2e5be7e8d19bd67a670d7c4b8a08ab266d58547686ddf421e0fabe2e267fec0 |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe
| MD5 | 7cccedc416776760d131a844e9101abe |
| SHA1 | 5db2b361d70cde00e42a62ee146d4aae7a02ed03 |
| SHA256 | 849d20ab15fce28c2dcf8e898dd9e1a0f49749855e71a6afe130265049708e7f |
| SHA512 | b49880853caef3b79cebd99316a49ba2e1e81c64f4a0922c383fcc17f52c277e7a6f30eae67e4df771f3383795ff30c4be8508c7c8202245dd8d1ba878548adb |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe
| MD5 | 7cccedc416776760d131a844e9101abe |
| SHA1 | 5db2b361d70cde00e42a62ee146d4aae7a02ed03 |
| SHA256 | 849d20ab15fce28c2dcf8e898dd9e1a0f49749855e71a6afe130265049708e7f |
| SHA512 | b49880853caef3b79cebd99316a49ba2e1e81c64f4a0922c383fcc17f52c277e7a6f30eae67e4df771f3383795ff30c4be8508c7c8202245dd8d1ba878548adb |
memory/2088-48-0x0000000000E00000-0x0000000000E0A000-memory.dmp
memory/2088-49-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
memory/2088-50-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe
| MD5 | e82bc5bff26f3a7277722967290d0270 |
| SHA1 | 8bb3a1901ecfcc1fa81170f55c332eda258d579e |
| SHA256 | 6fd973c4720af659b7dcbc31bd24f5e00a83c9c4dd0c6170811512f1c8cb9250 |
| SHA512 | 9c87b65fc090674580dbb9c5316a967ea4b7221ac476a36063f87e5fae71d6abe69c80ca2a98309e997474f107ebafa1632db10f6166dfc42e803bc917d384ea |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe
| MD5 | e82bc5bff26f3a7277722967290d0270 |
| SHA1 | 8bb3a1901ecfcc1fa81170f55c332eda258d579e |
| SHA256 | 6fd973c4720af659b7dcbc31bd24f5e00a83c9c4dd0c6170811512f1c8cb9250 |
| SHA512 | 9c87b65fc090674580dbb9c5316a967ea4b7221ac476a36063f87e5fae71d6abe69c80ca2a98309e997474f107ebafa1632db10f6166dfc42e803bc917d384ea |
memory/2088-51-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp
memory/2560-63-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2560-72-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2560-70-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2560-68-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2560-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2560-66-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2560-65-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2560-64-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2560-62-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2560-61-0x0000000000400000-0x0000000000428000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-10 20:36
Reported
2023-10-10 20:57
Platform
win10v2004-20230915-en
Max time kernel
176s
Max time network
185s
Command Line
Signatures
Amadey
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
Mystic
RedLine
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1873640.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4782406.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
Executes dropped EXE
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4333362.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9148283.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5710407.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7005783.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f6199a143c49d9df5a9beaee4caf259c4cc4417d501d0ee076eb291a4477ace4.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1532 set thread context of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4972 set thread context of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2567197.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f6199a143c49d9df5a9beaee4caf259c4cc4417d501d0ee076eb291a4477ace4.exe
"C:\Users\Admin\AppData\Local\Temp\f6199a143c49d9df5a9beaee4caf259c4cc4417d501d0ee076eb291a4477ace4.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4333362.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4333362.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9148283.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9148283.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5710407.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5710407.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7005783.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7005783.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1532 -ip 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3572 -ip 3572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 156
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2567197.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2567197.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4972 -ip 4972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 152
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1873640.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1873640.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4782406.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4782406.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0304267.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0304267.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4333362.exe
| MD5 | ee123d148d34f2f3ddd3ff585edd2b79 |
| SHA1 | 6b261f5edf08f60c84928630513f8ff9b29c89db |
| SHA256 | 9cf6b1820b9fb53b00c5c2790a147593cb846907c24e557a85dcaa0d4bd874cf |
| SHA512 | 92e0009ec34a7b6aaef3e8dd2cabb2033ecda3ada50b678e8e9a08464a2638d7bb42d90ccff0866cce40c0b35315ace70ce5451d90e5ead0b90bbcdf373608a0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9148283.exe
| MD5 | 64193ebbee10735f17508dea7c940cd1 |
| SHA1 | 7aa59c947f6f9285876d982a41d3917b4ee9715e |
| SHA256 | 605d99a97e940dc1dfc65a65fdb58720f316d0c1573e450dde18d8fd37daa5c3 |
| SHA512 | 6fc3d5f49971a9c4b3c3310238caa6222c6678ddb5d73dd83e9ecc2e3f1007086be547a10174a6adaa779880248bcb715c96b70dafc9f36a97d24b03325fa78d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5710407.exe
| MD5 | 29e7456884ecc6d3e203447d730fcddf |
| SHA1 | 73ac855c019287d4c0b09c2f1f8fc725834b9151 |
| SHA256 | 9a16e4ce9bb52471a424167679ff9b938b95efedd3e5ed6fcb0deaa57ecb9488 |
| SHA512 | 0fae4a0c3b083bd1e879fe7f6441ed7e48076a09cdd3a34c3d144b8b1c7116e4bc7b7842911280d17d3ae8906659f4ebf012a4093f6debe8bc2c551570bad017 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7005783.exe
| MD5 | 3b69619d2f6d2cc036f8b1d0a1de31de |
| SHA1 | bff6d69c2d572bddb0d9d65073818be9522c6508 |
| SHA256 | f31400334913422f9b302513c661a537ad1d3b5ad0e3910e6c881f8cae0e01bb |
| SHA512 | f4a53b229a2da4ca5dec7ac12adc1ab5402f043d7dbde33a0177d16555168db7a2e5be7e8d19bd67a670d7c4b8a08ab266d58547686ddf421e0fabe2e267fec0 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8787578.exe
| MD5 | 7cccedc416776760d131a844e9101abe |
| SHA1 | 5db2b361d70cde00e42a62ee146d4aae7a02ed03 |
| SHA256 | 849d20ab15fce28c2dcf8e898dd9e1a0f49749855e71a6afe130265049708e7f |
| SHA512 | b49880853caef3b79cebd99316a49ba2e1e81c64f4a0922c383fcc17f52c277e7a6f30eae67e4df771f3383795ff30c4be8508c7c8202245dd8d1ba878548adb |
memory/2592-35-0x0000000000390000-0x000000000039A000-memory.dmp
memory/2592-36-0x00007FFA8DE60000-0x00007FFA8E921000-memory.dmp
memory/2592-37-0x00007FFA8DE60000-0x00007FFA8E921000-memory.dmp
memory/2592-39-0x00007FFA8DE60000-0x00007FFA8E921000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7116732.exe
| MD5 | e82bc5bff26f3a7277722967290d0270 |
| SHA1 | 8bb3a1901ecfcc1fa81170f55c332eda258d579e |
| SHA256 | 6fd973c4720af659b7dcbc31bd24f5e00a83c9c4dd0c6170811512f1c8cb9250 |
| SHA512 | 9c87b65fc090674580dbb9c5316a967ea4b7221ac476a36063f87e5fae71d6abe69c80ca2a98309e997474f107ebafa1632db10f6166dfc42e803bc917d384ea |
memory/3572-43-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3572-44-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3572-45-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3572-47-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2567197.exe
| MD5 | 733109c57dca24f86628dc71caecc83a |
| SHA1 | f3d8c3cf4ab0c4732c3fe8baf696fbc4b5b32ab1 |
| SHA256 | c8c1ecd3f5c63a603e10ffc1f1f669364d8a1edc8c82f1bad754bf4519d73be4 |
| SHA512 | 07a5c459a54824654c1948e536b05facc9b3ec1e7f711a909cbde9f677fb480c83de24a42e3752f5b28c11c72c97a62a169d75fe8c30006fbd9586f395b34fb2 |
memory/3280-51-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1873640.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/3280-63-0x0000000074150000-0x0000000074900000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u4782406.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/3280-68-0x0000000002DB0000-0x0000000002DB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0304267.exe
| MD5 | 7fcdef23d334aab6ce4661d2c8882cc7 |
| SHA1 | 56980302d40c3e6f1623e2034ababd2029012c56 |
| SHA256 | 9b7a3b3798794c6e6fade65114379e5864daf2b1aecca8a120ee2a01945be139 |
| SHA512 | 5a74e77729e312eb23210567b3ac4054ecccb4c65ccc74ee2ebb73104edd4edfb6676be14c8e2ebd44a044eede96ef70195d4d9002fa85ef22734b4f87fc844c |
memory/3280-81-0x0000000005BA0000-0x00000000061B8000-memory.dmp
memory/3280-82-0x0000000005690000-0x000000000579A000-memory.dmp
memory/3280-83-0x0000000005470000-0x0000000005480000-memory.dmp
memory/3280-84-0x0000000074150000-0x0000000074900000-memory.dmp
memory/3280-85-0x0000000005580000-0x0000000005592000-memory.dmp
memory/3280-86-0x00000000055E0000-0x000000000561C000-memory.dmp
memory/3280-87-0x0000000005470000-0x0000000005480000-memory.dmp
memory/3280-88-0x0000000005630000-0x000000000567C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 6d5040418450624fef735b49ec6bffe9 |
| SHA1 | 5fff6a1a620a5c4522aead8dbd0a5a52570e8773 |
| SHA256 | dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3 |
| SHA512 | bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |