Analysis Overview
SHA256
fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90
Threat Level: Known bad
The file fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90 was found to be: Known bad.
Malicious Activity Summary
Detect Mystic stealer payload
Modifies Windows Defender Real-time Protection settings
Healer
Mystic
Amadey
Detects Healer an antivirus disabler dropper
RedLine
Windows security modification
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 20:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 20:45
Reported
2023-10-10 21:13
Platform
win7-20230831-en
Max time kernel
122s
Max time network
150s
Command Line
Signatures
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
Mystic
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe | N/A |
Loads dropped DLL
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2484 set thread context of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe
"C:\Users\Admin\AppData\Local\Temp\fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 36
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 268
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe
| MD5 | 0f6fb44ed64d409e7b22681d6eccf35a |
| SHA1 | cddf8832797d0b86899200dc78e8b3bd628cb824 |
| SHA256 | ea0ee31c7040738ad083db91f618126aaa7d8aec67197d94e68ffa6ae6b40689 |
| SHA512 | 46eb171de3ef09f49bc52ccec01dbd0491d6dc55e2e83bbcbf034ab5a61ae657cee348258f77f77d05f66fc5b7901a10717a88daf4705c217303dafb0ad93b4d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe
| MD5 | 0f6fb44ed64d409e7b22681d6eccf35a |
| SHA1 | cddf8832797d0b86899200dc78e8b3bd628cb824 |
| SHA256 | ea0ee31c7040738ad083db91f618126aaa7d8aec67197d94e68ffa6ae6b40689 |
| SHA512 | 46eb171de3ef09f49bc52ccec01dbd0491d6dc55e2e83bbcbf034ab5a61ae657cee348258f77f77d05f66fc5b7901a10717a88daf4705c217303dafb0ad93b4d |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe
| MD5 | 24ecc57390242b77f453882f38f388b6 |
| SHA1 | 3bdfa84d6aeaf6b4ebb3425504765acf67b424e8 |
| SHA256 | 6cc87071e2158312085c87c31b8272178f5e2c27da57b755fb2c7e05fc6daf1a |
| SHA512 | 7c1ba2c26cbf70f12afdfa505d12a66d33a0631c1e2aa99849636952641c30193bd3c7005d3989d623d476661fc48f3b69d87384dcf6d0e76926fd457b1ebc0b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe
| MD5 | 24ecc57390242b77f453882f38f388b6 |
| SHA1 | 3bdfa84d6aeaf6b4ebb3425504765acf67b424e8 |
| SHA256 | 6cc87071e2158312085c87c31b8272178f5e2c27da57b755fb2c7e05fc6daf1a |
| SHA512 | 7c1ba2c26cbf70f12afdfa505d12a66d33a0631c1e2aa99849636952641c30193bd3c7005d3989d623d476661fc48f3b69d87384dcf6d0e76926fd457b1ebc0b |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe
| MD5 | 6b2d990dc07cf8c2e172d03474b23404 |
| SHA1 | 73ccd488cf1b5466f62bf3c27e131ed3bc902cb3 |
| SHA256 | c87129f6e0a615abd35be86ef6cdcd066865311e5802d20d264c6db19a50dc4d |
| SHA512 | d845b76f67d715da8d80ce20dc4ff38600c6c31667aa1cc4a14589e155edd728b6e11ded4c7c5f3585a0ce5628d171d41abf4632bf87e54a4183c2d7d6c35f38 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe
| MD5 | 6b2d990dc07cf8c2e172d03474b23404 |
| SHA1 | 73ccd488cf1b5466f62bf3c27e131ed3bc902cb3 |
| SHA256 | c87129f6e0a615abd35be86ef6cdcd066865311e5802d20d264c6db19a50dc4d |
| SHA512 | d845b76f67d715da8d80ce20dc4ff38600c6c31667aa1cc4a14589e155edd728b6e11ded4c7c5f3585a0ce5628d171d41abf4632bf87e54a4183c2d7d6c35f38 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe
| MD5 | 895409a60865c8ae2567dd6f6c08ed57 |
| SHA1 | bbc2fa3424e906ff91c494ef9e52aceec99f8cfa |
| SHA256 | 08c84a534fb485e46eacd8061ba866d4dc2aba36d34f70a33c842818cdee8ee5 |
| SHA512 | d127d51044d283f49850f86cb52910c7bc6c776ecc5e9654dccbc05151c6e7fc109ac4e3f60a7d843fb9fd94d448692b6a49a841bac5b6fbf8bd85b8dd0b779e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe
| MD5 | 895409a60865c8ae2567dd6f6c08ed57 |
| SHA1 | bbc2fa3424e906ff91c494ef9e52aceec99f8cfa |
| SHA256 | 08c84a534fb485e46eacd8061ba866d4dc2aba36d34f70a33c842818cdee8ee5 |
| SHA512 | d127d51044d283f49850f86cb52910c7bc6c776ecc5e9654dccbc05151c6e7fc109ac4e3f60a7d843fb9fd94d448692b6a49a841bac5b6fbf8bd85b8dd0b779e |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe
| MD5 | 417bf355ff406c10fd30628dc9629590 |
| SHA1 | 2679d7839e4e361ea016e99e453b981002dc2d71 |
| SHA256 | 9eea16179fbb0add20846370c57fc4973b3f6726983712d8314df208527b6b9b |
| SHA512 | da8d590bb3a786087512aa99ed2e081aac67780b6b5e14a03e13dee3a2f59f23c8b21617b9ce961bfed5644626b433fbd8ceb4965a1e5e796113c1a8473bf966 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe
| MD5 | 417bf355ff406c10fd30628dc9629590 |
| SHA1 | 2679d7839e4e361ea016e99e453b981002dc2d71 |
| SHA256 | 9eea16179fbb0add20846370c57fc4973b3f6726983712d8314df208527b6b9b |
| SHA512 | da8d590bb3a786087512aa99ed2e081aac67780b6b5e14a03e13dee3a2f59f23c8b21617b9ce961bfed5644626b433fbd8ceb4965a1e5e796113c1a8473bf966 |
memory/2688-48-0x00000000009B0000-0x00000000009BA000-memory.dmp
memory/2688-49-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp
memory/2688-50-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp
memory/2688-51-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe
| MD5 | 4186d77c96511ae22ef295132a469f08 |
| SHA1 | da0498d6bc8ae72ba77910879523e47875e6a9bf |
| SHA256 | 28c41fcf920a949921c7c6c43195b9bc38c60eec39c4a156fd704c6c33a43caa |
| SHA512 | e0f4104b538089e7fc8ecc818681a2adbf615c2ac0be2be9fb1ba3c1718037da69ded59a894a1a5252400f938fb742deef30bad07d29f95d737f0e8d67b833a8 |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe
| MD5 | 4186d77c96511ae22ef295132a469f08 |
| SHA1 | da0498d6bc8ae72ba77910879523e47875e6a9bf |
| SHA256 | 28c41fcf920a949921c7c6c43195b9bc38c60eec39c4a156fd704c6c33a43caa |
| SHA512 | e0f4104b538089e7fc8ecc818681a2adbf615c2ac0be2be9fb1ba3c1718037da69ded59a894a1a5252400f938fb742deef30bad07d29f95d737f0e8d67b833a8 |
memory/2524-61-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2524-62-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2524-63-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2524-64-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2524-65-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2524-66-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2524-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2524-68-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2524-70-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2524-72-0x0000000000400000-0x0000000000428000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-10 20:45
Reported
2023-10-10 21:12
Platform
win10v2004-20230915-en
Max time kernel
152s
Max time network
165s
Command Line
Signatures
Amadey
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
Mystic
RedLine
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7944559.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9928137.exe | N/A |
Executes dropped EXE
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4556 set thread context of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3736 set thread context of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6222964.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe
"C:\Users\Admin\AppData\Local\Temp\fbaaf142d79893fa37e6660341cd9130ad99d286884dba77eee9ee008a2a1f90.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4556 -ip 4556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3052 -ip 3052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 584
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6222964.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6222964.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3736 -ip 3736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 152
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7944559.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7944559.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9928137.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9928137.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2149483.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2149483.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 254.210.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1101304.exe
| MD5 | 0f6fb44ed64d409e7b22681d6eccf35a |
| SHA1 | cddf8832797d0b86899200dc78e8b3bd628cb824 |
| SHA256 | ea0ee31c7040738ad083db91f618126aaa7d8aec67197d94e68ffa6ae6b40689 |
| SHA512 | 46eb171de3ef09f49bc52ccec01dbd0491d6dc55e2e83bbcbf034ab5a61ae657cee348258f77f77d05f66fc5b7901a10717a88daf4705c217303dafb0ad93b4d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5749368.exe
| MD5 | 24ecc57390242b77f453882f38f388b6 |
| SHA1 | 3bdfa84d6aeaf6b4ebb3425504765acf67b424e8 |
| SHA256 | 6cc87071e2158312085c87c31b8272178f5e2c27da57b755fb2c7e05fc6daf1a |
| SHA512 | 7c1ba2c26cbf70f12afdfa505d12a66d33a0631c1e2aa99849636952641c30193bd3c7005d3989d623d476661fc48f3b69d87384dcf6d0e76926fd457b1ebc0b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7803993.exe
| MD5 | 6b2d990dc07cf8c2e172d03474b23404 |
| SHA1 | 73ccd488cf1b5466f62bf3c27e131ed3bc902cb3 |
| SHA256 | c87129f6e0a615abd35be86ef6cdcd066865311e5802d20d264c6db19a50dc4d |
| SHA512 | d845b76f67d715da8d80ce20dc4ff38600c6c31667aa1cc4a14589e155edd728b6e11ded4c7c5f3585a0ce5628d171d41abf4632bf87e54a4183c2d7d6c35f38 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3509958.exe
| MD5 | 895409a60865c8ae2567dd6f6c08ed57 |
| SHA1 | bbc2fa3424e906ff91c494ef9e52aceec99f8cfa |
| SHA256 | 08c84a534fb485e46eacd8061ba866d4dc2aba36d34f70a33c842818cdee8ee5 |
| SHA512 | d127d51044d283f49850f86cb52910c7bc6c776ecc5e9654dccbc05151c6e7fc109ac4e3f60a7d843fb9fd94d448692b6a49a841bac5b6fbf8bd85b8dd0b779e |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe
| MD5 | 417bf355ff406c10fd30628dc9629590 |
| SHA1 | 2679d7839e4e361ea016e99e453b981002dc2d71 |
| SHA256 | 9eea16179fbb0add20846370c57fc4973b3f6726983712d8314df208527b6b9b |
| SHA512 | da8d590bb3a786087512aa99ed2e081aac67780b6b5e14a03e13dee3a2f59f23c8b21617b9ce961bfed5644626b433fbd8ceb4965a1e5e796113c1a8473bf966 |
memory/5040-35-0x00000000009E0000-0x00000000009EA000-memory.dmp
memory/5040-36-0x00007FF909E10000-0x00007FF90A8D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7148277.exe
| MD5 | 4186d77c96511ae22ef295132a469f08 |
| SHA1 | da0498d6bc8ae72ba77910879523e47875e6a9bf |
| SHA256 | 28c41fcf920a949921c7c6c43195b9bc38c60eec39c4a156fd704c6c33a43caa |
| SHA512 | e0f4104b538089e7fc8ecc818681a2adbf615c2ac0be2be9fb1ba3c1718037da69ded59a894a1a5252400f938fb742deef30bad07d29f95d737f0e8d67b833a8 |
memory/5040-40-0x00007FF909E10000-0x00007FF90A8D1000-memory.dmp
memory/3052-42-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3052-43-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3052-44-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3052-46-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6222964.exe
| MD5 | 861e8d2170e82fecd19492b63bbd5fa6 |
| SHA1 | 84d9dbbaf992ff23c31dac2165ef39ca3eadf8db |
| SHA256 | 47859ee9e62478aab82cea2f583dc924fddadf52bbe9f17eb068a24928fd0d60 |
| SHA512 | 798a5fb3d5cebd7fa9336c4d4027f00862a2adab24924e65024f4898a4e423dfcced124ce556ea823f9079ac9ba0fcc0c6b1ca29c98884c764626bfefaa2e29c |
memory/1544-50-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1544-51-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/1544-52-0x00000000054C0000-0x00000000054C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7944559.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/1544-58-0x0000000005BE0000-0x00000000061F8000-memory.dmp
memory/1544-63-0x00000000056D0000-0x00000000057DA000-memory.dmp
memory/1544-64-0x0000000005510000-0x0000000005522000-memory.dmp
memory/1544-65-0x00000000055B0000-0x00000000055C0000-memory.dmp
memory/1544-69-0x0000000005570000-0x00000000055AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9928137.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/1544-75-0x00000000055D0000-0x000000000561C000-memory.dmp
memory/1544-82-0x00000000745C0000-0x0000000074D70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2149483.exe
| MD5 | 5f743f5d6f83702752d94a3235908fec |
| SHA1 | b8b723c7a71753d4ccd95123283e39efe3cae202 |
| SHA256 | bcf59b82c856523563a7323cd9d08614743355066615c94cc6d8f91fe3bf7634 |
| SHA512 | 59e7a97eb293b5f52ed04d3bfc7a2dd3833c4676573d2e599fb44bedace2adb7da516a4e86b3fbf373b415129c49553fcdf236eac3c77c22648f4df1f9d14d3f |
memory/1544-87-0x00000000055B0000-0x00000000055C0000-memory.dmp
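The Files list records one entry per drop event, so the same binary shows up repeatedly and, in two cases, under different paths: t7944559.exe reappears as fefffe8cea\explothe.exe and u9928137.exe as cb378487cf\legota.exe with identical hashes, which is the stage copying itself out of the IXP00N.TMP extraction directory into a persistent location. The script below is an added example, not part of this report or of the sandbox vendor's tooling. It parses entries in the layout used above, collapses them by SHA256, flags hashes seen under more than one path, and hashes a directory tree against the resulting set for hunting. The embedded sample is a constructed excerpt copied from the entries above; the function and variable names are the author's own.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample: a few "Files" entries copied from the report above, in the
# same path-then-hash-table layout. The repeated entry is deliberate, because the
# report lists each drop event separately.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7944559.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7944559.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
memory/1544-58-0x0000000005BE0000-0x00000000061F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1529595.exe
| MD5 | 417bf355ff406c10fd30628dc9629590 |
| SHA1 | 2679d7839e4e361ea016e99e453b981002dc2d71 |
| SHA256 | 9eea16179fbb0add20846370c57fc4973b3f6726983712d8314df208527b6b9b |
"""

# A Windows path line opens a new entry; a "| ALGO | hex |" row attaches to it.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files_section(text):
    """Return a list of (path, {algo: digest}) entries, one per drop event."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = (line, {})
            entries.append(current)
        elif current is not None and (m := HASH_RE.match(line)):
            current[1][m.group(1)] = m.group(2).lower()
        else:
            # memory dumps, blank lines and anything else end the current entry
            current = None
    return entries


def group_by_sha256(entries):
    """Collapse duplicate drop events: SHA256 -> sorted list of unique paths."""
    groups = defaultdict(set)
    for path, hashes in entries:
        if "SHA256" in hashes:
            groups[hashes["SHA256"]].add(path)
    return {digest: sorted(paths) for digest, paths in groups.items()}


def relocated_copies(groups):
    """Hashes seen under more than one path: the same binary copied elsewhere."""
    return {digest: paths for digest, paths in groups.items() if len(paths) > 1}


def hunt_directory(root, groups):
    """Hash every regular file under root and return (path, sha256) hits."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            if digest in groups:
                hits.append((str(p), digest))
    return hits


if __name__ == "__main__":
    groups = group_by_sha256(parse_files_section(SAMPLE_REPORT))
    for digest, paths in groups.items():
        print(digest)
        for path in paths:
            print("    ", path)
    for digest, paths in relocated_copies(groups).items():
        print("copied:", digest[:12], "->", " | ".join(paths))
```

Grouping by SHA256 rather than by path is what makes the relocation visible: the IXP00N.TMP and ten-hex-character directory names change from run to run, but the hash of the copied stage does not, so the SHA256 set (not the paths) is what to feed into an EDR or hash-based hunt. Point `hunt_directory` at a user profile to check a host against the set.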