Analysis Overview
SHA256
4042bc1e3de52c1fa2ec03d39b0a8632b8ca97f1beea1764eb78104cf6a3b716
Threat Level: Known bad
The file 4042bc1e3de52c1fa2ec03d39b0a8632b8ca97f1beea1764eb78104cf6a3b716 was found to be: Known bad.
Malicious Activity Summary
Amadey
Mystic
Healer
Detect Mystic stealer payload
Modifies Windows Defender Real-time Protection settings
Detects Healer an antivirus disabler dropper
Checks computer location settings
Windows security modification
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Launches sc.exe
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-10 20:46
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-10 20:46
Reported
2023-10-10 21:16
Platform
win7-20230831-en
Max time kernel
122s
Max time network
145s
Command Line
Signatures
Detect Mystic stealer payload
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
Mystic
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe | N/A |
Loads dropped DLL
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
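Detection logic for the Defender writes in the two tables above (the Real-Time Protection policy values set to 1 and the TamperProtection feature flag set to 0), written as an added example for this page; it is not code from the sandbox or from the sample. It parses the report's own "Set value (int)" rows (copies embedded below as constructed input, plus one constructed row under a fictitious vendor key that must not fire) and returns which protections the writing process switched off. Whether Defender honoured the writes is a separate question: the Windows 7 image used for behavioral1 has no Tamper Protection, and on Windows 10 the outcome depends on whether Tamper Protection is enforced. The sandbox signature fires on the write itself, and so does this check.

```python
"""Flag Windows Defender policy tampering in sandbox registry telemetry.

Added example for this page; not code from the sandbox or the sample."""
import re
from dataclasses import dataclass

# Policy values under the Real-Time Protection policy key that switch a
# protection off when set to 1, with what each one disables.
REALTIME_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DISABLE_VALUES = {
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableScanOnRealtimeEnable": "catch-up scan when real-time protection is re-enabled",
}
# Feature flag that the sample clears (0 = off).
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# One "Set value" row of the report's pipe table:
# | description | <key>\<value name> = "<data>" | process | target |
ROW_RE = re.compile(
    r'^\|\s*Set value \((?:int|str)\)\s*\|\s*(?P<path>[^|]+?)\s*=\s*"(?P<data>[^"]*)"'
    r'\s*\|\s*(?P<proc>[^|]+?)\s*\|'
)

# Constructed input: copies of the rows from the two tables above, plus one
# made-up row under a fictitious vendor key ("ExampleVendor") that must not fire.
SAMPLE_ROWS = [
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\ExampleVendor\Agent\DisableRealtimeMonitoring = "1" | C:\Program Files\ExampleVendor\agent.exe | N/A |',
]


@dataclass(frozen=True)
class Finding:
    process: str
    value_name: str
    data: str
    effect: str


def parse_set_value(row):
    """Return (key, value name, data, process) for a 'Set value' row, else None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return key, name, m.group("data"), m.group("proc")


def find_defender_tampering(rows):
    """Return one Finding per row that disables a Defender protection.

    The key is compared as a whole, so the same value name under an
    unrelated key (the ExampleVendor row) does not fire."""
    findings = []
    for row in rows:
        parsed = parse_set_value(row)
        if parsed is None:
            continue
        key, name, data, proc = parsed
        if key.casefold() == REALTIME_KEY.casefold() and name in DISABLE_VALUES and data == "1":
            findings.append(Finding(proc, name, data, DISABLE_VALUES[name]))
        elif key.casefold() == FEATURES_KEY.casefold() and name == "TamperProtection" and data == "0":
            findings.append(Finding(proc, name, data, "tamper protection feature flag cleared"))
    return findings


def disabled_protections(rows):
    """Sorted value names that were switched off, for a one-line verdict."""
    return sorted({f.value_name for f in find_defender_tampering(rows)})


if __name__ == "__main__":
    for f in find_defender_tampering(SAMPLE_ROWS):
        exe = f.process.rsplit("\\", 1)[-1]
        print(f"{exe}: {f.value_name}={f.data} -> disables {f.effect}")
```

Run against the rows above it reports six findings, all from q8051100.exe; the constructed vendor row is parsed but not flagged because the key comparison is exact, not a substring match on the value name.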
Adds Run key to start application
Note: the wextract_cleanupN RunOnce values below are the self-delete hook that the Windows self-extractor (WExtract/IExpress) registers for each nested IXP00N.TMP stage; each one calls advpack.dll,DelNodeRunDLL32 to remove that temp directory at the next logon. The process that writes wextract_cleanupN is the stage that unpacked IXP00N.TMP, so these rows give the nesting order of the dropper, but they are a drop-chain artefact, not the payload's own persistence.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4042bc1e3de52c1fa2ec03d39b0a8632b8ca97f1beea1764eb78104cf6a3b716.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe | N/A |
Suspicious use of SetThreadContext
Note: r2502166.exe (PID 2828, unpacked into IXP004.TMP) spawns the .NET host AppLaunch.exe (PID 1668) and rewrites its thread context, the process-hollowing pattern. The WerFault entries under Program crash and in the Processes list (-p 2828 and -p 1668) show that both the injector and the hollowed host crashed on this Windows 7 image; the dumps of PID 1668 at 0x400000-0x428000 under Files are what the sandbox captured from the hollowed process.
| Description | Indicator | Process | Target |
| PID 2828 set thread context of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
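Reconstruction of the drop chain and of the injection edge from the rows above, written as an added example for this page (it is not the sandbox's code). The RunOnce rows give the nesting order, since the process that registers wextract_cleanupN is the stage that unpacked IXP00N.TMP; sorting by N yields the root sample, then z5440031, z9567782, z5101495, z0197715, and finally the two payloads in IXP004.TMP. The SetThreadContext row and the WerFault command lines are joined on PID to show that both ends of the hollowing crashed. All input rows are constructed copies of the report's tables and process list; the WerFault parser also accepts the "-pss ... -p <pid> -ip <pid>" form seen in behavioral2.

```python
"""Reconstruct the nested self-extractor chain and the hollowing edge from
behavioral1 report rows. Added example for this page; not sandbox code."""
import re
from collections import defaultdict

# Constructed input: copies of rows from the tables and process list above.
RUNONCE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4042bc1e3de52c1fa2ec03d39b0a8632b8ca97f1beea1764eb78104cf6a3b716.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe | N/A |',
]
EXEC_ROWS = [
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe | N/A |',
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe | N/A |',
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe | N/A |',
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe | N/A |',
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |',
    r'| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe | N/A |',
]
CTX_ROWS = [
    r'| PID 2828 set thread context of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |',
]
WERFAULT_CMDLINES = [
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 36',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 268',
]

RUNONCE_RE = re.compile(r'wextract_cleanup(?P<n>\d+) = ".*?(?P<dir>IXP\d{3}\.TMP).*?\|\s*(?P<creator>[^|]+?)\s*\|')
STAGE_EXE_RE = re.compile(r'(?P<dir>IXP\d{3}\.TMP)\\(?P<exe>[^\\|]+\.exe)', re.I)
CTX_RE = re.compile(r'PID (?P<src>\d+) set thread context of (?P<dst>\d+)\s*\|\s*[^|]*\|\s*(?P<srcpath>[^|]+?)\s*\|\s*(?P<dstpath>[^|]+?)\s*\|')
WERFAULT_PID_RE = re.compile(r'-p (?P<pid>\d+)')  # matches "-u -p N" and "-pss ... -p N"


def stage_chain(runonce_rows):
    """Ordered (N, IXP00N.TMP, creator exe) list: creator of cleanupN is stage N-1."""
    stages = {}
    for row in runonce_rows:
        m = RUNONCE_RE.search(row)
        if m:
            stages[int(m.group("n"))] = (m.group("dir"), m.group("creator").rsplit("\\", 1)[-1])
    return [(n, *stages[n]) for n in sorted(stages)]


def stage_payloads(exec_rows):
    """Map each stage directory to the executables that ran from it."""
    out = defaultdict(list)
    for row in exec_rows:
        m = STAGE_EXE_RE.search(row)
        if m:
            out[m.group("dir")].append(m.group("exe"))
    return dict(out)


def crashed_pids(werfault_cmdlines):
    """PIDs for which WerFault was invoked, i.e. processes that crashed."""
    return {int(m.group("pid")) for c in werfault_cmdlines for m in WERFAULT_PID_RE.finditer(c)}


def injection_edges(ctx_rows, werfault_cmdlines):
    """SetThreadContext edges annotated with the hollowing pattern and crash state."""
    crashed = crashed_pids(werfault_cmdlines)
    edges = []
    for row in ctx_rows:
        m = CTX_RE.search(row)
        if not m:
            continue
        src, dst = m.group("srcpath"), m.group("dstpath")
        src_pid, dst_pid = int(m.group("src")), int(m.group("dst"))
        edges.append({
            "src_pid": src_pid, "dst_pid": dst_pid, "src": src, "dst": dst,
            # Hollowing pattern: an executable unpacked into the user's temp directory
            # rewrites the thread context of a freshly spawned Windows binary.
            "hollowing_pattern": "\\appdata\\local\\temp\\" in src.casefold()
                                 and dst.casefold().startswith("c:\\windows\\"),
            "src_crashed": src_pid in crashed,
            "dst_crashed": dst_pid in crashed,
        })
    return edges


if __name__ == "__main__":
    payloads = stage_payloads(EXEC_ROWS)
    for n, d, creator in stage_chain(RUNONCE_ROWS):
        print(f"stage {n}: {creator} unpacked {d} -> {payloads.get(d)}")
    for e in injection_edges(CTX_ROWS, WERFAULT_CMDLINES):
        print(f"{e['src_pid']} -> {e['dst_pid']} hollowing={e['hollowing_pattern']} crashed={e['src_crashed']}/{e['dst_crashed']}")
```

The chain comes out as five stages with the two final payloads (q8051100.exe, r2502166.exe) under IXP004.TMP, and the single injection edge 2828 -> 1668 is flagged as hollowing with both processes crashed.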
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4042bc1e3de52c1fa2ec03d39b0a8632b8ca97f1beea1764eb78104cf6a3b716.exe
"C:\Users\Admin\AppData\Local\Temp\4042bc1e3de52c1fa2ec03d39b0a8632b8ca97f1beea1764eb78104cf6a3b716.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 36
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 268
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe
| MD5 | cae744e2fb438fd84fb5368b365a0973 |
| SHA1 | 6ba2aee6ecc57428cc8eab16df16fbd85740a135 |
| SHA256 | ccf598995dda23f50d85626e3f7228248ad8168702d2a9175f6299d031ac8bc1 |
| SHA512 | 07d4fa6455063d0dc3a029a294c0b9fe7e23e58b9a59323499c42fcd7763e75b7c15207c038fed5ed4c0bb4ae71a58b5bc1535a79cb30804bc186f55486a3aa9 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe
| MD5 | 60253fc6eeb513078d44b44050d15535 |
| SHA1 | 4bd1fdca2b986659ae76a5d40e177e1f5abe36ad |
| SHA256 | 116167dbeba532373e4126557c28c49085800ec0f53d9257923905bf3951b107 |
| SHA512 | 221b9745f7801893b59fd602d0d0a128db80723e0abb3be20c9f11bebcd0bb085322182b908a2af358f37bdd57694b6d975bdffd9e650689a3cddb6b7bc64da1 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe
| MD5 | 50001cd195476b44cfccab62d6e8b51c |
| SHA1 | f00c24ce41c6bf799a064d7457cff3c280176b3b |
| SHA256 | 9da2a927b401fbe1bf65694b21cc34f9c03ecbcd488c23840715b43ba753b4ed |
| SHA512 | ffd1d646c30d29e38cb1657a6de1421f5b97d0dcf1659ea0e752d3aa34232dc5327a7a8dfb8eddcfd7df8248ca215e70527ed3c72a84bc113894b37e70cfafbb |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe
| MD5 | c68207f2ff597db0f86bc3a0e4f86d6f |
| SHA1 | e18e09c90ca24a0ef1e7da29e501039749bee480 |
| SHA256 | 9f41aedc8ee45e7de9de77135c98fc325c88fda96c96e82a3f645b87da745dda |
| SHA512 | 2f463ee5682ac4fcb346ee2b9e07b51ecfe9fe9ed78df8bad193c6945f7568721d8c5c65f54e0e3ca6a93c16f196bc65607089fc128f7cfa1f0bb3418003e13e |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe
| MD5 | bbd440498315e029d0707a934d76cb98 |
| SHA1 | 36503d21cccc67be0c8143f51d066f7c0d9ad3b0 |
| SHA256 | 5256ce16ffd51bb8705484957104fd08108954094c1a63e96af68624a4ec23a3 |
| SHA512 | 5d42afbcdcfa1ceab806af9a6547f9c1b880ba8ed8ef75d4abaa6c8523ca91018afc8d852ab6f4b63833db6d8edb2e48dae4bab12709140ddcd8fd3c978c3cd3 |
memory/3008-48-0x00000000008D0000-0x00000000008DA000-memory.dmp
memory/3008-49-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp
memory/3008-50-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp
memory/3008-51-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe
| MD5 | 455dbc93bb79bf3db879533ebf5a0b7d |
| SHA1 | 93d14621a0a4272faf893a0000723221168de2e7 |
| SHA256 | cb1e58551d267791e8c8c422217499c6b3237d827b4381b3ad67b57a39f66cce |
| SHA512 | 3e80efe591b9a331d35f391ea4944235969177ba40bb6dae6e968c11fd357518d4e723399e6c67d595f1f4d98a2563388f969f5a7e8e0be6022c7c7223881483 |
memory/1668-61-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1668-62-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1668-65-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1668-66-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1668-64-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1668-63-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1668-68-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1668-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1668-70-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1668-72-0x0000000000400000-0x0000000000428000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-10 20:46
Reported
2023-10-10 21:14
Platform
win10v2004-20230915-en
Max time kernel
144s
Max time network
155s
Command Line
Signatures
Amadey
Detect Mystic stealer payload
Detects Healer an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
Mystic
Checks computer location settings
Note: HKCU\Control Panel\International\Geo\Nation holds the user's configured country (GeoID). Four of the dropped executables read it, which is the usual pre-check for geofencing the payload to or away from particular countries.
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0957063.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3195422.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
Adds Run key to start application
Note: as in behavioral1, the wextract_cleanupN RunOnce values are the WExtract/IExpress self-delete hook (advpack.dll,DelNodeRunDLL32) for each nested IXP00N.TMP stage and record the dropper's nesting order; the persistence that matters in this run is the scheduled tasks listed further down.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4042bc1e3de52c1fa2ec03d39b0a8632b8ca97f1beea1764eb78104cf6a3b716.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe | N/A |
Suspicious use of SetThreadContext
Note: two hollowing edges on Windows 10, both into the .NET host AppLaunch.exe: r2502166.exe (PID 4600 -> 4512) and s8106984.exe (PID 3064 -> 32). The WerFault entries in the Processes list for PIDs 4600, 4512, 3064 and 32 show that each injector and each hollowed host crashed.
| Description | Indicator | Process | Target |
| PID 4600 set thread context of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3064 set thread context of 32 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8106984.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Note: two tasks named after the dropped copies (explothe.exe, legota.exe) with /SC MINUTE /MO 1, so each copy in %TEMP%\<10 hex chars>\ is relaunched every minute. They are paired with the CACLS commands in the Processes list that first deny the current user all access to the file and its directory (Admin:N) and then re-grant read only (Admin:R /E), so the copies cannot be deleted or overwritten from that account; the clip64.dll modules in %APPDATA%\<hex>\ are loaded through rundll32 export Main. This installer routine is consistent with the Amadey detection at the top of this run.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4042bc1e3de52c1fa2ec03d39b0a8632b8ca97f1beea1764eb78104cf6a3b716.exe
"C:\Users\Admin\AppData\Local\Temp\4042bc1e3de52c1fa2ec03d39b0a8632b8ca97f1beea1764eb78104cf6a3b716.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4600 -ip 4600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4512 -ip 4512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8106984.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8106984.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3064 -ip 3064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 32 -ip 32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3195422.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3195422.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0957063.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0957063.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7639881.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7639881.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
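Command-line heuristics for the persistence and self-protection seen in the process list above, written as an added example for this page (not the sandbox's or the malware's code). It tags schtasks registrations with a minute-level repeat interval or a target in the user's temp directory, CACLS calls that deny the current user access to a file (the "Admin:N" then "Admin:R /E" sequence above makes the dropped copy read-only for its owner, so it cannot be deleted or overwritten from that account), rundll32 loading a DLL from %APPDATA%, and sc.exe service starts. The input is a constructed list of command lines copied from the process list, plus one constructed benign schtasks line (a daily task under Program Files) that must stay untagged.

```python
"""Tag persistence and self-protection command lines from a sandbox process list.

Added example for this page; not code from the sandbox or the sample."""
import re

TEMP_DIR = "\\appdata\\local\\temp\\"
ROAMING_DIR = "\\appdata\\roaming\\"

# Constructed input: command lines copied from the behavioral2 process list,
# plus one made-up benign line at the end.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit',
    r'CACLS "explothe.exe" /P "Admin:N"',
    r'CACLS "explothe.exe" /P "Admin:R" /E',
    r'CACLS "..\fefffe8cea" /P "Admin:N"',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
    r'C:\Windows\system32\sc.exe start wuauserv',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"',
]

SC_UNIT_RE = re.compile(r'/sc\s+(\w+)')
MODIFIER_RE = re.compile(r'/mo\s+(\d+)')
TASK_RUN_RE = re.compile(r'/tr\s+"([^"]+)"')
# CACLS <file> /P <user>:N replaces the ACL with an explicit deny for <user>.
CACLS_DENY_RE = re.compile(r'cacls\s+"[^"]+"\s+/p\s+"[^":]+:n"')
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?P<dll>[^\s,]+\.dll)\s*,\s*(?P<export>\w+)')
SC_START_RE = re.compile(r'\bsc(?:\.exe)?\s+start\s+\S+')


def tag_commandline(cmd):
    """Return the set of heuristic tags that apply to one command line."""
    tags = set()
    low = cmd.casefold()
    if "schtasks" in low and "/create" in low:
        unit = SC_UNIT_RE.search(low)
        mod = MODIFIER_RE.search(low)
        target = TASK_RUN_RE.search(low)
        # A task re-run every few minutes is a watchdog, not a maintenance job.
        if unit and unit.group(1) == "minute" and (int(mod.group(1)) if mod else 1) <= 5:
            tags.add("schtasks_minute_interval")
        if target and TEMP_DIR in target.group(1):
            tags.add("schtasks_runs_from_temp")
    if CACLS_DENY_RE.search(low):
        tags.add("cacls_deny_owner")
    m = RUNDLL32_RE.search(low)
    if m and ROAMING_DIR in m.group("dll"):
        tags.add("rundll32_dll_from_appdata")
    if SC_START_RE.search(low):
        tags.add("sc_start_service")
    return frozenset(tags)


def triage(cmdlines):
    """Group command lines by tag; untagged lines are dropped."""
    by_tag = {}
    for cmd in cmdlines:
        for tag in tag_commandline(cmd):
            by_tag.setdefault(tag, []).append(cmd)
    return by_tag


if __name__ == "__main__":
    for tag, cmds in sorted(triage(SAMPLE_CMDLINES).items()):
        print(f"{tag}: {len(cmds)} line(s)")
        for c in cmds:
            print("   ", c)
```

On the sample above the two schtasks lines carry both task tags, the compound cmd /k line and the two direct "Admin:N" calls carry the CACLS tag (the "Admin:R" re-grant alone does not), the rundll32 and sc.exe lines get one tag each, and the constructed daily task is untagged.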
Network
Note: the in-addr.arpa queries are reverse lookups (those for 78.68.91.77 and 1.124.91.77 correspond to the two HTTP destinations below; the rest resolve Microsoft address space) and tse1.mm.bing.net is Windows background traffic. The plain-HTTP connections to 77.91.68.78:80 and 77.91.124.1:80 (FI) are the only destinations in this run not attributable to the platform.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5440031.exe
| MD5 | cae744e2fb438fd84fb5368b365a0973 |
| SHA1 | 6ba2aee6ecc57428cc8eab16df16fbd85740a135 |
| SHA256 | ccf598995dda23f50d85626e3f7228248ad8168702d2a9175f6299d031ac8bc1 |
| SHA512 | 07d4fa6455063d0dc3a029a294c0b9fe7e23e58b9a59323499c42fcd7763e75b7c15207c038fed5ed4c0bb4ae71a58b5bc1535a79cb30804bc186f55486a3aa9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9567782.exe
| MD5 | 60253fc6eeb513078d44b44050d15535 |
| SHA1 | 4bd1fdca2b986659ae76a5d40e177e1f5abe36ad |
| SHA256 | 116167dbeba532373e4126557c28c49085800ec0f53d9257923905bf3951b107 |
| SHA512 | 221b9745f7801893b59fd602d0d0a128db80723e0abb3be20c9f11bebcd0bb085322182b908a2af358f37bdd57694b6d975bdffd9e650689a3cddb6b7bc64da1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5101495.exe
| MD5 | 50001cd195476b44cfccab62d6e8b51c |
| SHA1 | f00c24ce41c6bf799a064d7457cff3c280176b3b |
| SHA256 | 9da2a927b401fbe1bf65694b21cc34f9c03ecbcd488c23840715b43ba753b4ed |
| SHA512 | ffd1d646c30d29e38cb1657a6de1421f5b97d0dcf1659ea0e752d3aa34232dc5327a7a8dfb8eddcfd7df8248ca215e70527ed3c72a84bc113894b37e70cfafbb |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0197715.exe
| MD5 | c68207f2ff597db0f86bc3a0e4f86d6f |
| SHA1 | e18e09c90ca24a0ef1e7da29e501039749bee480 |
| SHA256 | 9f41aedc8ee45e7de9de77135c98fc325c88fda96c96e82a3f645b87da745dda |
| SHA512 | 2f463ee5682ac4fcb346ee2b9e07b51ecfe9fe9ed78df8bad193c6945f7568721d8c5c65f54e0e3ca6a93c16f196bc65607089fc128f7cfa1f0bb3418003e13e |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8051100.exe
| MD5 | bbd440498315e029d0707a934d76cb98 |
| SHA1 | 36503d21cccc67be0c8143f51d066f7c0d9ad3b0 |
| SHA256 | 5256ce16ffd51bb8705484957104fd08108954094c1a63e96af68624a4ec23a3 |
| SHA512 | 5d42afbcdcfa1ceab806af9a6547f9c1b880ba8ed8ef75d4abaa6c8523ca91018afc8d852ab6f4b63833db6d8edb2e48dae4bab12709140ddcd8fd3c978c3cd3 |
memory/3804-35-0x00000000005A0000-0x00000000005AA000-memory.dmp
memory/3804-36-0x00007FFB78140000-0x00007FFB78C01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2502166.exe
| MD5 | 455dbc93bb79bf3db879533ebf5a0b7d |
| SHA1 | 93d14621a0a4272faf893a0000723221168de2e7 |
| SHA256 | cb1e58551d267791e8c8c422217499c6b3237d827b4381b3ad67b57a39f66cce |
| SHA512 | 3e80efe591b9a331d35f391ea4944235969177ba40bb6dae6e968c11fd357518d4e723399e6c67d595f1f4d98a2563388f969f5a7e8e0be6022c7c7223881483 |
memory/3804-40-0x00007FFB78140000-0x00007FFB78C01000-memory.dmp
memory/4512-42-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4512-43-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4512-44-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4512-46-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8106984.exe
| MD5 | 9ce38bcc25f02d4dc887b541f8a4db6b |
| SHA1 | 1a65f57c9e9f4db7b1a4936027efe47217940362 |
| SHA256 | d91060516022fd42524bd0dd4570ad150621f06ef30e6b03acdd2aec28e72964 |
| SHA512 | a515f57fcb962f73ec3481045ae6740497d2c0fc6881339535e276c5df678e47abeba92e7f3d1911c57e3a3e2f0dbb025124ae6e27ca267c17c1ce0fab8c8eb5 |
memory/32-51-0x0000000000400000-0x0000000000428000-memory.dmp
memory/32-52-0x0000000000400000-0x0000000000428000-memory.dmp
memory/32-54-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3195422.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0957063.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7639881.exe
| MD5 | f1da1dad8541e34aa52343b5c3e10e96 |
| SHA1 | c95e1f9c8ff2e1782aee91e7920733e59a9c885e |
| SHA256 | 0c5f07a99ccadb0de068828fd3bfd9bb73543e77af430bfbf245be48e22095be |
| SHA512 | 7a8a68ec1af455751a23c72b5070ad8d6a03193e39c2fb53205d24a6864b6d6361793e1f71af35c0b9e25ca74e13c4d5dfcecf04bc6e18a91a83d6280366d62f |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 6d5040418450624fef735b49ec6bffe9 |
| SHA1 | 5fff6a1a620a5c4522aead8dbd0a5a52570e8773 |
| SHA256 | dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3 |
| SHA512 | bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | ec41f740797d2253dc1902e71941bbdb |
| SHA1 | 407b75f07cb205fee94c4c6261641bd40c2c28e9 |
| SHA256 | 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520 |
| SHA512 | e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
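The following is an added example, not part of the sandbox report or of any tooling it describes. It turns the indicators from the process list (rundll32 loading clip64.dll with export Main from a hex-named directory under AppData\Roaming, sc.exe starting wuauserv), the Network table (the two 77.91.x.x hosts on port 80) and the Files table (SHA256 of the dropped cred64.dll and clip64.dll copies) into a small matcher and runs it over constructed log records. The regular expression that generalises the two observed directory names to any 14-hex-character name is an assumption; the sample events are constructed, not telemetry from the report.

```python
"""Added example (not part of the sandbox report): check constructed log
records against the indicators listed in this report's process, Network
and Files sections."""
import re
from dataclasses import dataclass

# Destinations from the Network table that are neither DNS nor the bing.net CDN.
C2_IPS = {"77.91.68.78", "77.91.124.1"}

# SHA256 of the DLLs dropped under %AppData%\Roaming\<dir>\ (Files table).
DROPPED_DLL_SHA256 = {
    "5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529",  # 006700e5a2ab05\cred64.dll
    "dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3",  # a091ec0a6e2227\cred64.dll
    "47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520",  # a091ec0a6e2227\clip64.dll
    "4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da",  # 006700e5a2ab05\clip64.dll
}

# rundll32 loading a DLL from a 14-hex-character directory under Roaming
# with export "Main", as the report shows for clip64.dll. Generalising the
# two observed directory names to [0-9a-f]{14} is an assumption.
RUNDLL32_RE = re.compile(
    r'rundll32\.exe"?\s+'
    r'(?P<dll>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\[0-9a-f]{14}\\\w+\.dll)'
    r'\s*,\s*Main\b',
    re.IGNORECASE,
)
# "sc.exe start wuauserv" also appears in the process list; on its own it is
# a legitimate admin command, so it is reported only as a weak indicator.
SC_WUAUSERV_RE = re.compile(r"\bsc\.exe\s+start\s+wuauserv\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str   # "process" (command line), "network" ("ip:port") or "file" (sha256)
    value: str


def classify(event: Event) -> list:
    """Return the indicator names an event matches; empty list if none."""
    hits = []
    if event.kind == "process":
        if RUNDLL32_RE.search(event.value):
            hits.append("rundll32_roaming_dll_main")
        if SC_WUAUSERV_RE.search(event.value):
            hits.append("sc_start_wuauserv_weak")
    elif event.kind == "network":
        ip = event.value.rsplit(":", 1)[0]
        if ip in C2_IPS:
            hits.append("known_c2_ip")
    elif event.kind == "file":
        if event.value.lower() in DROPPED_DLL_SHA256:
            hits.append("dropped_dll_sha256")
    return hits


def scan(events):
    """Map event index -> indicator names for every event that matched."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results


# Constructed sample records (not telemetry from the report).
SAMPLE_EVENTS = [
    Event("process", r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main'),
    Event("process", r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
    Event("process", r"C:\Windows\system32\sc.exe start wuauserv"),
    Event("network", "77.91.68.78:80"),
    Event("network", "204.79.197.200:443"),
    Event("file", "4CF5B584CF79AC523F645807A65BC153FBEAA564C0E1ACB4DAC9004FC9D038DA"),
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}  <- {SAMPLE_EVENTS[idx].value}")
```

The hash and IP sets are exact-match indicators and will age quickly; the rundll32 pattern is the more durable signal here because it keys on the loading behaviour (an arbitrary DLL under the user's Roaming profile invoked through its Main export) rather than on a specific sample. Treat the sc.exe match as correlation context only.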