Malware Analysis Report

2024-10-24 19:58

Sample ID 231101-rqrmyaba47
Target NEAS.f235fcc2e4c00da062b221b7666fe150.exe
SHA256 6fb61b007a7cdb6f56031f757ba5024ae21fef3bc9d811093283de29c765de5b
Tags
amadey healer mystic redline genda dropper evasion infostealer persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file NEAS.f235fcc2e4c00da062b221b7666fe150.exe was found to be: Known bad.

Malicious Activity Summary

Healer

RedLine

Amadey

Detect Mystic stealer payload

Mystic

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

Checks computer location settings

Loads dropped DLL

Windows security modification

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-01 14:24

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-01 14:24

Reported

2023-11-01 23:40

Platform

win10v2004-20231023-en

Max time kernel

141s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.f235fcc2e4c00da062b221b7666fe150.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u1190642.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t0427406.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2102058.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5105797.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9031482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.f235fcc2e4c00da062b221b7666fe150.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f235fcc2e4c00da062b221b7666fe150.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2102058.exe
PID 3388 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2102058.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5105797.exe
PID 2652 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5105797.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9031482.exe
PID 4464 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9031482.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe
PID 4464 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9031482.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0424156.exe
PID 4044 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0424156.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2652 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5105797.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s7288563.exe
PID 2860 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s7288563.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3388 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2102058.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t0427406.exe
PID 4436 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t0427406.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1304 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.f235fcc2e4c00da062b221b7666fe150.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u1190642.exe
PID 2076 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 5056 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u1190642.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 2076 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 5080 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 3864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.f235fcc2e4c00da062b221b7666fe150.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.f235fcc2e4c00da062b221b7666fe150.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2102058.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2102058.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5105797.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5105797.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9031482.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9031482.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0424156.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0424156.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1584 -ip 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s7288563.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s7288563.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2860 -ip 2860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 156

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t0427406.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t0427406.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u1190642.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u1190642.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2102058.exe

MD5 c91a8b78bd92a93f0a4f83e0e727d2d7
SHA1 162c4dc8a3cae929241df89d99f9ba8d4272d27a
SHA256 aaf28ca4d6afe7f8acdf4fc2e316d269ae400ad345e7b1d1480a5a659bde412c
SHA512 b1e5076c8b7e3991fb3f6993e2c336dddb34b2ea3a0d5d425093a6a53d60ed57ab629af6ffefead867bbfffce6bbdcf7d0af03153f4be9741b202b4e7019ec7e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5105797.exe

MD5 75f60e5fd38ae6178ed22dc93e7d1f6b
SHA1 ab0b8c49e01b1febe632f1593701ce9e12c7c2d9
SHA256 c5046eabced7b4fb1743d8a6ad1769ae9d801e28b89cfa877df06e1e812b3bc5
SHA512 5a07a19a4a0d120fbaf2ea0c9bc7da2406c9b1aef89e7f00b48692f9e7298e786caa3415d27ef3f8eaf0b582857a6c99fb868e4ebe9d7a7e27683dab2ec8add0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9031482.exe

MD5 56db5b18b8e28df9857c20a09eb581aa
SHA1 18e2137f057b04b4d70cacf68d0af242ad143836
SHA256 fc8578e98cc18b8f687c64f387eabfdb1e636b9972706a4cf469e31040de28ba
SHA512 e24285373c78bd01fbaf1d502e362cc1132f405a218058f87efd454a361fc3cc9df4cc9eeb2cc72fe0edcc99caeaf0ef3d2848ca2f89f0f61bc5e1a60e46c645

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q8737601.exe

MD5 b0ffe6e119718a6c0bef39c2e32a912b
SHA1 770d12cb4212e9b2aa8acb0b20a1fd67c656ff6f
SHA256 7ee01a4ba6f0e2fb3f2be717e233f85a4556308a6a2cf489849f6cc630bee4c8
SHA512 05ba6baf46f1da8c9ae2b432e5b04aef724f3236285256b64a3111f508efebd5dfb6df7e665ad9944d897a01e47e229fcf6b500e7d4d9b49711d9c2e83b1016a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0424156.exe

MD5 586cee0f876f89e87a973b73b4bb1ffb
SHA1 98cb6b608186a7329977a26a7e56aa9892fd5ec5
SHA256 32225e219aaa2f2cb994d203336ac590a568896b4daea9c8c6682b0b47840d4b
SHA512 cb51e7a13167a86e0c5181ce409325349bc0c992d7021ab17132356c121e35f6923646ea07fc2566f622c58628a440e839d4f2192782008c30d8015bfd22b822

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s7288563.exe

MD5 03d7f8e83e7059b84ffcf66bfacc6b27
SHA1 6b6c6ec97e8bb1072b097a248b66d6d364034091
SHA256 691a99bfb39e55e08510a652ca0ae96d3839b5be9a3be197679f6ff495d88b01
SHA512 9f0713028d60ad8183b0968b927e9d64bb15abf73953c3f879dcba42d2347c1f134471963e445f1e6a4af3349c7a36aafa506df50d90eba180e7bd3290ec6d46

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t0427406.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u1190642.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
