Malware Analysis Report

2024-10-24 19:57

Sample ID 231101-z5lz1adc31
Target NEAS.d9fd63a3ea8644d4f4f915efde890840_JC.exe
SHA256 24147aa841a552b57a14494a9cc06d41884d8ef15b1686c06027ea84aa7de7c8
Tags
amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24147aa841a552b57a14494a9cc06d41884d8ef15b1686c06027ea84aa7de7c8

Threat Level: Known bad

The file NEAS.d9fd63a3ea8644d4f4f915efde890840_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Detects Healer an antivirus disabler dropper

Amadey

Healer

Mystic

RedLine

Modifies Windows Defender Real-time Protection settings

Detect Mystic stealer payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-01 21:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-01 21:18

Reported

2023-11-02 01:44

Platform

win10v2004-20231020-en

Max time kernel

151s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.d9fd63a3ea8644d4f4f915efde890840_JC.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0193458.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.d9fd63a3ea8644d4f4f915efde890840_JC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6355189.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8877095.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.d9fd63a3ea8644d4f4f915efde890840_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6355189.exe
PID 4152 wrote to memory of 5952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6355189.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8877095.exe
PID 5952 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8877095.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0173140.exe
PID 2544 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0173140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5952 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8877095.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r1904388.exe
PID 1716 wrote to memory of 5128 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r1904388.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4152 wrote to memory of 6008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6355189.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1770325.exe
PID 6008 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1770325.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 6008 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1770325.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1924 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.d9fd63a3ea8644d4f4f915efde890840_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0193458.exe
PID 32 wrote to memory of 6072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0193458.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
PID 6072 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe C:\Windows\SysWOW64\schtasks.exe
PID 6072 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1352 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.d9fd63a3ea8644d4f4f915efde890840_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.d9fd63a3ea8644d4f4f915efde890840_JC.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6355189.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6355189.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8877095.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8877095.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0173140.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0173140.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2544 -ip 2544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 140

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r1904388.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r1904388.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1716 -ip 1716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5128 -ip 5128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1770325.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1770325.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6008 -ip 6008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6008 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0193458.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0193458.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.68.52:80 tcp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 77.91.68.52:80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
FI 77.91.68.52:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 udp
FI 77.91.124.55:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6355189.exe

MD5 144da28e900a79758f8cfec479b1a29d
SHA1 3f1f06ab1f68e897635a8c47b1a9187138232c00
SHA256 bf458e039bc5341868f8cff330eeb8856194571ac91c243262da8d34778cac14
SHA512 e5a410bd6905a3a7520237b3b9dcab87511949d4560546248f6be10082afd19d5a8020f597cc4f2ad6b92413d201920464c8148bc5ac55e709884699e623080e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8877095.exe

MD5 0988d09052792483b186d236c6da7d51
SHA1 a645ec25e438686f00e7c15c1ad3bb26d51f673f
SHA256 be4b07618b42cc773d44d3f924a19bbc41cbbbb2f196720db16060b9b8eb5583
SHA512 93653765d4fcca066baf0f6270e26d1ab2217f3d87af3484207b129f987626a0eced1b71dbc011a0ca60d9243267dffbb3245d19cc68c7cb0edb8717ffea5868

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0173140.exe

MD5 a99183e9a721e0d237872b90d001a447
SHA1 d7a56d586172a86d9abef90930fe10da058dea2f
SHA256 d07d47d45e9cfc22b8c2e5fced7a2b5468d455a1e7c6a3ff7db5ce81b81e6539
SHA512 df11bb187bc3dc7e08aa2d980aa55ecfd45df13381d2804db4aecfb6a7e23ecbce085f05b3507ba7d025a1c282ead37cda54c7f26ae208748faac7608e63e252

memory/1676-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1676-22-0x0000000074230000-0x00000000749E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r1904388.exe

MD5 7c13d6e894bf39893b8e8e5492e491fc
SHA1 3d2f7f22fe4ad53a128b295282e6b1a9ee24c895
SHA256 82f60381d8e86e1cadb33702ee57b1445414d4701f65218344ee40b6b6e304bd
SHA512 e311b25d2a101288ff9bf96736f9e1d6692d37f135e960786e88d205e01a944229ea067b92e850081e3a9ecc0862c2fd8db86bd0426e7daa69214ae4316bc219

memory/5128-26-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5128-27-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5128-28-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5128-30-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1676-31-0x0000000074230000-0x00000000749E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1770325.exe

MD5 d013bc55864b09b95805e0e2ee8bc6e8
SHA1 4dc6bc43b63a8120aec5ab3bc3c1bbbb06f89563
SHA256 a545199b764d3dfad792d850735cac5c457598fc572a660d9b44f9705f333e85
SHA512 e00d728323479818bb4bbb6a2b510c64d86706d287ceadf2353542d1c1ef63aa7a05f8d7b1d2139a02d9703db4280bcc62d8210594d1360e05b88f158656e06e

memory/2096-35-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2096-36-0x0000000074230000-0x00000000749E0000-memory.dmp

memory/2096-37-0x00000000051A0000-0x00000000051A6000-memory.dmp

memory/2096-38-0x0000000074230000-0x00000000749E0000-memory.dmp

memory/1676-40-0x0000000074230000-0x00000000749E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t0193458.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

memory/2096-46-0x0000000005930000-0x0000000005F48000-memory.dmp

memory/2096-49-0x0000000005450000-0x000000000555A000-memory.dmp

memory/2096-53-0x0000000005200000-0x0000000005210000-memory.dmp

memory/2096-52-0x0000000005380000-0x0000000005392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

memory/2096-57-0x00000000053E0000-0x000000000541C000-memory.dmp

memory/2096-58-0x0000000005560000-0x00000000055AC000-memory.dmp

memory/2096-59-0x0000000005200000-0x0000000005210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a