Malware Analysis Report

2024-10-16 03:40

Sample ID 241008-2hb8dsyalc
Target 44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68N
SHA256 44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68
Tags
amadey healer mystic smokeloader fb0fb8 backdoor discovery dropper evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68

Threat Level: Known bad

The file 44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68N was found to be: Known bad.

Malicious Activity Summary


Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Mystic

SmokeLoader

Amadey

Detect Mystic stealer payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-08 22:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-08 22:34

Reported

2024-10-08 22:36

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68N.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Mystic

stealer mystic

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6012442.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9389528.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6383983.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6383983.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9389528.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r0116433.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6012442.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0457569.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6115943.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 716 wrote to memory of 3384 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6383983.exe
PID 3384 wrote to memory of 3596 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6383983.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9389528.exe
PID 3596 wrote to memory of 3792 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9389528.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0457569.exe
PID 3792 wrote to memory of 3700 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0457569.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3596 wrote to memory of 2736 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9389528.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r0116433.exe
PID 2736 wrote to memory of 3520 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r0116433.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3384 wrote to memory of 3992 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6383983.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6115943.exe
PID 3992 wrote to memory of 1372 (6 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6115943.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 716 wrote to memory of 4248 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6012442.exe
PID 4248 wrote to memory of 2988 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6012442.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
PID 2988 wrote to memory of 3580 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe C:\Windows\SysWOW64\schtasks.exe
PID 2988 wrote to memory of 1192 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 4120 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 1136 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1192 wrote to memory of 3876 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1192 wrote to memory of 3308 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 3808 (1 event) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68N.exe

"C:\Users\Admin\AppData\Local\Temp\44f9127cc5ef663292f4867e04106e0730634f7269304932e5f7559c65899b68N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6383983.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6383983.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9389528.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9389528.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0457569.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0457569.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3792 -ip 3792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r0116433.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r0116433.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2736 -ip 2736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 140

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6115943.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6115943.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3992 -ip 3992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 568

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6012442.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6012442.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.68.52:80 N/A tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FI 77.91.68.52:80 N/A tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.68.52:80 N/A tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6383983.exe

MD5 b5d554ae64132b9f73bb0e8c65993f74
SHA1 0793eebb849cf154a2b360616088fefcb4626fef
SHA256 993521a8caa930c33f43805d77d854b78c686a9a7a37977a4efb103e55168c18
SHA512 66d242711985d14637e60de18173a2dc9471452bb5d7cbb5c26f744e783a8ae4d1a6b0e7103db8559397e62d3f426fbbd14a8b781587cf507df1c97f6e32b5f1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9389528.exe

MD5 70892996a1ecdf76d70bdc189a263e6e
SHA1 2cad6f235eb2df76e7dc8e8752724f347abec038
SHA256 cca32a3d1575e97fbcbbb4e2b23f73922242c2b1a3a01dc0f256e28fed708608
SHA512 5b897ebe14feabf23173015abb0fda90291968c5cf63e0128e1f3bd19f888d0ad063dcd02490e9ef2a1d67127b1246680faa5f895490fa6408b87870b83db601

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q0457569.exe

MD5 c7b7ac2581db386b7c21ef42e38dd8af
SHA1 0e5cf20c668ec1ee1d3f5ba31489b788095ac584
SHA256 89757f4df814acb126d53016c13080472174ec4ff9895e140dc1ecf3eaa02c98
SHA512 5927ab7858659b0f2e580e5d9a6ad8e28fcfde74a02813ad62911f2bfae53ac22b33cddd89ff5c2a8fbb0df6341155acf3081a4a9d0492c015adfe359cbbd112

memory/3700-21-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r0116433.exe

MD5 9fa3e93d3a41f380020d26e31e2b4647
SHA1 33ca673016fb0878448e670ff39203ac4cb228e5
SHA256 9568150b3e1f2e5fbc15830650bdec034c6c44d1b7aa0c849a54506fe78ee954
SHA512 1b965a4a96e8b79d2c0d70d932f48ce653b1663a7afc10b1d25b56bc7e1f3cea0494c0f4c5ee95f78141aa26b10787b9a6bcdd9049ea234f3a203449494e017e

memory/3520-25-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3520-28-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3520-26-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6115943.exe

MD5 c5d3688d8d7339db313cdb358c47496a
SHA1 be4d9238d6d958233269ba615e461727449bca60
SHA256 a4d34c4a0e1737897d42ab471159699d4115127a0fce2eca3661e795e6b41cba
SHA512 0a4419ddb951ad30023cdac9bd56f402e179a2482dd4fda42d692994cda5419cb764959857c23ac0f915ad6a1f3ed0e592444fc827dbafc71015e5945d49e8a5

memory/1372-32-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6012442.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a