Malware Analysis Report

2024-10-16 03:53

Sample ID 240507-wq4pqaha9w
Target 0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507
SHA256 0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507
Tags
amadey healer redline most dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507

Threat Level: Known bad

The file 0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline most dropper evasion infostealer persistence trojan

RedLine

Amadey

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Detects executables packed with ConfuserEx Mod

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-05-07 18:08

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 18:08

Reported

2024-05-07 18:11

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload


Detects executables embedding registry key / value combination indicative of disabling Windows Defender features


Detects executables packed with ConfuserEx Mod


Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c34068059.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b82376023.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d21120403.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe
PID 4348 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe
PID 4928 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe
PID 400 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe
PID 4628 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe
PID 64 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe C:\Windows\Temp\1.exe
PID 4628 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b82376023.exe
PID 400 wrote to memory of 5684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c34068059.exe
PID 5684 wrote to memory of 5576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c34068059.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4928 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d21120403.exe
PID 5576 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5576 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3716 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3716 wrote to memory of 5356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 5620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3716 wrote to memory of 5812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4348 wrote to memory of 6980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f30260517.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe

"C:\Users\Admin\AppData\Local\Temp\0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b82376023.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b82376023.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3552 -ip 3552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1252

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c34068059.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c34068059.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d21120403.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d21120403.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f30260517.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f30260517.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe

MD5 eb6df914f792463c6b73e7ec469c8461
SHA1 8554dddffe66aded66bde4d63202d5a937926649
SHA256 b28f2c48fef70e5d6bee1842dbad2fd77844b42872d826afdbb6baadb940e775
SHA512 25d1eb53e6eded1066f7337f5a65c007e51b9c848598080fcac37ff4ba8c87e53f4ce85b877cc1ce2d74d32015ccf4cd4e096ac114c1af2db72cd9150a70811c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe

MD5 6db8b139f21785fc3f74040cba7bd879
SHA1 6a974e0d9853a71866afc9b1287373f40866ca69
SHA256 d905004448cf627f2b3c811eda70ff8d81417e5eb32f878b693ca2b5ba2e58b7
SHA512 bb06f2260a9db0619e481c8090bddc580b35cb269237712bd1bd7b17bc956e4fd95f3a142779af0b01647a293898d751e03bb87430459f2ae6b4d13dbb4793c7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe

MD5 a88d050386d14b4aebcd28a0159374e0
SHA1 bdc0fd47c6ad75fec3f55fd9e81cd1150fa32cb0
SHA256 8ef042ba464dbfa6b7724e827f97abb4d62fdb196078e34d93dd1734ab23c721
SHA512 888e6282ac5b56bf82189dcad2b37dd05a08afe0a899719036e43058286a5ddb3b59a204fabc04f1e04c58c9a86b5f921e729a11bdb1fa9aa7b1cbdedbfe7301

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe

MD5 c3b227a8d59e216b36e3443a68c0f336
SHA1 d6e389fc00512afc25533dd3dc70334c6b050b96
SHA256 913eb8efad291d713bd7fb562a710d7776abb71828ee548e1207bd9c1ab64569
SHA512 d90428e0ed75f8dbda1e8b2243faad87fa6263c7a6084785c10633eb1a48c767f658fb699b7bf10e0f663e7038fb1271181cc89d7b17b0beceaa6151db05fc44

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe

MD5 8c76a0aecbb36bcb24bf81b55041804e
SHA1 52a1ce0625fd48703e66e68db221b4b5f090e513
SHA256 6346e4731b34c24444b2c7f37e7f0d9f915eb8e899ea2a1a476b567c08a2c5a4
SHA512 1ed04a9a6b2d61149092bac8810cc1736ebb9684c9a40ba1eb6413bfb8b3d3d3e51b476ee856f5cb620bd7e4e49199e76bf1a953d97425a4576489b6013f14fc

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b82376023.exe

MD5 c372801b964b119ba1fdc9e43ec40135
SHA1 654c946c401d6f8b56b3f0fcf8dc2412e94e7319
SHA256 33a030c4b403616a71a062641b31f175621b28fa6cca01218f307e17b05861da
SHA512 0d5c2b9a2f1c12bf30823de75aff91f689c80afb7816751dbc166f5c54658a926a0d3b6896a53775f73e4820b6e98d8a77fad2c987ba7cdbe0ea4a148563f7e9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c34068059.exe

MD5 56ef7499c670c2fbf0843de73f0eb04d
SHA1 babf7b5c66e3d1b6afb975a52be5c757ae30e770
SHA256 3064365221253aa32f3b0146d0da8df9e628f74db461765494ee84ad2f411206
SHA512 3226161c9f36dd267b1ea0ae7c3fa73cd4bd54af219786a0b5ec028a26d8ba16207e35ade22fdaf5a2d4b0295d51bb95eea21a5a44a9662959d98263f4a5a32e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d21120403.exe

MD5 837edb04fe5c3757bb85b4ca658e4f9d
SHA1 06badaa402603c3ed83a8ba137c657110cf5d3c5
SHA256 e5bf9cda112af21c3c3b208d24740b975705d2bca0c51684c984da01acce093d
SHA512 d21d5aaffa3d24217fe17e8d38a9e452846a0e1cfa2ca6a4e4fe4b4c520f726ff9fb49a291a5f1124c444cfa125b6a5b5bf25dec47076ee3a7bca1ca9ec61e30

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f30260517.exe

MD5 f77f9fab9a0b9ee566fc9697c91d2858
SHA1 f1d27440f44debef40c1cf1be77bfb12ddc0bd7d
SHA256 61229f74e0b38411040fe9444d494259c45f51b6a7f7aad24c80c0c9a06c736a
SHA512 5268bad02215dbbefc4b58f6444e89b826e38646d25cc5c5a6e9712bec32c3fd01a4d90ea4c6e52f8e036a318638ce8d5d9e444b9d03d1f1ef9f7cbf9df3ad5c
