Malware Analysis Report

2025-04-13 23:55

Sample ID 241104-zltwhaxekp
Target 8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1
SHA256 8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1

Threat Level: Known bad

The file 8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey family

RedLine

RedLine payload

Redline family

Healer family

Detects Healer, an antivirus disabler dropper

Healer

Amadey

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:48

Reported

2024-11-04 20:51

Platform

win7-20240729-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe
PID 1164 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe
PID 1664 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe
PID 2596 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe
PID 2596 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe
PID 2480 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1664 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe
PID 2444 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe

"C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {83CAE05B-457F-455D-BC0E-8D3033EAC87C} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp

Files

memory/2204-0-0x00000000045C0000-0x00000000046C7000-memory.dmp

memory/2204-1-0x00000000045C0000-0x00000000046C7000-memory.dmp

memory/2204-2-0x0000000004780000-0x0000000004891000-memory.dmp

memory/2204-3-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe

MD5 2fd9aa68544b56c3e3ca59f349c1f9bc
SHA1 7e5c86100808545a738b8e54d04b1ddc58022535
SHA256 87d88ae0acfec206089d3333156ab5c0febfed00995616fbf9d021159c8cc6a3
SHA512 11ea565d3553864a267a099bba6392916c5cf0e061d70bf4b282ee43eb39d4f14c6b0e77dcbfcb7c45f239d4ab788f3487750e3302d8bb7c7fd42a9fa0a9566b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe

MD5 109a78aa95e46d400f298e2413266634
SHA1 df07508990d319d7fb2c7b6cd35ea2195675c692
SHA256 1761d720d1c3aec2d47b8abbc248aab422b3d368e4f1861be4e9c77d901faa26
SHA512 c1d1e38feb2a1c4b10bee528ca2c55e8050843e964880d2631449a26162965d4da29b6bb0c4ed521808e320177e4d991dd6dbb2521aef3c655cade68c4bde559

\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe

MD5 5b5c75a9a5a9eba88436c609dde2c296
SHA1 38e49367ffda431e58cdb89741d820ee413161cb
SHA256 ee5f1d9c7ef5915cd257146919b254d00b258edf0899498fe5c33ac599910e86
SHA512 9884336575dd0f6ca4823483d028c9e2041a76aa179b374a20b2ffdeb2329a414a6976511a9ccb731bf9ba4390b31f17c132fdf5adfe1a2f9783cb35394e97c9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2600-42-0x0000000000C00000-0x0000000000C0A000-memory.dmp

memory/2204-43-0x00000000045C0000-0x00000000046C7000-memory.dmp

memory/2204-44-0x0000000004780000-0x0000000004891000-memory.dmp

memory/2204-46-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2204-45-0x0000000000400000-0x0000000002C97000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe

MD5 a9891aff23463349365d9db34f973f37
SHA1 459b2ad7e1abf10cd47ae094748978a0dfd92676
SHA256 394e802f27b9e9d2d75ba23dcc0ac8526f998a63f9e7eb91937bd443884537cd
SHA512 5c5775b5187cafb78accea2da03a7f3629d7a09785fe2d109598b8c5c1f44a0ab9f442224f80d39df541da4ff4ea276cdf0ced68057e57fc0f04f7e0f6a3f40d


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 20:48

Reported

2024-11-04 20:51

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 548 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe
PID 4448 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe
PID 1976 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe
PID 3564 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe
PID 3564 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe
PID 3516 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1976 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe
PID 2956 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3748 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3748 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3748 wrote to memory of 3820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe

"C:\Users\Admin\AppData\Local\Temp\8adbe79ff502bb7832393b9824fd3120ad2616903afe9c589530928b76149ac1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe
