Malware Analysis Report

2025-01-23 06:00

Sample ID 241107-hh37bszpbq
Target 2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc
SHA256 2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc
Tags
amadey healer redline 47f88f lada maxi discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc

Threat Level: Known bad

The file 2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 47f88f lada maxi discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine payload

RedLine

Detects Healer an antivirus disabler dropper

Redline family

Healer family

Amadey

Amadey family

Healer

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 06:45

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 06:45

Reported

2024-11-07 06:47

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Both IXP004.TMP droppers write the same five values under the Real-Time Protection policy key. az818601.exe writes the native SOFTWARE\Policies path; bu901435.exe (a 32-bit process, see the SysWOW64\WerFault.exe entries for PID 3428 under Processes) writes the WOW6432Node view. These policy values only take effect for an elevated writer and are ignored while Tamper Protection is on; the sandbox records the write calls, not whether Defender honoured them.

Process C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az818601.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"

Process C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu901435.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"

RedLine

infostealer redline

RedLine payload


Redline family

redline

Checks computer location settings

Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation by:
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co220815.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkT15t90.exe
  C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Windows security modification

evasion trojan
Writing Features\TamperProtection = 0 is the attempt to switch Tamper Protection off so that the Real-Time Protection policy values above are honoured. With Tamper Protection enabled, Defender blocks changes to this value from anything but its own management channels; the sandbox logs the attempt, not its outcome.

Process C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az818601.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"

Process C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu901435.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
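Detection logic for the two Defender sections above, written for this report as an added example (it is not sandbox code). It reads rows in the same Description/Indicator/Process layout as the tables, folds the WOW6432Node spelling onto the native path so that both droppers match one rule, and separates policy-level disabling of real-time protection from the Tamper Protection write. The first four sample rows are copied from the report; the gpupdate.exe row is a constructed benign control that must not fire.

```python
"""Flag registry writes that switch Microsoft Defender features off.

Added example for this report, not sandbox output. Rows use the
"Description Indicator Process Target" layout of the signature tables.
"""
import re
from dataclasses import dataclass

# Policy key whose Disable* values turn individual real-time protection components off when set to 1.
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableOnAccessProtection",
    "DisableIOAVProtection", "DisableScanOnRealtimeEnable",
}
# Key holding the Tamper Protection switch; 0 means off.
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Matches: Set value (<type>) <path> = "<data>" <process> <target>. "Key created" rows do not match.
SET_VALUE_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<process>\S+)')

SAMPLE_ROWS = [
    # from the report: bu901435.exe writes through the WOW6432Node view
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu901435.exe N/A',
    # from the report: az818601.exe writes the native policy path
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az818601.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az818601.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az818601.exe N/A',
    # constructed benign control: re-enabling monitoring (data "0") must not be flagged
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\gpupdate.exe N/A',
]


@dataclass(frozen=True)
class Finding:
    process: str   # image name of the writing process
    value: str     # registry value that was written
    reason: str


def normalize_view(path: str) -> str:
    """Fold the WOW6432Node spelling (what a 32-bit process sees under WOW64) onto the native path."""
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.IGNORECASE)


def analyze(rows):
    """Return one Finding per row that disables a Defender component or Tamper Protection."""
    findings = []
    for row in rows:
        m = SET_VALUE_RE.match(row.strip())
        if not m:
            continue
        key, _, value = normalize_view(m["path"]).rpartition("\\")
        process = m["process"].rsplit("\\", 1)[-1]
        data = m["data"]
        if key.lower() == RTP_POLICY_KEY.lower() and value in RTP_DISABLE_VALUES and data == "1":
            findings.append(Finding(process, value, "real-time protection component disabled by policy"))
        elif key.lower() == FEATURES_KEY.lower() and value == "TamperProtection" and data == "0":
            findings.append(Finding(process, value, "Tamper Protection switched off"))
    return findings


def summarize(findings):
    """Map each writer to the sorted list of Defender values it touched."""
    out = {}
    for f in findings:
        out.setdefault(f.process, []).append(f.value)
    return {p: sorted(v) for p, v in out.items()}


if __name__ == "__main__":
    for process, values in summarize(analyze(SAMPLE_ROWS)).items():
        print(f"{process}: {', '.join(values)}")
```

Run directly it prints one line per writer. On a live host the same two rules apply to Sysmon Event ID 13 (RegistryEvent, value set) records, with the TargetObject prefix mapped from HKLM to \REGISTRY\MACHINE and the same WOW6432Node normalization applied before comparison.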

Adds Run key to start application

persistence
The five RunOnce values below are wextract_cleanupN entries: each self-extractor stage registers rundll32.exe advpack.dll,DelNodeRunDLL32 to delete its own IXP00N.TMP extraction directory at the next logon. They are a packaging artifact of the nested SFX chain, not persistence for a payload; the payload's persistence is the oneetx.exe scheduled task listed under Processes.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki618803.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki460807.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki654702.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki191622.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
  C:\Users\Admin\AppData\Local\Temp\2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki618803.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki460807.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft150484.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki654702.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkT15t90.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki191622.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co220815.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu901435.exe
  C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  C:\Windows\Temp\1.exe
  C:\Windows\SysWOW64\schtasks.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Process C:\Windows\SysWOW64\schtasks.exe (spawned by C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe; full command line under Processes)

Suspicious use of AdjustPrivilegeToken

Token SeDebugPrivilege enabled by:
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az818601.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu901435.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co220815.exe

Suspicious use of WriteProcessMemory

Identical rows of the sandbox table are collapsed below; the count is the number of logged writes. Every target is an image the writer itself launches (see Processes), which is consistent with ordinary process creation, where the parent populates the new process's startup data, rather than injection into an unrelated process that was already running.
Writer PID -> Target PID (writes)  Writer image -> Target image
2528 -> 1352 (3)  C:\Users\Admin\AppData\Local\Temp\2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc.exe -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki618803.exe
1352 -> 940 (3)  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki618803.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki460807.exe
940 -> 1084 (3)  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki460807.exe -> C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki654702.exe
1084 -> 1356 (3)  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki654702.exe -> C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki191622.exe
1356 -> 2452 (2)  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki191622.exe -> C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az818601.exe
1356 -> 3428 (3)  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki191622.exe -> C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu901435.exe
1084 -> 3708 (3)  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki654702.exe -> C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co220815.exe
3708 -> 5352 (3)  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co220815.exe -> C:\Windows\Temp\1.exe
940 -> 5596 (3)  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki460807.exe -> C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkT15t90.exe
5596 -> 5860 (3)  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkT15t90.exe -> C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1352 -> 5960 (3)  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki618803.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft150484.exe
5860 -> 3368 (3)  C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe -> C:\Windows\SysWOW64\schtasks.exe
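The flat writer/target rows above hide the shape of the detonation. The following added example, written for this report and not part of the sandbox output, rebuilds the process tree from rows in the sandbox's own "PID X wrote to memory of Y" format. The rows are copied from the table, one per parent/child pair, with the first row repeated to show that repeats are counted on the edge rather than drawn as extra nodes.

```python
"""Rebuild the detonation's process tree from the sandbox's
"PID <parent> wrote to memory of <child>" rows.

Added example for this report, not sandbox output.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc.exe"

# Rows copied from the WriteProcessMemory table; the first one is repeated three times as in the report.
SAMPLE_ROWS = [
    f"PID 2528 wrote to memory of 1352 N/A {SAMPLE} {TEMP}\\IXP000.TMP\\ki618803.exe",
    f"PID 2528 wrote to memory of 1352 N/A {SAMPLE} {TEMP}\\IXP000.TMP\\ki618803.exe",
    f"PID 2528 wrote to memory of 1352 N/A {SAMPLE} {TEMP}\\IXP000.TMP\\ki618803.exe",
    f"PID 1352 wrote to memory of 940 N/A {TEMP}\\IXP000.TMP\\ki618803.exe {TEMP}\\IXP001.TMP\\ki460807.exe",
    f"PID 940 wrote to memory of 1084 N/A {TEMP}\\IXP001.TMP\\ki460807.exe {TEMP}\\IXP002.TMP\\ki654702.exe",
    f"PID 1084 wrote to memory of 1356 N/A {TEMP}\\IXP002.TMP\\ki654702.exe {TEMP}\\IXP003.TMP\\ki191622.exe",
    f"PID 1356 wrote to memory of 2452 N/A {TEMP}\\IXP003.TMP\\ki191622.exe {TEMP}\\IXP004.TMP\\az818601.exe",
    f"PID 1356 wrote to memory of 3428 N/A {TEMP}\\IXP003.TMP\\ki191622.exe {TEMP}\\IXP004.TMP\\bu901435.exe",
    f"PID 1084 wrote to memory of 3708 N/A {TEMP}\\IXP002.TMP\\ki654702.exe {TEMP}\\IXP003.TMP\\co220815.exe",
    f"PID 3708 wrote to memory of 5352 N/A {TEMP}\\IXP003.TMP\\co220815.exe C:\\Windows\\Temp\\1.exe",
    f"PID 940 wrote to memory of 5596 N/A {TEMP}\\IXP001.TMP\\ki460807.exe {TEMP}\\IXP002.TMP\\dkT15t90.exe",
    f"PID 5596 wrote to memory of 5860 N/A {TEMP}\\IXP002.TMP\\dkT15t90.exe {TEMP}\\595f021478\\oneetx.exe",
    f"PID 1352 wrote to memory of 5960 N/A {TEMP}\\IXP000.TMP\\ki618803.exe {TEMP}\\IXP001.TMP\\ft150484.exe",
    f"PID 5860 wrote to memory of 3368 N/A {TEMP}\\595f021478\\oneetx.exe C:\\Windows\\SysWOW64\\schtasks.exe",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


class ProcessTree:
    def __init__(self):
        self.image = {}                    # pid -> image path, in first-seen order
        self.parent = {}                   # child pid -> parent pid
        self.children = defaultdict(list)  # parent pid -> child pids, in first-seen order
        self.writes = defaultdict(int)     # (parent, child) -> number of logged writes

    def add_row(self, row: str) -> bool:
        m = ROW_RE.match(row.strip())
        if not m:
            return False
        parent, child = int(m[1]), int(m[2])
        self.image.setdefault(parent, m[3])
        self.image.setdefault(child, m[4])
        if child not in self.children[parent]:
            self.children[parent].append(child)
            self.parent[child] = parent
        self.writes[(parent, child)] += 1
        return True

    def roots(self):
        """PIDs that never appear as a write target: the submitted sample."""
        return [pid for pid in self.image if pid not in self.parent]

    def depth(self, pid: int) -> int:
        """Number of ancestors, i.e. how many layers deep a process sits under the sample."""
        d = 0
        while pid in self.parent:
            pid, d = self.parent[pid], d + 1
        return d

    def render(self) -> str:
        lines = []

        def walk(pid, depth, writes):
            name = self.image[pid].rsplit("\\", 1)[-1]
            tail = f"  ({writes} write{'s' if writes != 1 else ''} from parent)" if writes else ""
            lines.append("    " * depth + f"{name} [{pid}]{tail}")
            for child in self.children.get(pid, []):
                walk(child, depth + 1, self.writes[(pid, child)])

        for root in self.roots():
            walk(root, 0, 0)
        return "\n".join(lines)


def build_tree(rows) -> ProcessTree:
    tree = ProcessTree()
    for row in rows:
        tree.add_row(row)
    return tree


if __name__ == "__main__":
    print(build_tree(SAMPLE_ROWS).render())
```

Rendered, the tree shows the five nested extractor stages (IXP000.TMP through IXP004.TMP) before the droppers az818601.exe and bu901435.exe, the co220815.exe branch that launches C:\Windows\Temp\1.exe, and the dkT15t90.exe branch that installs oneetx.exe and registers the scheduled task via schtasks.exe.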

Processes

C:\Users\Admin\AppData\Local\Temp\2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc.exe

"C:\Users\Admin\AppData\Local\Temp\2914768256a1d0572768504785254a707da68a8cae03585a73f04a1b2d1488dc.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki618803.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki618803.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki460807.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki460807.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki654702.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki654702.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki191622.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki191622.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az818601.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az818601.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu901435.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu901435.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3428 -ip 3428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co220815.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co220815.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3708 -ip 3708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1388

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkT15t90.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkT15t90.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft150484.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft150484.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
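Persistence triage for the RunOnce values under "Adds Run key to start application" and the schtasks command line listed above, as an added example written for this report (not sandbox code). The command line and registry values are copied from the report, with the RunOnce data shown unescaped as it is stored in the registry; the thresholds (a repeat interval of five minutes or less, an action path under AppData\Local\Temp) are my own choices.

```python
"""Triage the two persistence mechanisms recorded in this report: the
RunOnce values written by the nested self-extractor stages and the
scheduled task created for oneetx.exe.

Added example for this report, not sandbox output.
"""
import re

# Copied from the Processes section.
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F')

# Copied from "Adds Run key to start application", data unescaped.
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUES = [
    (f"{RUNONCE_KEY}\\wextract_cleanup{n}",
     f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP00{n}.TMP\\"')
    for n in range(5)
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd: str):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_schtasks(cmd: str) -> dict:
    """Pick the /Create options that matter for triage out of a schtasks command line."""
    args = split_cmdline(cmd)
    task = {"exe": args[0], "create": False, "force": False, "sc": None, "mo": None, "tn": None, "tr": None}
    i = 1
    while i < len(args):
        flag = args[i].upper()
        if flag == "/CREATE":
            task["create"] = True
        elif flag == "/F":
            task["force"] = True
        elif flag in ("/SC", "/MO", "/TN", "/TR") and i + 1 < len(args):
            task[flag[1:].lower()] = args[i + 1]
            i += 1
        i += 1
    if task["mo"] is not None:
        task["mo"] = int(task["mo"])
    return task


MINUTES_PER_UNIT = {"MINUTE": 1, "HOURLY": 60, "DAILY": 1440}


def interval_minutes(task: dict):
    """Repeat interval in minutes, or None for triggers that are not periodic (ONLOGON, ONCE, ...)."""
    unit = MINUTES_PER_UNIT.get((task["sc"] or "").upper())
    return None if unit is None else unit * (task["mo"] or 1)


def assess_task(task: dict):
    """Reasons the task looks like malware persistence; thresholds are this example's own choices."""
    reasons = []
    minutes = interval_minutes(task)
    if minutes is not None and minutes <= 5:
        reasons.append(f"repeats every {minutes} minute(s): the payload is relaunched almost as soon as it is killed")
    if task["tr"] and re.search(r"\\AppData\\Local\\Temp\\", task["tr"], re.IGNORECASE):
        reasons.append("action runs an executable from the user's Temp directory")
    if task["tn"] and task["tn"].lower().endswith(".exe"):
        reasons.append("task name is the bare executable name")
    if task["force"]:
        reasons.append("/F replaces any existing task of that name without prompting")
    return reasons


CLEANUP_RE = re.compile(r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"', re.IGNORECASE)


def classify_runonce(name: str, data: str) -> dict:
    """wextract_cleanupN plus advpack!DelNodeRunDLL32 is the self-extractor stub scheduling deletion of
    its IXP00N.TMP directory at next logon; anything else under RunOnce is treated as an autostart."""
    value = name.rsplit("\\", 1)[-1]
    m = CLEANUP_RE.match(data)
    if value.lower().startswith("wextract_cleanup") and m:
        return {"value": value, "kind": "sfx_cleanup", "target": m["dir"].rstrip("\\")}
    return {"value": value, "kind": "autostart", "target": data}


def triage(cmd=SCHTASKS_CMD, runonce=RUNONCE_VALUES) -> dict:
    task = parse_schtasks(cmd)
    return {"task": {**task, "reasons": assess_task(task)},
            "runonce": [classify_runonce(n, d) for n, d in runonce]}


if __name__ == "__main__":
    result = triage()
    print("scheduled task:", result["task"]["tn"], "->", result["task"]["tr"])
    for reason in result["task"]["reasons"]:
        print("  -", reason)
    for entry in result["runonce"]:
        print(f"{entry['value']}: {entry['kind']} ({entry['target']})")
```

triage() returns one dict: the oneetx.exe task is flagged on all four counts (one-minute repeat, Temp path, bare executable name as task name, /F), while every wextract_cleanupN value classifies as sfx_cleanup with its IXP00N.TMP directory as the deletion target, so it drops out of the persistence picture.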

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
RU 185.161.248.90:4125 (none) tcp 10
RU 193.201.9.43:80 (none) tcp 4

Repeated flows are collapsed with a count. The in-addr.arpa entries are reverse (PTR) lookups sent to 8.8.8.8; the two RU endpoints are the only outbound connections recorded and are the network indicators to take from this detonation: 185.161.248.90 on TCP/4125 (ten connections) and 193.201.9.43 on TCP/80 (four connections).

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki618803.exe

MD5 843e8f69ad96fa83bb0526f448073c6c
SHA1 97fe16795b3a084c2212ce61c6e65278d9293383
SHA256 ad5a9cd0491c713d10fa0c9a884fec98964c851b31d095ddd63252f769afa8e9
SHA512 27741ad9ba9fbb4a80b5db532f7c67b4b4caec479188e46d82f07481539d5654d0683c7dc76b0b973d5a3af7a655c47823162406aebdfb9edebf25abafb03b20

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki460807.exe

MD5 8f7ddd5925c136ffb1505ace615a2b1f
SHA1 384e3b0852ba0e39d79f8f7627a26c44f993c086
SHA256 333e6e2a9f6954e627e3486a53df168924cd809865fa8374d759faf98235da6c
SHA512 8946b9629d347afd7cb8b39cedcd0e7552eccc5754125345e0182bfa764fd2928286b22dafca750757dac9608bb09060a242571a0ecf3a9d6ebe1b7dc22434bb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki654702.exe

MD5 7099c430deb15fbfd8c643a2aa5980b6
SHA1 d94b6595b2ed5fae2a1378844dbc90b92621330b
SHA256 7cc8742c21743a956583d70cb58d476a0cbc454552799cb1516a92ed04eed283
SHA512 892ff238c09b8f81d94f6e019d8c6aa036262e4ba7a1729fe8d033c0ac47eab26c7a6cd66487092a0787616f9fe674fcb8d75511cbcfd7c88e66abcc4c3c1323

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki191622.exe

MD5 d62ec34a9799b26b68f2efb067d766c4
SHA1 5d96151bf550d9c1e3d1699cb054e8798394ad9c
SHA256 3eaf1df59ec664978a527095a3e5cb26e82943790e4ea86ba4993b0d02e9465c
SHA512 8127097dc67baba9eb3e58b1b8e39d6c6ec00a35d5fabbd1e7bff67e791fe50eb36af5bdee35b34fb060f05c92771a38377c480d7508d511275f84658bf57516

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az818601.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2452-35-0x0000000000790000-0x000000000079A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu901435.exe

MD5 786beda6a173f9c2fcf4109abe9b9c05
SHA1 c47165673c634d487f133a9c49e303758f652258
SHA256 36c9fee28178260c1c8638ceb96c653662154b32be4868ab2d936b508e650c60
SHA512 c878fe45097c74591cc3752920139cfd3bd6a5d5ed519b54e59274fe45d716c1175fcbb04b0595725dee794ec8de9acb3f15b5f77c1895dc470d4a4b111871a8

memory/3428-41-0x00000000026D0000-0x00000000026EA000-memory.dmp

memory/3428-42-0x0000000004EF0000-0x0000000005494000-memory.dmp

memory/3428-43-0x0000000004DA0000-0x0000000004DB8000-memory.dmp

memory/3428-71-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-69-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-67-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-65-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-63-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-61-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-59-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-57-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-55-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-53-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-51-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-49-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-47-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-45-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-44-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/3428-72-0x0000000000400000-0x000000000080A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co220815.exe

MD5 30bad4374d4cb3fae7b8f168d6b1b670
SHA1 79b8d1a3783a8d8a1c52a2c4f4ab4ccc8ee1ebad
SHA256 0af4cfbe97735bd3685056e371428e58f0b2136b88adb22dcaab56864ad1b788
SHA512 2f012d5548da1d07f1bf2c5fff8326d486ed60107c0ae2b236698d2253b2436b5f6ffc6662db6d8d78d8bd0ea3ee64f893437d33f9174038a5398f4d811f8fc8

memory/3428-74-0x0000000000400000-0x000000000080A000-memory.dmp

memory/3708-79-0x0000000002840000-0x00000000028A8000-memory.dmp

memory/3708-80-0x0000000005530000-0x0000000005596000-memory.dmp

memory/3708-81-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-114-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-112-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-110-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-109-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-106-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-104-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-102-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-100-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-99-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-96-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-94-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-92-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-90-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-88-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-86-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-84-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-82-0x0000000005530000-0x0000000005590000-memory.dmp

memory/3708-2223-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/5352-2236-0x00000000001B0000-0x00000000001DE000-memory.dmp

memory/5352-2237-0x0000000000880000-0x0000000000886000-memory.dmp

memory/5352-2238-0x0000000005110000-0x0000000005728000-memory.dmp

memory/5352-2239-0x0000000004C00000-0x0000000004D0A000-memory.dmp

memory/5352-2240-0x0000000004B30000-0x0000000004B42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkT15t90.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

memory/5352-2245-0x0000000004B90000-0x0000000004BCC000-memory.dmp

memory/5352-2246-0x0000000004D10000-0x0000000004D5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft150484.exe

MD5 f3f0110dd728ebd7a2e20609f3b7ff33
SHA1 9e846ddfc4e53793c77a8b74395ed1c1c73da027
SHA256 f7dbb53256eb8a1896925f31a12ef486afea188abd1ff3b67ae7325e5e756751
SHA512 81da25c6e399a6f312473b567541a72cb9a7907dec4a572af2e3b44fe8ff37465a06652b8cf903e152518f518b16a5055c598f34dd96306aa1b620d0b0a0bc4f

memory/5960-2261-0x0000000002800000-0x0000000002806000-memory.dmp

memory/5960-2260-0x00000000005F0000-0x0000000000620000-memory.dmp