Malware Analysis Report

2025-01-23 06:00

Sample ID 241107-jvb42syfpn
Target 57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c
SHA256 57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c
Tags
amadey healer redline 47f88f lada masi discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c

Threat Level: Known bad

The file 57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c was found to be: Known bad.

Malicious Activity Summary

Healer

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer family

Detects Healer, an antivirus disabler dropper

Amadey

Amadey family

RedLine

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 07:58

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 07:58

Reported

2024-11-07 08:01

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft241188.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4292 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe
PID 4292 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe
PID 4292 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe
PID 2792 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe
PID 2792 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe
PID 2792 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe
PID 1872 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe
PID 1872 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe
PID 1872 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe
PID 2448 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe
PID 2448 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe
PID 2448 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe
PID 4908 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe
PID 4908 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe
PID 4908 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe
PID 4908 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe
PID 4908 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe
PID 2448 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe
PID 2448 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe
PID 2448 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe
PID 1780 wrote to memory of 6068 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe C:\Windows\Temp\1.exe
PID 1780 wrote to memory of 6068 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe C:\Windows\Temp\1.exe
PID 1780 wrote to memory of 6068 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe C:\Windows\Temp\1.exe
PID 1872 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe
PID 1872 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe
PID 1872 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe
PID 2160 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 2160 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 2160 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 2792 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft241188.exe
PID 2792 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft241188.exe
PID 2792 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft241188.exe
PID 2868 wrote to memory of 6024 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2868 wrote to memory of 6024 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2868 wrote to memory of 6024 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c.exe

"C:\Users\Admin\AppData\Local\Temp\57aa5f5713ec92920daba43a9d5a36e0e1ba398aa003fe8905f32f0019325d5c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1780 -ip 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1388

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft241188.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft241188.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 66.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki839669.exe

MD5 c9ec9afb1164e1a759e34f54c36ec2e7
SHA1 e9743bfcd6b903402a1a6c882e751d2bd9fe8164
SHA256 d2a0f34ec0f3dc53f808d5a00eef57f9bf2c96b1e635241dcaa812149e8d61c4
SHA512 75f0566f27a2d2b5c25f5d05d8d9eeca2c25ac7f26bfde7834e285edb0d5f8cca78271e9aa2a8bc68a7ebadd7657d158e82f0d32dffde40566df96bda2a3ecda

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki813379.exe

MD5 4bf3ee90b6cf7d653a77c72bec774405
SHA1 43ed85e347a1f1a4ba81ce0b7dc63cc6b5982a4a
SHA256 a5c548448c45cc50e9490514e94c0a80b0c67c8f2975efbcba5c3a70b04e2bcc
SHA512 888e2c876e83af95197b63fb97317f7bea7bdfc167f190e6d35277bc8aac41e63498c18d1f6b5aba90a5aeed80a53e11418a7fc43c3ee77f82b55179b48af537

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki621530.exe

MD5 0eeb4bce55c4ece2b1163fceaf443de3
SHA1 16c620bae14730970557537c5a2962942bc0def0
SHA256 7f2607a1082805d7fb3106efd4c832a5527658226875ede9862502f011dd711a
SHA512 3015b90ab96079528320ef144bc2f2ea231ffcc8cd59ef345fd46f0ccec4b67ed24f72abfc6fb868832d24ff8e3b5e9ae061877996fed7a6d3491a08cdaab188

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki306114.exe

MD5 f78bc567be4ed341ee60c815cd9ac1ff
SHA1 0cf64136fbbcc01abb7521197660ab371e8f7254
SHA256 61b39f36eee1171fcb8c1278fdb9cdfd8eed0bab81c54b2c9596559b1d82ccaf
SHA512 96d808e266e638555ecdaabc0acbc8f01c5a1827987fdfb99e135a7c9d0a2eab0cf966780d467d1e158a4531f4d811f7d81507667c7feb561e6f944cd30c407e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az594105.exe

MD5 5cc7a6e0666b04068ae2e0d7157644f0
SHA1 de4864e50fa2f3cb88af1c8b841238a08be444eb
SHA256 37bfac44fcd652150acda485daa2eb54a8a36768a4a4b76632817bcad6f95174
SHA512 08947785dad29e4d073c6f81a924c712b40c51f353efdb1fcca2f515adb9eb2a7bbb4b291f6aa9416643f98df392a860a0bbae982f96de721462045ba4f70c65

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu186945.exe

MD5 a4d9d9616d247aa307082a3251b84d2f
SHA1 b206afb70e21eca9a162e938d07e1d47b8562211
SHA256 23a069340d726b4e5540f08e2940b0ac7b65dc54dde0a0471ac4292ac5dec73e
SHA512 98522b68907362635ab7e4bbdf1e739eb5daa8b91dd2d84c60bb21961eda9e83d140190e53fd2745be3d4d5974c6e14c49385635b380ef1546b26dc9dc156b80

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co134800.exe

MD5 1de19130157c1aaac67eec630fd5e071
SHA1 f41f6c796a3e375e03c88cacd5cd83367dd83ea8
SHA256 7856eb317e113b2cc781e5d546aa2358a1c1025e8d1ab0378869d33d8e3ef64c
SHA512 e3aabb969fa73c4d1156b4a2bf88ea522b9adabe93d3d3e8b342d494c30c5eebcfba9ad04786d57af0f6e93349f4b2913474a4b2a8df6281fbad67b0bd8fe032

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dLt45t89.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft241188.exe

MD5 a6617a36bf46010a27095a688b48eb2c
SHA1 b5267081e3125c74d9eeec0bfa954f8ea5b3adcc
SHA256 2b5afa87a5559493b518082e89a7b800aaae55b73e04580e4f685efbcf088b26
SHA512 35be833f64a33704a7a8631f064ad5b968ed3ab6577ae1bd1545cba962d016982ad76035fa49e4fda0e3d95b659cbe307330274aa2607680d01822cac1612804
