Malware Analysis Report

2025-01-23 06:02

Sample ID 241107-qa82lssfqb
Target b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2
SHA256 b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2
Tags
amadey healer redline 47f88f lada maxi discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2

Threat Level: Known bad

The file b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 47f88f lada maxi discovery dropper evasion infostealer persistence trojan

Amadey family

Healer family

RedLine

Healer

RedLine payload

Amadey

Redline family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 13:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 13:04

Reported

2024-11-07 13:07

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft688719.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3820 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe
PID 3820 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe
PID 3820 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe
PID 708 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe
PID 708 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe
PID 708 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe
PID 2396 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe
PID 2396 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe
PID 2396 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe
PID 1744 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe
PID 1744 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe
PID 1744 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe
PID 1436 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe
PID 1436 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe
PID 1436 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe
PID 1436 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe
PID 1436 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe
PID 1744 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe
PID 1744 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe
PID 1744 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe
PID 228 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe C:\Windows\Temp\1.exe
PID 228 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe C:\Windows\Temp\1.exe
PID 228 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe C:\Windows\Temp\1.exe
PID 2396 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe
PID 2396 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe
PID 2396 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe
PID 4184 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 4184 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 4184 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 708 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft688719.exe
PID 708 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft688719.exe
PID 708 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft688719.exe
PID 4072 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4072 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4072 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2.exe

"C:\Users\Admin\AppData\Local\Temp\b82d47e40d28e285211c121e26c01e83315ad5f5f3cbce782ae9c4ec8fd484d2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1012

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1388

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft688719.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft688719.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki534714.exe

MD5 e03ed949aef720af550d2a9e95a23279
SHA1 ef2199ecd6245747ee4bb40c8d56bd753634ed38
SHA256 d667dede0c15d157688929dbf4d5291ed1a81c2cd2561a8a7c065e15e0c2a3d1
SHA512 93c50b486271b47fe9945e7611d47ca6043814edef8c815016322bfa3254bfa0cf323e9beffddf48b44887e5fcb4fd01d7964cd788cf05a5370a8d3dcf205c57

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki806418.exe

MD5 134c5d26739946e58afd402f8669f322
SHA1 9ff6a360b71403e799918fb7b2c26ddc77d3cd5f
SHA256 13a6008c8fa25464ef7d487f46a43cf511c4fa2be82146d7f438ff9a3f45ccdb
SHA512 b4ef5ba2d74daca8795f4d8b3c500676b21d2588fde401e4cf9aa890626dfd0e39c8653bc937290191fe1836b6ca836e0124f06b97b2c8c7f4bd2a7784af6136

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki488750.exe

MD5 40e09237eb7fce38dabb1d4446340ad9
SHA1 e3e69d7e32aadc15d60fb0230324340155e3d002
SHA256 f565d0a5a57c47407dd9dbc8e15b119ecede01dd6c9c6f3d58f039d7baa3c5fb
SHA512 0cf0c00490f0310008b2ad9770e77aaa3ae25cc5d4ec237bc33998b34d889f85a52d63e5ce235697534ef70a54186b78fc8623b712887b2df2ebfb9ccaa8d92c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki498115.exe

MD5 2f25516e81cfa2053eb2f66e102cdecf
SHA1 9a4dfa4c9142fe74a0d64bad836f4f2a3dd40308
SHA256 b7809ded165135210ddb877d0a70019a6f36b14fd19618fe4033cf5ec6001ff2
SHA512 e30211d678ac2905908ba37efc482eca72bcfad077032ada38b4d68ef8a1f7ffdc683803dec601574bdb6f59a81ef69c6e7339729f378c1d3f93cbacb7838b30

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az882621.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2184-35-0x00000000004E0000-0x00000000004EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu528399.exe

MD5 4125d3638257f1ee7a2b1cb9c47574ec
SHA1 3ab43f19b4d8d3d1852876edfa431dd0cf051589
SHA256 7c0dd0132db29063564927cbe7b47c2b9d7aca382897050151a8ff4c63fc8eb2
SHA512 ae22db85f2ff7d8784c3eb508ed188bc73d5b0175205f748b853d6e53edb4e568aebd7a8ec33dcd636ee4422b852d3c510b8f4ab0170d20ef0eb91c21ad3163f

memory/3148-41-0x0000000002680000-0x000000000269A000-memory.dmp

memory/3148-42-0x0000000004F10000-0x00000000054B4000-memory.dmp

memory/3148-43-0x0000000004DB0000-0x0000000004DC8000-memory.dmp

memory/3148-44-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-49-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-71-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-69-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-67-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-65-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-63-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-61-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-59-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-57-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-55-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-53-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-51-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-47-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-45-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/3148-72-0x0000000000400000-0x000000000080A000-memory.dmp

memory/3148-74-0x0000000000400000-0x000000000080A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co119104.exe

MD5 4bf7659eb60b00daeae1e56bf0cfe1d2
SHA1 e18c81f20be7e9d29f91aca5d4967aaa9c8fd134
SHA256 7ea841b767bf0d5dbc69bfd96d0f2f18651ea4a41d0c9729e037fea7dba88414
SHA512 51aa0792410d895c757f6c96b0043bb80012ed74dbdcb7ef74a5069af047a6cdda90fd06c23a0b494030ce147166a1c3937281ea9b4c93cd443cbe6fc766af01

memory/228-79-0x00000000027E0000-0x0000000002848000-memory.dmp

memory/228-80-0x0000000004F90000-0x0000000004FF6000-memory.dmp

memory/228-82-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-90-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-114-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-112-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-110-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-108-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-106-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-104-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-100-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-98-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-96-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-94-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-92-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-88-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-86-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-84-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-102-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-81-0x0000000004F90000-0x0000000004FF0000-memory.dmp

memory/228-2223-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/184-2236-0x0000000000B10000-0x0000000000B3E000-memory.dmp

memory/184-2237-0x0000000001410000-0x0000000001416000-memory.dmp

memory/184-2238-0x0000000005B20000-0x0000000006138000-memory.dmp

memory/184-2239-0x0000000005610000-0x000000000571A000-memory.dmp

memory/184-2240-0x0000000005480000-0x0000000005492000-memory.dmp

memory/184-2241-0x0000000005500000-0x000000000553C000-memory.dmp

memory/184-2243-0x0000000005540000-0x000000000558C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\daO42t50.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft688719.exe

MD5 f3f0110dd728ebd7a2e20609f3b7ff33
SHA1 9e846ddfc4e53793c77a8b74395ed1c1c73da027
SHA256 f7dbb53256eb8a1896925f31a12ef486afea188abd1ff3b67ae7325e5e756751
SHA512 81da25c6e399a6f312473b567541a72cb9a7907dec4a572af2e3b44fe8ff37465a06652b8cf903e152518f518b16a5055c598f34dd96306aa1b620d0b0a0bc4f

memory/2600-2260-0x0000000000620000-0x0000000000650000-memory.dmp

memory/2600-2261-0x0000000000D90000-0x0000000000D96000-memory.dmp