Malware Analysis Report

2025-01-23 06:03

Sample ID 241107-sgqjysvbnr
Target 47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418
SHA256 47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418
Tags
amadey healer redline 47f88f lada maxi discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418

Threat Level: Known bad

The file 47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 47f88f lada maxi discovery dropper evasion infostealer persistence trojan

RedLine payload

Healer

Amadey

Detects Healer an antivirus disabler dropper

Amadey family

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:06

Reported

2024-11-07 15:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft603383.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3896 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe
PID 3896 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe
PID 3896 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe
PID 1120 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe
PID 1120 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe
PID 1120 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe
PID 764 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe
PID 764 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe
PID 764 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe
PID 5088 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe
PID 5088 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe
PID 5088 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe
PID 4040 wrote to memory of 3756 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe
PID 4040 wrote to memory of 3756 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe
PID 4040 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe
PID 4040 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe
PID 4040 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe
PID 5088 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe
PID 5088 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe
PID 5088 wrote to memory of 3140 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe
PID 3140 wrote to memory of 5608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe | C:\Windows\Temp\1.exe
PID 3140 wrote to memory of 5608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe | C:\Windows\Temp\1.exe
PID 3140 wrote to memory of 5608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe | C:\Windows\Temp\1.exe
PID 764 wrote to memory of 5896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe
PID 764 wrote to memory of 5896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe
PID 764 wrote to memory of 5896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe
PID 5896 wrote to memory of 6116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 5896 wrote to memory of 6116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 5896 wrote to memory of 6116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 1120 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft603383.exe
PID 1120 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft603383.exe
PID 1120 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft603383.exe
PID 6116 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 6116 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 6116 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418.exe

"C:\Users\Admin\AppData\Local\Temp\47668374e98c56554c8d87889f4fa7b16b3058149244937e4d6294ba5c925418.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 832 -ip 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3140 -ip 3140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1504

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft603383.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft603383.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki784242.exe

MD5 9ea6d22af60b13399ad8826f0fc917d2
SHA1 c5c5ea456dbb67e4208fb6e544e2218a5bbc3cd0
SHA256 b5ec3d3504786d73cda7542cb87cc0dfca75332c9d8048cde32b78c21e218ba2
SHA512 60ca351bf254d3850ab7a90a6354a09a4d10e82342d3427f2e7eeb7809c0165ad70f6468b31911993f3bb785532b6644fc0c6954907e24e80d6dc3dab40f745a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki661302.exe

MD5 c22068daf34be6ccb306f0ca359e0471
SHA1 8a9c025190caa6c7aad47843221f8f8924fdb5d0
SHA256 dbbb629ff3e174df1538f6fabe4c3d4e0ab6415331bb32184a3a554f34a98155
SHA512 c7dd00f8d70ef9bc8a5c21f0e4e4ac8b09bf61877261802ae5d7bb52b72580062c063bf67519beed77d17f6c5fa6d192934e975f0d2cc0865c692e9a9df7f77d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki849119.exe

MD5 09d043dc1cdcfaaf9c9c8e8888e93f9b
SHA1 37031faa583f2ae1ad6afda72f930b26795754ad
SHA256 2dce2fe7be69baaf3a0843a4de1bd5ab59f4fc7d28550fbc3e3ec9a5c9cf5747
SHA512 66af2ece8debc6bfa13973de3410d5168839dd1cd76a8f60c8a0289b89236607fe95e15e982caadf95244f5f9917eff50615ed7eb089dc482c78f78e0aef8289

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki620822.exe

MD5 eef542ea1ba7a906372811466a3db0c2
SHA1 80c1d63c67da5c29e313c11ae7a91b3a1bf8ba69
SHA256 f611df1f7cc024807635a7bc888074d25d4d574f02002dd28563248450f07ad9
SHA512 2346bfc4243390043818f2fe31616a25e9b9e5810c4da893dccbd7f01ad4619733fbb0c09d7a155d63c6ec9bebe7123826cf5e90db223799fee059b77e1e8b9d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az222216.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3756-35-0x00000000007C0000-0x00000000007CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu166094.exe

MD5 c22722673d9ba17e8111e30161140b7d
SHA1 d6ae3961bd50183bf37cf7d03b8f1ffea1f79972
SHA256 9c7b55714877b9eba375ddbe0ecfeae06c162bc1eb49578670440c8d2126e746
SHA512 9c4b4f2fb348d4d9fe014e86f1d4da2579ca36da5f08831d876cdfe512e804690f5d07a16b114ea8a4a26913147171136c39c4c92e8cacf1f4939c55d4ab53fd

memory/832-41-0x00000000025B0000-0x00000000025CA000-memory.dmp

memory/832-42-0x0000000004F30000-0x00000000054D4000-memory.dmp

memory/832-43-0x0000000004DB0000-0x0000000004DC8000-memory.dmp

memory/832-44-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-51-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-71-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-69-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-67-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-66-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-63-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-61-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-60-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-57-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-55-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-49-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-47-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-45-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-54-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

memory/832-72-0x0000000000400000-0x0000000000809000-memory.dmp

memory/832-74-0x0000000000400000-0x0000000000809000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5720.exe

MD5 f4c9ee4a4971b6c59d5a0047e5b0b79e
SHA1 9097dd4ab8cb9d6dd2a731a8aa2362dbe32e805a
SHA256 28365fe9ee4d76786225840980b4e554d1a0fa6a974ce48aa917d5d1f70b5847
SHA512 0ca29256a6bb56ae4ae9f55539381b20d65c7d4abcb79a27eb84239acddf2eab6cb3b32546b3e82cd5541f0572b06a96f2b3078be441d7a78f2d11d86224b85d

memory/3140-79-0x0000000004F40000-0x0000000004FA8000-memory.dmp

memory/3140-80-0x0000000005560000-0x00000000055C6000-memory.dmp

memory/3140-108-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-114-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-112-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-110-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-106-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-104-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-102-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-100-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-98-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-97-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-95-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-92-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-90-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-88-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-86-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-84-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-82-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-81-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/3140-2223-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/5608-2236-0x0000000000530000-0x000000000055E000-memory.dmp

memory/5608-2237-0x0000000000C70000-0x0000000000C76000-memory.dmp

memory/5608-2238-0x0000000005530000-0x0000000005B48000-memory.dmp

memory/5608-2239-0x0000000005020000-0x000000000512A000-memory.dmp

memory/5608-2240-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/5608-2241-0x0000000004F10000-0x0000000004F4C000-memory.dmp

memory/5608-2242-0x0000000004F60000-0x0000000004FAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnk60s88.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft603383.exe

MD5 f3f0110dd728ebd7a2e20609f3b7ff33
SHA1 9e846ddfc4e53793c77a8b74395ed1c1c73da027
SHA256 f7dbb53256eb8a1896925f31a12ef486afea188abd1ff3b67ae7325e5e756751
SHA512 81da25c6e399a6f312473b567541a72cb9a7907dec4a572af2e3b44fe8ff37465a06652b8cf903e152518f518b16a5055c598f34dd96306aa1b620d0b0a0bc4f

memory/3280-2260-0x0000000000F10000-0x0000000000F40000-memory.dmp

memory/3280-2261-0x0000000005730000-0x0000000005736000-memory.dmp