Malware Analysis Report

2025-01-23 06:04

Sample ID 241108-agbrpa1bpr
Target 4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e
SHA256 4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e
Tags
amadey healer redline 47f88f lada masi discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e

Threat Level: Known bad

The file 4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 47f88f lada masi discovery dropper evasion infostealer persistence trojan

Redline family

Amadey family

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

Healer

Detects Healer an antivirus disabler dropper

Amadey

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 00:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 00:10

Reported

2024-11-08 00:13

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
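The two registry tables above (Real-Time Protection policy values set to 1 by az020016.exe and bu709419.exe, and TamperProtection set to 0 under Windows Defender\Features) are the part of this report most worth turning into a detection. The script below is an added example, not part of the sandbox report: it parses registry "Set value" rows in the format printed above, folds the WOW6432Node (32-bit) view onto the native key so the same tampering is recognised whichever view a process wrote through, and ranks processes by how many Defender controls they tried to switch off. The sample rows are copied from this report plus one constructed benign row; the key paths and value names are the ones above, the matching rules and the Finding/offenders helpers are mine. Whether such a write takes effect depends on the host's Defender configuration (Tamper Protection exists precisely to resist this), but the attempt itself is the indicator, so a detection should fire on the write event rather than on the resulting Defender state.

```python
"""Flag Windows Defender tampering in sandbox-style registry 'Set value' rows.

Added example for this report. Sample rows are copied from it (plus one constructed
benign row); key paths and value names come from the report, the rest is mine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection that the
# sample set to 1; each one switches a real-time protection component off.
REALTIME_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY = r"HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION"
FEATURES_KEY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\FEATURES"

# Row shape as printed in the report:
#   Set value (<type>) <key>\<name> = "<data>" <process> <target>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<fullpath>.+?) = "(?P<data>[^"]*)" (?P<process>\S+)(?: (?P<target>\S+))?$'
)


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    name: str
    data: str
    reason: str


def normalize_key(path: str) -> str:
    """Upper-case, rewrite \\REGISTRY\\MACHINE as HKLM and drop the WOW6432Node view so a
    32-bit writer and a 64-bit writer of the same policy map onto one key name."""
    key = path.upper().replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    return key.replace("\\WOW6432NODE\\", "\\")


def classify(key: str, name: str, data: str) -> str | None:
    """Return a reason string if (key, name, data) is a Defender-tampering write, else None."""
    if key == RTP_KEY and name in REALTIME_DISABLE_VALUES and data.strip() == "1":
        return f"real-time protection component disabled via policy ({name}=1)"
    if key == FEATURES_KEY and name.lower() == "tamperprotection" and data.strip() == "0":
        return "Defender Features\\TamperProtection set to 0"
    return None


def scan(lines):
    """Parse report rows and return the Defender-tampering writes as Findings."""
    findings = []
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue  # 'Key created' rows, blank lines and other formats are skipped
        raw_key, _, name = m.group("fullpath").rpartition("\\")
        key = normalize_key(raw_key)
        reason = classify(key, name, m.group("data"))
        if reason:
            findings.append(Finding(m.group("process"), key, name, m.group("data"), reason))
    return findings


def offenders(findings):
    """Processes ranked by how many distinct Defender controls they wrote, most first."""
    per_proc: dict[str, set[str]] = {}
    for f in findings:
        per_proc.setdefault(f.process, set()).add(f.name)
    return sorted(((p, sorted(n)) for p, n in per_proc.items()), key=lambda t: (-len(t[1]), t[0]))


# Rows copied from the report's two tables, plus one constructed benign write (last row).
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\ConstructedVendor\Settings\Enabled = "1" C:\Windows\System32\notepad.exe N/A
"""

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS.splitlines())
    for f in found:
        print(f"{f.process.rsplit(chr(92), 1)[-1]:<14} {f.reason}")
    for proc, names in offenders(found):
        print(f"{proc}: {len(names)} Defender controls written -> {', '.join(names)}")
```

Run as a script it lists six tampering writes and shows both az020016.exe and bu709419.exe touching three controls each; the constructed notepad row and the "Key created" row produce nothing, which is the behaviour you want before pointing this at real Sysmon Event ID 13 data.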

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft837259.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
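Two different things appear under persistence in this report and they deserve to be told apart. The wextract_cleanupN RunOnce values written by the sample and by each of its IXP00N.TMP stages are the standard self-cleanup that a Windows self-extracting (wextract/IExpress) package registers: rundll32 advpack.dll,DelNodeRunDLL32 deletes the extraction directory at next logon and does not re-launch anything, so five such entries mostly tell you the payload arrived wrapped in five nested self-extractors. The persistence that matters is the schtasks.exe command line in the Processes section, which registers oneetx.exe from a Temp directory to run every minute. The code below is an added example, not from the report: it parses a schtasks /Create command line into its switches, scores the usual red flags, and separates wextract cleanup entries from RunOnce values that actually launch something. The report's own command line and RunOnce row are the inputs; the third input row is constructed for contrast, and the thresholds and verdict wording are mine.

```python
"""Triage the persistence artefacts in this report: the schtasks /Create command line and
the RunOnce rows. Added example; the command line and the first RunOnce row are copied
from the report, the second RunOnce row is constructed, the heuristics are mine."""
from __future__ import annotations

import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # Windows-style split: quoted chunk or bare word
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\Users\\[^\\]+\\AppData\\|[A-Z]:\\Windows\\Temp\\|[A-Z]:\\ProgramData\\)", re.IGNORECASE
)
# Report row shape: Set value (str) <key>\<name> = "<data>" <process> <target>
RUNONCE_RE = re.compile(r'^Set value \(str\) (?P<fullpath>.+?) = "(?P<data>.*)" (?P<process>\S+) \S+$')


def parse_schtasks(cmdline: str) -> dict | None:
    """Return schtasks switches as {SWITCH: value-or-True}; None if this is not schtasks."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    opts: dict = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        name = tok[1:].upper()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[name] = tokens[i + 1]  # switch with an argument, e.g. /SC MINUTE
            i += 2
        else:
            opts[name] = True  # bare switch such as /Create or /F
            i += 1
    return opts


def triage_task(opts: dict | None) -> list[str]:
    """Reasons a task creation looks like malware persistence (empty list = nothing notable)."""
    reasons: list[str] = []
    if not opts or "CREATE" not in opts:
        return reasons
    mo_raw = str(opts.get("MO", "1"))
    mo = int(mo_raw) if mo_raw.isdigit() else None
    if str(opts.get("SC", "")).upper() == "MINUTE" and mo is not None and mo <= 5:
        reasons.append(f"re-runs every {mo} minute(s) (/SC MINUTE /MO {mo})")
    tr = str(opts.get("TR", ""))
    if USER_WRITABLE.match(tr):
        reasons.append(f"action is in a user-writable location: {tr}")
    tn = str(opts.get("TN", ""))
    if tn.lower().endswith(".exe"):
        reasons.append(f"task name is just the binary name ({tn})")
    if "F" in opts:
        reasons.append("/F overwrites any existing task of that name without prompting")
    return reasons


def classify_runonce(line: str) -> tuple[str, str] | None:
    """(value name, verdict) for a RunOnce 'Set value (str)' row; None for other rows."""
    m = RUNONCE_RE.match(line.strip())
    if not m or "\\CURRENTVERSION\\RUNONCE\\" not in m.group("fullpath").upper():
        return None
    name = m.group("fullpath").rpartition("\\")[2]
    data = m.group("data")
    if name.lower().startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in data:
        return name, ("wextract self-extractor cleanup: deletes its IXP*.TMP extraction directory "
                      "at next logon and launches no payload")
    return name, f"RunOnce autorun launching: {data}"


# Copied from the report's Processes section.
SCHTASKS_CMDLINE = r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F'
# Copied from the report's 'Adds Run key to start application' table.
REPORT_RUNONCE_ROW = r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe N/A'
# Constructed row (not from the report): a RunOnce value that really does start a binary.
CONSTRUCTED_RUNONCE_ROW = r'Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update = "C:\Users\Admin\AppData\Roaming\update.exe" C:\Users\Admin\AppData\Roaming\update.exe N/A'

if __name__ == "__main__":
    opts = parse_schtasks(SCHTASKS_CMDLINE)
    print("schtasks switches:", opts)
    for r in triage_task(opts):
        print("  !", r)
    for row in (REPORT_RUNONCE_ROW, CONSTRUCTED_RUNONCE_ROW):
        print(classify_runonce(row))
```

The split between the two RunOnce verdicts is the practical point: alerting on every wextract_cleanup value would page you for each self-extracting installer a user runs, while the schtasks line (minute interval, Temp path, /F) carries four independent signals and is where a detection rule should live.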

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe
PID 208 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe
PID 208 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe
PID 1096 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe
PID 1096 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe
PID 1096 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe
PID 3104 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe
PID 3104 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe
PID 3104 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe
PID 3776 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe
PID 3776 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe
PID 3776 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe
PID 4860 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe
PID 4860 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe
PID 4860 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe
PID 4860 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe
PID 4860 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe
PID 3776 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe
PID 3776 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe
PID 3776 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe
PID 1344 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe C:\Windows\Temp\1.exe
PID 1344 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe C:\Windows\Temp\1.exe
PID 1344 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe C:\Windows\Temp\1.exe
PID 3104 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe
PID 3104 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe
PID 3104 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe
PID 1072 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 1072 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 1072 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 1096 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft837259.exe
PID 1096 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft837259.exe
PID 1096 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft837259.exe
PID 4508 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4508 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4508 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
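Every row in the table above pairs a writer with the process it launched, so the table is also a complete lineage record for the detonation, repeated rows included. The script below is an added example and not part of the report: it parses rows in this exact format, de-duplicates them, and prints the process tree, which makes the structure visible at a glance: a chain of nested self-extractor stages (ki489347 to ki947228, each in its own IXP00N.TMP directory) that fans out into the az020016/bu709419 pair responsible for the Defender tampering above, the co213719 to 1.exe branch, the dQo67t57 to oneetx.exe to schtasks.exe branch, and ft837259. The rows are copied from the report; only the helper names are mine.

```python
"""Rebuild the process tree from 'PID X wrote to memory of Y' rows. Added example; the
rows below are copied from the report (its repeated rows kept to show de-duplication)."""
from __future__ import annotations

import re
from collections import defaultdict

# Row shape: PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$")

# Copied from the report's WriteProcessMemory table (one row per launch, first row repeated).
SAMPLE_ROWS = r"""
PID 208 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe
PID 208 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe
PID 1096 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe
PID 3104 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe
PID 3776 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe
PID 4860 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe
PID 4860 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe
PID 3776 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe
PID 1344 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe C:\Windows\Temp\1.exe
PID 3104 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe
PID 1072 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 1096 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft837259.exe
PID 4508 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
"""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_writes(lines):
    """Return ({child_pid: parent_pid}, {pid: image path}); repeated rows collapse to one edge."""
    parent_of: dict[int, int] = {}
    image: dict[int, str] = {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        image.setdefault(src, m["src_img"])
        image.setdefault(dst, m["dst_img"])
        parent_of.setdefault(dst, src)  # first writer is the creator; later rows are repeats
    return parent_of, image


def build_tree(parent_of):
    """Roots (PIDs nobody wrote to) and a parent -> children map in first-seen order."""
    children: dict[int, list[int]] = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    roots = sorted({p for p in parent_of.values() if p not in parent_of})
    return roots, children


def lineage(pid: int, parent_of, image) -> list[str]:
    """Image basenames from the root down to pid."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [basename(image[p]) for p in reversed(chain)]


def render(roots, children, image) -> list[str]:
    """Indented text tree, one line per process."""
    out: list[str] = []

    def walk(pid: int, depth: int) -> None:
        out.append("  " * depth + f"{pid}  {basename(image[pid])}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


if __name__ == "__main__":
    parent_of, image = parse_writes(SAMPLE_ROWS.splitlines())
    roots, children = build_tree(parent_of)
    print("\n".join(render(roots, children, image)))
    print("deepest path:", " > ".join(lineage(3568, parent_of, image)))
```

Reading the rendered tree against the Files section is a quick way to pair each dropped hash with its position in the chain; the five-deep lineage from the submitted sample to schtasks.exe is the path an EDR process-tree query would have to follow to tie the scheduled task back to the original file.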

Processes

C:\Users\Admin\AppData\Local\Temp\4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e.exe

"C:\Users\Admin\AppData\Local\Temp\4a02a7860c73cb4f2c593e7036c1562c5d763a232af67e10af10533474ad5e0e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 884 -ip 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1104

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1344 -ip 1344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1388

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft837259.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft837259.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki489347.exe

MD5 6e170299ac30c283be4237f8c6b6e6fd
SHA1 75661e65154373f3dc37b8e5376a2882bb4435b4
SHA256 28aee3382d5f37b0b4ef48dc616178c32b0316da891a9285f8f715fe2a7b0c6b
SHA512 9a3dff2b4340ec30354d9fe94fdcdb0e90484bf6116c02e03c3f72c163b442f0b804aac23bacca284a765c26818db339d3bb26c3ea3cbe6eda6a92a9028110e2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki978481.exe

MD5 0e393f48b5aa5a0b4006e7b519ff0f5c
SHA1 37e3b8bfd5d8ee0401d6417103d2641bec9b0c24
SHA256 3e6fc71be5c7b8684cb9cddc738a8b309a7f02c5c9de80b608fe511917dd64e6
SHA512 a5d9cbfe0790a3361addfd0854e7ca37bfb3623c3f3fa0a3a470719aaf237173d6bc1dc03d71ba4126232b5c8033c8797861cd8f3e371331694c09bed4a8e6ec

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki458401.exe

MD5 1b6a8e974234b1a1d61b66432f80384a
SHA1 aeea542b7d97558454cbb295cadd66b323aa4583
SHA256 ea2cbf3f67b3957398590f809683a44ebd13fd0ac7df662cc98ed02760081b27
SHA512 37aae19625e7cdfc4c42f97c654a7d5577252f4e14bbb0c9b7737d8526aa8e56f27bb87cdd83316fe987a13577d5c72a75a998d80f1872bdbe401ac4139c21fd

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki947228.exe

MD5 4fc0d64fc096ebb569ecc4c8ab9df10d
SHA1 78eea312fb2410eff61431194063b13e71649593
SHA256 a20f80ad750f4305be7f4cf6e3a712a8f91bfd1f0090228f24829c6d9828e7c0
SHA512 693968d5796b19c70f8118b7be2ce268a15ca2eafe1c0e8516423fb66efb60fd1ff225b6cfbb540915c8023314f355c26ff68a6872d01eb8f0e85e0d5ffe1c91

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az020016.exe

MD5 e0233372fb5a978e424016b9233a3f95
SHA1 5dbc3e695cbbb7c8d982fac7c330d199cb461141
SHA256 111c507d7b970b8a17f2b1c7828b9dd35f14e73461ac9afa986c9f9dabeffba6
SHA512 4e82c114e995bb3582ed1b478465eea994e478d64f5859bf45ab02452705b56865580f2feddba76ae550787b0d60920c8c984578977e7615060ab9cf1b955e9d

memory/2704-35-0x00000000003C0000-0x00000000003CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu709419.exe

MD5 73d6dee17d685eaf41a7c26aea5beb7d
SHA1 80c90130b4fafa56ff2b6aa79cea05c3c4d6c1ee
SHA256 4e714b44a817eb3a0c322a4c3428b4ee8114e6018d744aca3d8c1a108a91da28
SHA512 3e4f7682f169d555eef104401c8fbb059927dfd4d165e00252f2f210f9caf4016ee50a889dd03837772e854ef07e53fceaf4279ff0738ac72d34606d4a2c8e31

memory/884-41-0x0000000002370000-0x000000000238A000-memory.dmp

memory/884-42-0x0000000004A20000-0x0000000004FC4000-memory.dmp

memory/884-43-0x0000000005010000-0x0000000005028000-memory.dmp

memory/884-44-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-49-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-71-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-70-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-67-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-65-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-63-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-61-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-59-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-57-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-55-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-53-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-51-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-47-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-45-0x0000000005010000-0x0000000005022000-memory.dmp

memory/884-72-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/884-74-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co213719.exe

MD5 19d51f98c9bc342ceeebb44904d2e3f2
SHA1 f1f13d109840255a53922256ad7106c87e2991a1
SHA256 9a9acacf9bf88208d75099aadd288478e3a3082632824f06ce2752f61b3f30b1
SHA512 149d49a2656962a256d35bd56beb07d74e5cbc7db4907fbda037855a79466947a44bfd752af65176520a82cd8ef25393e52d9c8685c0c3a0ee2afe7ea0df1969

memory/1344-79-0x00000000025B0000-0x0000000002618000-memory.dmp

memory/1344-80-0x0000000002620000-0x0000000002686000-memory.dmp

memory/1344-92-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-96-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-114-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-112-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-110-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-109-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-106-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-104-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-102-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-100-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-98-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-94-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-90-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-88-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-86-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-84-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-82-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-81-0x0000000002620000-0x0000000002680000-memory.dmp

memory/1344-2223-0x0000000005440000-0x0000000005472000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/6108-2236-0x00000000006F0000-0x000000000071E000-memory.dmp

memory/6108-2237-0x0000000004ED0000-0x0000000004ED6000-memory.dmp

memory/6108-2238-0x00000000056B0000-0x0000000005CC8000-memory.dmp

memory/6108-2239-0x00000000051A0000-0x00000000052AA000-memory.dmp

memory/6108-2240-0x0000000004F60000-0x0000000004F72000-memory.dmp

memory/6108-2241-0x00000000050D0000-0x000000000510C000-memory.dmp

memory/6108-2242-0x0000000005120000-0x000000000516C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dQo67t57.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft837259.exe

MD5 6734c4780a0ae09bc29f9b6ce31cd41c
SHA1 f8a4520eea9a1b5a772f855903c4dcf3f0947216
SHA256 99c5542c9cd15eda934000f8dd53277961413696de939c3e71751b4775985008
SHA512 4af31eb15c234387f7fa946a515db1ad801d772dfc07e22cdf42949771be16035aa31a124386ab8073cb76fb18e689650a2afe910ccd6b714c952aa7b0cdfa7e

memory/3208-2260-0x00000000008D0000-0x00000000008FE000-memory.dmp

memory/3208-2261-0x00000000011D0000-0x00000000011D6000-memory.dmp