Malware Analysis Report

2025-01-23 06:04

Sample ID 241108-haaj2swqhz
Target 11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87
SHA256 11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87
Tags
amadey healer redline 47f88f lada masi discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87

Threat Level: Known bad

The file 11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 47f88f lada masi discovery dropper evasion infostealer persistence trojan

RedLine

Healer family

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Amadey family

Amadey

Redline family

RedLine payload

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 06:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 06:31

Reported

2024-11-08 06:34

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft769799.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 740 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe
PID 740 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe
PID 740 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe
PID 1020 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe
PID 1020 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe
PID 1020 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe
PID 4972 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe
PID 4972 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe
PID 4972 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe
PID 3012 wrote to memory of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe
PID 3012 wrote to memory of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe
PID 3012 wrote to memory of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe
PID 3500 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe
PID 3500 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe
PID 3500 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe
PID 3500 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe
PID 3500 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe
PID 3012 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe
PID 3012 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe
PID 3012 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe
PID 4872 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe | C:\Windows\Temp\1.exe
PID 4872 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe | C:\Windows\Temp\1.exe
PID 4872 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe | C:\Windows\Temp\1.exe
PID 4972 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe
PID 4972 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe
PID 4972 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe
PID 3984 wrote to memory of 5172 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 3984 wrote to memory of 5172 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 3984 wrote to memory of 5172 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 1020 wrote to memory of 5224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft769799.exe
PID 1020 wrote to memory of 5224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft769799.exe
PID 1020 wrote to memory of 5224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft769799.exe
PID 5172 wrote to memory of 5428 | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5172 wrote to memory of 5428 | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5172 wrote to memory of 5428 | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87.exe

"C:\Users\Admin\AppData\Local\Temp\11315f0dd988861ea0c900b78f3e34b3ee961da35e011a17b66edbaaaa14ec87.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft769799.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft769799.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki036891.exe

MD5 3ca74c686e0bfa171dd175f6313006cd
SHA1 dee0d231c53da94dc791efe2bf6321c538d106c0
SHA256 a20d61ad80349922670ed54c026e63779500992d748fb6d15ef1f0ba05f81e6e
SHA512 88c12335c28d9a4415cf571accf3fbc6c99db270b561da154da18d3f1c5e8fe51fc647d5ae00fce06a5515fcb8fe6cacbecd2c1754509dd29d15f2f83d0fdf07

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki611408.exe

MD5 13699363d2e74d4572cc1d8de9f0c3c4
SHA1 ec3f5be55cd7868ca9ed30deb191e03924a19c29
SHA256 ffd876b15c84f12b84225f66647cac40aa1f520140e6e0194b1a7d5eb2229609
SHA512 d541a99adc896cf07bc6a604223cf23f8b6c7b6e2d68447ff759b4bf0415319a076e8c1be40fcc966ea20b25a7346d0eb12b8c9c3b9e1512cea368f7ea5bd226

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki759481.exe

MD5 c807881a04767a64d0898808fd34eb3b
SHA1 795eac5c26727eb6f46d8df6f6a5679d2459fd5e
SHA256 bb28b3dbf4fe5aaf41974d712fe8b08bc744974cf63fd59ef4273762d333882c
SHA512 02bd3465c4d6147833c60365961f82093ececccce9bf4bde20e7b12799c02ee722af7fc3e011d32876b3e48b062fd53bf51fbb8de18ec480f073ca6697fde366

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki341905.exe

MD5 9c0e6cb43aa73d6f728b4d70723cc62d
SHA1 72c7c8e2640ccdef6f03d2db8a6b6f5dac9a55b8
SHA256 1ec35a7094ec07b8cf3fa20a3f09a39a81dd82f0b18dc1f42bbff19a5965cb2b
SHA512 c71e67cb3aae7beffedca76f0063ca2a4b73eea311f4c40b11800f6fa42677fa1284126f510008618973c980fdd41b6d45f8b85acd144fc909af0dd389133a81

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az367186.exe

MD5 6c94eb056a187b5548595dc8cfc97b1d
SHA1 52f12562abdbce64a72c0668e74e26e2d48b2407
SHA256 8e0c9536bd5fe0d04ee5ded32726fa988a4bd5ebdb2ccd38e21ee90eb37e5d8c
SHA512 b8e66b5baa9bfe3b2dba36c21645cf5db2656f4d679eda8356da12d6bc6a5a9d3902e5c06261a6d0565e5fa2943ddd8b34b75fce85057646fb061c8d91a37ad7

memory/3312-35-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu382857.exe

MD5 f9d9008f4e49416943a9ce08944a0a95
SHA1 a0f8baf28ca32b8ee5aa829ed565550a0501fc98
SHA256 bda3b3c4f4cc9e86a07629169a57bf792269c5e7ee2c6e5003943ebfe6fd9ee1
SHA512 9b086e030fa540a8a7a203ccf94226de5e15ca04d2b2e59dad828e3c7b5dafd5724263a0874e0528995821f35958016e4b2846e449434a0dede810b4c98146d1

memory/3548-41-0x00000000026B0000-0x00000000026CA000-memory.dmp

memory/3548-42-0x0000000004F70000-0x0000000005514000-memory.dmp

memory/3548-43-0x0000000002A00000-0x0000000002A18000-memory.dmp

memory/3548-47-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-71-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-69-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-67-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-65-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-63-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-61-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-60-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-58-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-55-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-53-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-51-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-49-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-44-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-45-0x0000000002A00000-0x0000000002A12000-memory.dmp

memory/3548-72-0x0000000000400000-0x000000000080A000-memory.dmp

memory/3548-74-0x0000000000400000-0x000000000080A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co261446.exe

MD5 b64c719eb2e82e03358215e53b8adc89
SHA1 317852f3b8d553c76d170e7689c40019bf3fca30
SHA256 c37c29a8369aa78b1604fc47cbde57d4ee50af260fd6fb279f3f320c53d3667a
SHA512 1d5e6f9e9f6cdee7fde469ca59d7a64101222328b39475a4997ad66f40bc1b8896cd35c7473384cab4b70d787a8c55de504fc501d6d2455bc7a872188b5d33de

memory/4872-79-0x0000000002950000-0x00000000029B8000-memory.dmp

memory/4872-80-0x0000000005520000-0x0000000005586000-memory.dmp

memory/4872-100-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-114-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-112-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-110-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-108-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-106-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-104-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-102-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-98-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-96-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-94-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-93-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-88-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-86-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-84-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-82-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-90-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-81-0x0000000005520000-0x0000000005580000-memory.dmp

memory/4872-2223-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/4884-2237-0x0000000000980000-0x00000000009AE000-memory.dmp

memory/4884-2238-0x0000000002C30000-0x0000000002C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWL83t64.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

memory/4884-2242-0x00000000058F0000-0x0000000005F08000-memory.dmp

memory/4884-2245-0x00000000053E0000-0x00000000054EA000-memory.dmp

memory/4884-2246-0x0000000005300000-0x0000000005312000-memory.dmp

memory/4884-2247-0x0000000005360000-0x000000000539C000-memory.dmp

memory/4884-2256-0x00000000054F0000-0x000000000553C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft769799.exe

MD5 4180a91e71794df60824e4024ce0dedb
SHA1 92a513453dabe31bf1a35b3431dc79e9da306823
SHA256 43c6526b45dc2c9db60681975050b35b2e80a01606ad9e3dcdfee71a8cfe2bcf
SHA512 b8a10052710cb5cabeb5dc0f262146246fa4baa7ff5ddda7f130b632dfc25420d3f12bba4177f2d80581c872d4c9c70ebbcd250f66446041214f34a11b0735af

memory/5224-2260-0x0000000000360000-0x000000000038E000-memory.dmp

memory/5224-2261-0x00000000009E0000-0x00000000009E6000-memory.dmp