Malware Analysis Report

2025-01-23 06:04

Sample ID 241108-lsq7aszhjd
Target 26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546
SHA256 26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546
Tags
amadey healer redline 47f88f lada masi discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546

Threat Level: Known bad

The file 26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 47f88f lada masi discovery dropper evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

Healer

Amadey family

Amadey

Detects Healer an antivirus disabler dropper

Healer family

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 09:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 09:48

Reported

2024-11-08 09:50

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft020260.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3280 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe
PID 3280 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe
PID 3280 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe
PID 2248 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe
PID 2248 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe
PID 2248 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe
PID 2876 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe
PID 2876 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe
PID 2876 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe
PID 1160 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe
PID 1160 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe
PID 1160 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe
PID 4912 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe
PID 4912 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe
PID 4912 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe
PID 4912 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe
PID 4912 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe
PID 1160 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe
PID 1160 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe
PID 1160 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe
PID 896 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe C:\Windows\Temp\1.exe
PID 896 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe C:\Windows\Temp\1.exe
PID 896 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe C:\Windows\Temp\1.exe
PID 2876 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe
PID 2876 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe
PID 2876 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe
PID 3492 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 3492 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 3492 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 2248 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft020260.exe
PID 2248 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft020260.exe
PID 2248 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft020260.exe
PID 5020 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5020 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5020 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546.exe

"C:\Users\Admin\AppData\Local\Temp\26c2c89f7deedcae2c6b4739a9a0c8036a9b7643d2451c8996d66de22a27f546.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4244 -ip 4244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 988

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 896 -ip 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1380

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft020260.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft020260.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp
RU 193.201.9.43:80 tcp
RU 185.161.248.90:4125 tcp
RU 185.161.248.90:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki409523.exe

MD5 f047bbc5565fa795e4baa19c555fe1b9
SHA1 92972fc0ffe5bd956eae81e7004a6818db4f27e9
SHA256 750e47be02250510f7997437c0857039261c0598d5f6b14c85a3ace9bdf1aa17
SHA512 8b99a794f9081646718a5dbb1b8e6ee86d4bf5710c6334a6d2928bddbb4c470d2810024d1cf20b5f7f84246848faae3966694e3428a211cd383ca7c6c8912dea

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki607343.exe

MD5 2060ca6f34a020121a9ebce9e14ab039
SHA1 701b436b52a16cc2d0e69afdde28957ef38c5938
SHA256 cd4a7e6e4a498f8b6f0b0fb0ba2cc3e49bb0dd5d978da40553b770ae0396106b
SHA512 fd6100ce741a2bc787daf7b5644aab37d93a4de1e3372f5a5dc20fee143173619fb4032da69c08757c7eee8c48521f79b14d1a4eb1e5447f926d372b1eb2284a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki809612.exe

MD5 6a1f2a1b02940eaef9dc110ab478e2c6
SHA1 1928b9e04d0476bbc9cf16f22ed7440cf1efd11f
SHA256 e432d8d7034c378143c6d94eea6556496871adc707546a8aa9f54050b5f1e7bb
SHA512 7bd4282ae6145b562d0b8a03bb18d3b7bc1ace9ab5f2ac3fb358fc9db6b71180f0c0c7570407bcbceba9a6ec08323367e34bcb43df1cdfa0da0ca679bd890599

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki932617.exe

MD5 70e6251a8e18ad397463b1b74c4690c3
SHA1 a277abd36e1f4a11123ebadf2c95b3812dd6000d
SHA256 62b8d59a9bc9e6948dda7846d43e6ebc2a03d69720dc2abfdedc5ab5bd082fb9
SHA512 a947bb0e3609c8ad589bbae282aba2d4e40cd3757485e9a0e5b9028d946b930e8ae387a56de452c3113f90ef29db7fde21757732adbc5d032f3bf73c886e3a8a

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az736005.exe

MD5 ec91863599d430ad5850b59af117f9d4
SHA1 d0ffb97ea2c5d3fad45e15a4a3055cace7e5d286
SHA256 f84d980ad769a059b0b1c21114add09e2bc344f277f69b9be8dedc9e2d6cfd8e
SHA512 24037d0cd0973d36371ea032ea26c44e2a12249e78b335872f76da5d7b4ec647ac1279d32e116c5ffcd4b38c8db2b3d0196918e3d128ed50bcb3de76a7aaf9fe

memory/3628-35-0x0000000000760000-0x000000000076A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu949982.exe

MD5 dc83cf3a60c3f6081bb0df1275bea278
SHA1 6d7e4fc8fa2d0e3b56cab80b697cb094e37e7093
SHA256 eefd2b02bcf479e15f3da8734918a5760b0b9875559cda4934c74c065e9cadf3
SHA512 743519a07091b00289395a0b3a30a789e2a8fedbc1614be25c76286e94a1c24a0f794c688dd023eb530c47bc1b92ea4671f23a7095c961903df358f46b29addc

memory/4244-41-0x0000000002570000-0x000000000258A000-memory.dmp

memory/4244-42-0x0000000004C80000-0x0000000005224000-memory.dmp

memory/4244-43-0x0000000002710000-0x0000000002728000-memory.dmp

memory/4244-45-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-53-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-51-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-49-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-47-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-44-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-71-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-69-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-67-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-65-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-63-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-61-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-59-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-57-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-55-0x0000000002710000-0x0000000002722000-memory.dmp

memory/4244-73-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co952061.exe

MD5 e89b4224b8d42544d657d05454856c2f
SHA1 9ed328e63adc781be5d0544c43d8586c6cb22b02
SHA256 c93de0eed6366b1d85d7c457ff5cf7a2cbc28bda14fc7fb61c84f9701b1c4641
SHA512 d6629a7a2bc1dad2ff462db0f2ceb0354da190c313208e1c08872515dffac91e49a4c3be4649f8e4fc0176840e3c883e4f476756e2bd87a10fd7be5e4c85284a

memory/896-79-0x0000000002340000-0x00000000023A8000-memory.dmp

memory/896-80-0x0000000004C20000-0x0000000004C86000-memory.dmp

memory/896-82-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-88-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-114-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-112-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-110-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-108-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-106-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-104-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-102-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-98-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-96-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-94-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-92-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-90-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-86-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-84-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-100-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-81-0x0000000004C20000-0x0000000004C80000-memory.dmp

memory/896-2223-0x0000000005410000-0x0000000005442000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/2768-2236-0x0000000000170000-0x000000000019E000-memory.dmp

memory/2768-2237-0x0000000000840000-0x0000000000846000-memory.dmp

memory/2768-2238-0x0000000005100000-0x0000000005718000-memory.dmp

memory/2768-2239-0x0000000004BF0000-0x0000000004CFA000-memory.dmp

memory/2768-2240-0x0000000004B00000-0x0000000004B12000-memory.dmp

memory/2768-2241-0x0000000004B60000-0x0000000004B9C000-memory.dmp

memory/2768-2242-0x0000000004BA0000-0x0000000004BEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dIf24t21.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft020260.exe

MD5 931c428378fa037b1609447929e457f3
SHA1 1cc6ac87614253a7c3215a357e7a9e3b6f34c1ec
SHA256 3614831a1c8c6dbd0be5c8ee0018fd5a3b6deb8f74e313a676cd8a6390bd4192
SHA512 3f1ab4b551dc1716d7a2420dd47f99ea4056a011d99ba10767a6f58d829d723a61fc68dec29359343d7aec52778b4175bcfdf305cedd72ed9c401821e62a9b50

memory/2580-2260-0x0000000000250000-0x000000000027E000-memory.dmp

memory/2580-2261-0x0000000002620000-0x0000000002626000-memory.dmp