Malware Analysis Report

2025-01-23 06:04

Sample ID 241108-n8zjqasara
Target 5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be
SHA256 5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be
Tags
amadey healer redline 47f88f lada maxi discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be

Threat Level: Known bad

The file 5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 47f88f lada maxi discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

Amadey

Healer

RedLine payload

Redline family

Amadey family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 12:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 12:04

Reported

2024-11-08 12:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe | N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft164353.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2240 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe
PID 2240 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe
PID 2240 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe
PID 2244 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe
PID 2244 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe
PID 2244 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe
PID 3340 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe
PID 3340 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe
PID 3340 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe
PID 216 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe
PID 216 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe
PID 216 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe
PID 4032 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe
PID 4032 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe
PID 4032 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe
PID 4032 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe
PID 4032 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe
PID 216 wrote to memory of 4216 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe
PID 216 wrote to memory of 4216 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe
PID 216 wrote to memory of 4216 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe
PID 4216 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe | C:\Windows\Temp\1.exe
PID 4216 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe | C:\Windows\Temp\1.exe
PID 4216 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe | C:\Windows\Temp\1.exe
PID 3340 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe
PID 3340 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe
PID 3340 wrote to memory of 840 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe
PID 840 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 840 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 840 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 2244 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft164353.exe
PID 2244 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft164353.exe
PID 2244 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft164353.exe
PID 3908 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3908 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3908 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be.exe

"C:\Users\Admin\AppData\Local\Temp\5872f7357924a586622c9a2d63a802fc9539ee06b7e76186eb40b4c60ca3d6be.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4188 -ip 4188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1560

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft164353.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft164353.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 193.201.9.43:80 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 185.161.248.90:4125 | | tcp
RU | 193.201.9.43:80 | | tcp
US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki556486.exe

MD5 290804a826fd9e56678c77923a38df9f
SHA1 fcd33684f016dcfb08be1dc48d990a7136766d5d
SHA256 6cd12a37b3fbc48ee9cacb5a32000eb2e28f46c80fb4a61ce99afc8cc50802e6
SHA512 13f615f9fa08b4f817915f35626f4d95d663c5a8ee4624800aac0ab6836592d276044e8cea0d476342f095b573b6b731f6479fb5fc33f25d4be216a16fc22b69

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki048457.exe

MD5 c1c7efd0da891da58b4d7ceb8a48bad0
SHA1 d196590702bb875619dd8799dfeb6c4f9de4f0c5
SHA256 c5446865089b26651f90042a978deb4b795a6cf1e6e506cd225f0090e669d89d
SHA512 bfd615ecd746a3bce09e115cd667a0c09b3f0ae1fd6aeca0ab233367b9702f5cbdbfb1cd9f38cca2f0d4545362c15f53e2765e67b51f24f5c39758c5f741e320

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki236943.exe

MD5 14ea59d396ab981970a53abfac72a3af
SHA1 4ef6b03e1540ba52aaa05aec73e197baabceec8d
SHA256 06862c527d1fe7317b875aa61d3622b8baa11816ddf96e8e0685a36e0878fc61
SHA512 af261d0da392e8ec49b9650365f6d11fd3f08222b061e594195345d9c88133ee71037935e89a2719993977e95a697ce5c613d1438677410e89022c5a4502c672

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki577167.exe

MD5 caa2f9ad868712cd03710c71a61942da
SHA1 f910e975e8d9e6dcf5f10b7701496e08d807f276
SHA256 2ca55d7b1d90c194d701d948dac302bd8ef230b01fc53cbb1b886d9bcc026dd9
SHA512 93525a850a8a34ef992fc94c1f2eb74b41670984a3f17776dae0623eadbc7420e4d5c1ed44a1e90757fc315a23540990009808f80cb12711375214f8eb0c0452

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az292689.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1656-35-0x00000000008D0000-0x00000000008DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu013381.exe

MD5 b463dd386a7973efeffc09efc72fe5f9
SHA1 89839427e4ac9a8829ffc92f83b5a72515d67ce9
SHA256 0a4dbd786146aa7ffa6e2b3b20cc1b4cdf5c1feb33f7c3304f44620124c27c4d
SHA512 9db10205ec7661facfb24ba025ff1a7d97959ce39a7f7c6db7add3942c41581bfe941ab1feae84620e8c1ef03a8204db7d3506fd7d2890c58f0cd9bebef10c41

memory/4188-41-0x0000000002640000-0x000000000265A000-memory.dmp

memory/4188-42-0x0000000004E60000-0x0000000005404000-memory.dmp

memory/4188-43-0x0000000002740000-0x0000000002758000-memory.dmp

memory/4188-44-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-59-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-71-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-69-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-67-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-65-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-63-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-61-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-57-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-55-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-53-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-51-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-49-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-47-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-45-0x0000000002740000-0x0000000002752000-memory.dmp

memory/4188-72-0x0000000000400000-0x000000000080A000-memory.dmp

memory/4188-74-0x0000000000400000-0x000000000080A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co552927.exe

MD5 3edf822ef8715dbe8314e25f00e218ff
SHA1 80678681460ad9420042565ec4044aa67e970871
SHA256 f0c3b342b4bb8794876255023898a149b0127d199f28ea68a6c7036bbf7e770a
SHA512 80958c607c669fbc07cff64fec5c587218b7c0cccaec9763fa1cdfb6c6be356e0d99f5c3584ad7d766776aff297ce05f5c8c330b7db86378349a13d899c40b57

memory/4216-79-0x0000000002770000-0x00000000027D8000-memory.dmp

memory/4216-80-0x0000000002B60000-0x0000000002BC6000-memory.dmp

memory/4216-110-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-106-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-96-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-92-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-84-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-82-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-114-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-112-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-108-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-104-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-102-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-101-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-99-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-94-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-90-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-88-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-86-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-81-0x0000000002B60000-0x0000000002BC0000-memory.dmp

memory/4216-2223-0x00000000058A0000-0x00000000058D2000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/2828-2237-0x00000000005D0000-0x00000000005FE000-memory.dmp

memory/2828-2238-0x0000000004EF0000-0x0000000004EF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbr70t77.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

memory/2828-2243-0x0000000005580000-0x0000000005B98000-memory.dmp

memory/2828-2244-0x0000000005070000-0x000000000517A000-memory.dmp

memory/2828-2245-0x0000000004F60000-0x0000000004F72000-memory.dmp

memory/2828-2246-0x0000000004F80000-0x0000000004FBC000-memory.dmp

memory/2828-2250-0x0000000005000000-0x000000000504C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft164353.exe

MD5 f3f0110dd728ebd7a2e20609f3b7ff33
SHA1 9e846ddfc4e53793c77a8b74395ed1c1c73da027
SHA256 f7dbb53256eb8a1896925f31a12ef486afea188abd1ff3b67ae7325e5e756751
SHA512 81da25c6e399a6f312473b567541a72cb9a7907dec4a572af2e3b44fe8ff37465a06652b8cf903e152518f518b16a5055c598f34dd96306aa1b620d0b0a0bc4f

memory/4912-2261-0x0000000000B90000-0x0000000000BC0000-memory.dmp

memory/4912-2262-0x0000000002BF0000-0x0000000002BF6000-memory.dmp