Malware Analysis Report

2025-01-23 06:04

Sample ID 241108-nt2qja1hll
Target 86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937
SHA256 86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937
Tags
amadey healer redline 47f88f lada maxi discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937

Threat Level: Known bad

The file 86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 47f88f lada maxi discovery dropper evasion infostealer persistence trojan

RedLine payload

Amadey

RedLine

Amadey family

Healer family

Detects Healer, an antivirus disabler dropper

Healer

Redline family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 11:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 11:42

Reported

2024-11-08 11:44

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft408016.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3880 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe
PID 3880 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe
PID 3880 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe
PID 4376 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe
PID 4376 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe
PID 4376 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe
PID 4012 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe
PID 4012 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe
PID 4012 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe
PID 756 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe
PID 756 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe
PID 756 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe
PID 2264 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe
PID 2264 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe
PID 2264 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe
PID 2264 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe
PID 2264 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe
PID 756 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe
PID 756 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe
PID 756 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe
PID 1568 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe | C:\Windows\Temp\1.exe
PID 1568 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe | C:\Windows\Temp\1.exe
PID 1568 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe | C:\Windows\Temp\1.exe
PID 4012 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe
PID 4012 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe
PID 4012 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe
PID 2312 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 2312 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 2312 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe | C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 4376 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft408016.exe
PID 4376 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft408016.exe
PID 4376 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft408016.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937.exe

"C:\Users\Admin\AppData\Local\Temp\86eb3ab9f0ac317fec0fbedbfd9ad86d247fa452d4d176e3689be6d93c4c1937.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4500 -ip 4500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1568 -ip 1568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1440

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft408016.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft408016.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
RU | 185.161.248.90:4125 | N/A | tcp
RU | 193.201.9.43:80 | N/A | tcp
RU | 185.161.248.90:4125 | N/A | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
RU | 185.161.248.90:4125 | N/A | tcp
RU | 185.161.248.90:4125 | N/A | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 193.201.9.43:80 | N/A | tcp
RU | 185.161.248.90:4125 | N/A | tcp
RU | 185.161.248.90:4125 | N/A | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
RU | 193.201.9.43:80 | N/A | tcp
RU | 185.161.248.90:4125 | N/A | tcp
RU | 185.161.248.90:4125 | N/A | tcp
RU | 193.201.9.43:80 | N/A | tcp
RU | 185.161.248.90:4125 | N/A | tcp
RU | 185.161.248.90:4125 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki459079.exe

MD5 e3e8620116944e50819d5df5f4de3e58
SHA1 5aa9957c14f9eb9fb12a2ffef1dacab860d7d23e
SHA256 eb99631495d56b9693c9bd2572203132cf45d7d61853cfc06f17a9b0ed260fb8
SHA512 1100f237b39089ef67963b0f789b287e54e9f1fd108c594fa33ed93a4fcd3393fc16c54648d36c4e8cc778b63f5ce9133e15c21e4ff55cac45e1ff437c8fa14d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki144989.exe

MD5 4266ba3dad89dbf09c341deb69496792
SHA1 551ab92e43021fefff29419e6c699774cb85bea1
SHA256 1ae1620187220e09b6065176b45d56d1f3f7a4009e386e30b73a63c7a1806820
SHA512 20d9b64ecd15d9eea22825c22a98f39a6d7d34d5c5a56d0ac80a070281a50893f7b1c31ac97e63ac95e7b02c30013c96459840e5d94cbe82f3f1c783f4479f56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki879284.exe

MD5 9614ad544b5213f8c77059fe161a13de
SHA1 6860a14ee4cc3dd73482bd003c5cdf36bef700f9
SHA256 34b300d469566709af31818bdae928b6d0374762dc02a44a579e7461f55a0072
SHA512 a62262697a2548a108824308151471c05357c5fd3fbcf39ad10373989d813778da9a4d654f4b66961cc50d380b00bab13b9a7523e7b30c1f89af8db966fc38ed

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki898655.exe

MD5 a3693d2b4671e687dc3db6784d7fcc1d
SHA1 3ad35e79ffecbab0362b8a3861b4f513aff7f1a0
SHA256 a6f73f719a87944a32f75e77ea520ffbc65bdd404ba55a316d0a5c268337d8da
SHA512 76f4acaa7be1051e5a8cc993123f76f97eab7fd7431caf50e6e61db2dc0874d46e235f2f5ae47d4bccf36c4d3268672067182411ca6c291bd84aacaef3b5c611

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az068654.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1436-35-0x0000000000C00000-0x0000000000C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu738733.exe

MD5 b0a0be45e55cf403b0498906433ddb4f
SHA1 0faae6279e1b34f6f6969044cd2fbb091d3bec89
SHA256 0f9a3593a2fdb8ec535510b1a76a655d9c922100688d2f3467dc427af64caf43
SHA512 c3c9d4c90fcecf9ff043e01cff4220bd7d6e0a49c127f02684d93c1194101de3096799ee8b03ca0553a72197bc84a0640a07abc054be71ddb0bd96b3ac651ef6

memory/4500-41-0x0000000002570000-0x000000000258A000-memory.dmp

memory/4500-42-0x0000000004B30000-0x00000000050D4000-memory.dmp

memory/4500-43-0x0000000004A40000-0x0000000004A58000-memory.dmp

memory/4500-44-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-51-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-71-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-69-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-67-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-65-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-63-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-61-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-59-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-57-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-55-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-53-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-49-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-47-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-45-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4500-73-0x0000000000400000-0x00000000004AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9317.exe

MD5 4bc2d697645382b5f6edef9c3bc5e7ba
SHA1 b240c237ba2ec61dd6cdbf3a70d28bd4f4eac2d5
SHA256 2f8e34a81924db1c38c56143bfdc45c5eb3c4c15c12ea56ce0ab698801c2c439
SHA512 082ff3e795bac9cb44be37746abe0eac969be270fc3fcd4c86dcb333513418ba51e2d37bfd567014c1881553672585977b8dd5bb62512d3745c5841484eacc4d

memory/1568-79-0x0000000004B70000-0x0000000004BD8000-memory.dmp

memory/1568-80-0x0000000004BF0000-0x0000000004C56000-memory.dmp

memory/1568-108-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-114-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-112-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-110-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-106-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-105-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-102-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-100-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-98-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-96-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-94-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-92-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-88-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-86-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-84-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-83-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-90-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-81-0x0000000004BF0000-0x0000000004C50000-memory.dmp

memory/1568-2223-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/3004-2236-0x0000000000AF0000-0x0000000000B1E000-memory.dmp

memory/3004-2237-0x0000000001230000-0x0000000001236000-memory.dmp

memory/3004-2238-0x0000000005A70000-0x0000000006088000-memory.dmp

memory/3004-2239-0x0000000005560000-0x000000000566A000-memory.dmp

memory/3004-2240-0x0000000005470000-0x0000000005482000-memory.dmp

memory/3004-2241-0x00000000054D0000-0x000000000550C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpo50s75.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

memory/3004-2246-0x0000000005670000-0x00000000056BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft408016.exe

MD5 f3f0110dd728ebd7a2e20609f3b7ff33
SHA1 9e846ddfc4e53793c77a8b74395ed1c1c73da027
SHA256 f7dbb53256eb8a1896925f31a12ef486afea188abd1ff3b67ae7325e5e756751
SHA512 81da25c6e399a6f312473b567541a72cb9a7907dec4a572af2e3b44fe8ff37465a06652b8cf903e152518f518b16a5055c598f34dd96306aa1b620d0b0a0bc4f

memory/3180-2259-0x0000000000030000-0x0000000000060000-memory.dmp

memory/3180-2260-0x0000000004850000-0x0000000004856000-memory.dmp