Malware Analysis Report

2025-08-11 06:40

Sample ID 241109-eb9trazkdn
Target 32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2N
SHA256 32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2

Threat Level: Known bad

The file 32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2N was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine payload

RedLine

Healer

Detects Healer an antivirus disabler dropper

Amadey

Amadey family

Healer family

Redline family

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:47

Reported

2024-11-09 03:49

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2N.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f96870762.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19512101.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d28170587.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19512101.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d28170587.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe
PID 4272 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe
PID 4272 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe
PID 5048 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe
PID 5048 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe
PID 5048 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe
PID 1956 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe
PID 1956 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe
PID 1956 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe
PID 1344 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe
PID 1344 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe
PID 1344 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe
PID 2940 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe
PID 2940 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe
PID 2940 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe
PID 2800 wrote to memory of 5300 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe C:\Windows\Temp\1.exe
PID 2800 wrote to memory of 5300 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe C:\Windows\Temp\1.exe
PID 2940 wrote to memory of 5412 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19512101.exe
PID 2940 wrote to memory of 5412 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19512101.exe
PID 2940 wrote to memory of 5412 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19512101.exe
PID 1344 wrote to memory of 5984 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe
PID 1344 wrote to memory of 5984 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe
PID 1344 wrote to memory of 5984 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe
PID 5984 wrote to memory of 5884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5984 wrote to memory of 5884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5984 wrote to memory of 5884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1956 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d28170587.exe
PID 1956 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d28170587.exe
PID 1956 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d28170587.exe
PID 5884 wrote to memory of 6328 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5884 wrote to memory of 6328 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5884 wrote to memory of 6328 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5884 wrote to memory of 6360 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5884 wrote to memory of 6360 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5884 wrote to memory of 6360 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6360 wrote to memory of 6180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6360 wrote to memory of 6180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6360 wrote to memory of 6180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6360 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 4864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 5516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6360 wrote to memory of 5516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6360 wrote to memory of 5516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6360 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6360 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f96870762.exe
PID 5048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f96870762.exe
PID 5048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f96870762.exe

Processes

C:\Users\Admin\AppData\Local\Temp\32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2N.exe

"C:\Users\Admin\AppData\Local\Temp\32c11fceac0ed60a88504fdf5098899c35ee5c72df942e2d7b71c44ef7e14db2N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19512101.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19512101.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5412 -ip 5412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 1260

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d28170587.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d28170587.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5352 -ip 5352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f96870762.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f96870762.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
US 8.8.8.8:53 67.208.201.84.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oJ163219.exe

MD5 dd11ae8a536756291a3194373c207abb
SHA1 8167d4170609eca9c65e5f162573c98b6862aebb
SHA256 11b4d2ec282a6f2355fb6c3e1dfa2cb39c643b426e15287a0a4808672b6a8e2e
SHA512 dde83e753103a8ee6469c3489ed0342a174501e744f6319f059a5cb79f197e089b05c0914865801b19f68e420599e64b04ea1a2fa00940334449358ec8639df7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb904508.exe

MD5 02f2ef6d96ab7a872b63b044976ac592
SHA1 21a4672deda2cb3e1ba11d95fc6fddce563190a6
SHA256 92a88705c3ef5dce2d2d326faf8c2740ae589129b963321f0b224a5047201754
SHA512 fcadab8b073697625b90faf72b8dbc1429a633f900d1bbf6163bce666b21a824c9143d9d09d567c8492643d112bef0205175b8746340426f012e008555bab5e3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sy879703.exe

MD5 6f0e9b0135575afd888a01903d00ca0a
SHA1 27177d558b049fb5b4b498834767678a946cea44
SHA256 6f8e18ba9647af101e14d4e5c2fe77b2b79fdc6fbc1abb870c3f20badce0a43a
SHA512 ed9d60d68951dbf1b23429ab6711e442cf5b618134d9f57e5bcc95a2b03a2416507a675676b597b7b89bc8e3d382a4b381e93cc635cc3be6ebe241ba5ce19179

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ck056856.exe

MD5 4b5b1b55f061df8c84522b2a9793e5c6
SHA1 4d891899afb4b49ab4ddb1ec174463947b7a1810
SHA256 74ffaedbf3a7e929a2ec5fb205df72b38e20e1744b7bb6b537f277c478ddc769
SHA512 deb64b5f6e498f45834730ce62f8bdb8f473a2779905632c83facea01ebd805568426d448fe7d43388677159cc3f056137424b9d583f9295db5fb08372304730

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21721075.exe

MD5 52acde2d86d4d43e762dbd5d09cf965e
SHA1 149344321a7c4d0bae36de08f25ccc59fd93b98b
SHA256 c74e0a3a72d04d6d7dc4aaf50e747096a8a04ae47316a9638dbc298e6a08e3b0
SHA512 f0b8676cf323761fa74f4b70c4fc25e4e0954dd12c92f70ffba6f0b044bc6e5d26d94a30a9cb57ad1789ac86d9a9c1f9848102a69719a0e6f63ce9b70a88f40d

memory/2800-35-0x0000000002480000-0x00000000024D8000-memory.dmp

memory/2800-36-0x00000000049C0000-0x0000000004F64000-memory.dmp

memory/2800-37-0x0000000004FB0000-0x0000000005006000-memory.dmp

memory/2800-95-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-101-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-99-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-97-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-93-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-91-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-89-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-87-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-85-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-83-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-81-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-77-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-75-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-73-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-71-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-69-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-67-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-65-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-63-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-59-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-55-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-53-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-49-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-47-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-45-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-43-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-42-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-39-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-79-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-61-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-57-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-51-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-38-0x0000000004FB0000-0x0000000005001000-memory.dmp

memory/2800-2166-0x00000000052F0000-0x00000000052FA000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19512101.exe

MD5 5a722dd32679f4c1ca815c10d2de0eca
SHA1 5a814ad014213c9cdd19e24d8af7c865fdea649d
SHA256 fef0f005cb263399ea575af1e0e3b8af7c8aa0ae99f427fa77003139c84695b9
SHA512 94129b6e350c92257dd43bad592801c134db44da64545c081a1622249358f4d39489086b808798e79fc9e96dbb2db8cc9a2b5c41dc90f94927d8592c3f010b32

memory/5300-2181-0x0000000000E70000-0x0000000000E7A000-memory.dmp

memory/5412-4312-0x0000000005750000-0x00000000057E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78787419.exe

MD5 1b467d6e9ac468ed8d820cccde804110
SHA1 538ea63f78cfc5b59677d4ea4ca9c5645dfc580b
SHA256 780e9447c82f9a576ba80e744d66df8b05e1bddafb462a31f761802e99dcd12c
SHA512 89c42f2852dabb9e7ea17348822ab32c6241c853fd4a6888e04b6130cf68b6f3a31c4624ded057b5be238adfe8bdfa375b40fc5db5c819d90b8ba9b031a2cac4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d28170587.exe

MD5 c33f74883c6313a9637a62555f2453d0
SHA1 1e7215cb8b62ce724e81244fc189caf557c22663
SHA256 7685525b32c9dcf8c88b3649de72a30636004a1e85bf29629c3d578182acde6d
SHA512 d68e2b85d7a3bb0112662974729c01f0ec7e1edbb93c652f5fc46c6c8d4582974792c516852ebf7767f7970718419d704edcc668c188cc0df704cf018753c48a

memory/5352-4332-0x0000000004FF0000-0x0000000005058000-memory.dmp

memory/5352-4333-0x0000000005690000-0x00000000056F6000-memory.dmp

memory/5352-6480-0x00000000058A0000-0x00000000058D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f96870762.exe

MD5 ae80aca261142d4967a9e861212d8399
SHA1 a46a85e6cc637e1c8cdee783e84efe1912c2eae1
SHA256 f03d6c4e3cbc9f81ca19fdc856aa3eb3473399ae680eb01db7fd460fc6fd4601
SHA512 23e6f9cd6f0d34f2cc80a34bb8066ce5e0f762b6e46fff6f89af10f6f35aca1a3c9e6ba0b9361b03fc2413b7071db1ffb719da048cbdf02367908474e1dbdf5d

memory/536-6486-0x0000000000970000-0x00000000009A0000-memory.dmp

memory/536-6487-0x0000000005250000-0x0000000005256000-memory.dmp

memory/536-6488-0x000000000ACB0000-0x000000000B2C8000-memory.dmp

memory/536-6489-0x000000000A7E0000-0x000000000A8EA000-memory.dmp

memory/536-6490-0x000000000A710000-0x000000000A722000-memory.dmp

memory/536-6491-0x000000000A770000-0x000000000A7AC000-memory.dmp

memory/536-6492-0x0000000004B10000-0x0000000004B5C000-memory.dmp