Malware Analysis Report

2025-08-11 06:41

Sample ID 241109-ebzzjszkcq
Target d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988
SHA256 d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988
Tags amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988

Threat Level: Known bad

The file d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine payload

Healer family

Amadey family

Healer

Redline family

RedLine

Amadey

Modifies Windows Defender Real-time Protection settings

Loads dropped DLL

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-09 03:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-09 03:46
Reported 2024-11-09 03:49
Platform win7-20241010-en
Max time kernel 146s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2448 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe
PID 2844 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe
PID 2752 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe
PID 2812 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe
PID 2812 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe
PID 2080 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2752 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe
PID 428 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 428 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe

"C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {440FC36F-B9C4-4F4E-BC27-85E02C523373} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp

Files

memory/2448-0-0x00000000044A0000-0x00000000045AA000-memory.dmp

memory/2448-1-0x00000000044A0000-0x00000000045AA000-memory.dmp

memory/2448-2-0x00000000045D0000-0x00000000046E3000-memory.dmp

memory/2448-3-0x0000000000400000-0x0000000000517000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

MD5 cec1ce5318555d73f57204ffa15da4f4
SHA1 8e7ecd5aa0e6b005fbea795900618e94b2880674
SHA256 5d5ffc47ae1d8ded67771c9d546a13793a0622cb98f5238d4069866f84a6f7bc
SHA512 2eb122871e256625688e9470d19518cb195ec233b018d0890a7d065403a3c5630ea9a049de48adfcb5d88cfb3f25b6674e1fc90191c48aea31194c616894ad26

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

MD5 4ae31f6e2fe3b5635820cc5936ce08c2
SHA1 78399a6911db1a73d83bb61df042a7b3b087e705
SHA256 7e8a5f1286d45a482013057e9aa18e9cfc1adc9237a32882683995241712d04b
SHA512 a5e376db14e26924139ce3dadcb1e3f8390f6e475948aca693f8d9936392134c4ebd8724950e0c46f9cb197fc2c0e4e8d0f286db892c990e099e0dd4f6f60091

\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

MD5 336f38a46355bec86647c050e5457b7f
SHA1 8b5c06095b8f340abe622b75df17715cdec1515f
SHA256 c2acc3656220a7b5c1c4c5009680d326f439daff81f5269d9a45c54a20867f7f
SHA512 b6772ca9bcc9bed3fe52d167a28d1ab803be9b3daeefdf325909c6edb9cc85837fb1ea2d95b8b123945e642f342a04b9b13ba264ae75e3f6f0bf7021444d8cc7

\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1824-42-0x0000000001100000-0x000000000110A000-memory.dmp

memory/2448-43-0x00000000044A0000-0x00000000045AA000-memory.dmp

memory/2448-45-0x00000000045D0000-0x00000000046E3000-memory.dmp

memory/2448-44-0x0000000000400000-0x0000000002C9C000-memory.dmp

memory/2448-46-0x0000000000400000-0x0000000000517000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

MD5 f8b49ca0965b0a1a4989039c682f5ad3
SHA1 66322c1d801a7c90c46a289521401e5c6fd758a5
SHA256 6b6a03c0cea0d5c524201918e24ed767f2345dbb82f83da75653a31dc4a99d73
SHA512 33abef8277003f8f27eb364c60d2cd8c78f3acf6402a3036cbfea055f354bc7cc4a8355bdd9ed8e330e983caf7be01d0e27f9cfe67201896e62f313617f57062


Analysis: behavioral2

Detonation Overview

Submitted 2024-11-09 03:46
Reported 2024-11-09 03:49
Platform win10v2004-20241007-en
Max time kernel 144s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe
PID 744 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe
PID 2896 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe
PID 856 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe
PID 856 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe
PID 2316 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2896 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe
PID 4908 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4908 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 3444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 3808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4168 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4168 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe

"C:\Users\Admin\AppData\Local\Temp\d7f0994343a10af33d3ffa6f0d3f1309b20956662ccac59533f6c475a2a17988.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.142:38452 tcp

Files

memory/3952-1-0x0000000004AF0000-0x0000000004BFC000-memory.dmp

memory/3952-2-0x0000000004C00000-0x0000000004D13000-memory.dmp

memory/3952-3-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki436607.exe

MD5 cec1ce5318555d73f57204ffa15da4f4
SHA1 8e7ecd5aa0e6b005fbea795900618e94b2880674
SHA256 5d5ffc47ae1d8ded67771c9d546a13793a0622cb98f5238d4069866f84a6f7bc
SHA512 2eb122871e256625688e9470d19518cb195ec233b018d0890a7d065403a3c5630ea9a049de48adfcb5d88cfb3f25b6674e1fc90191c48aea31194c616894ad26

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki586823.exe

MD5 4ae31f6e2fe3b5635820cc5936ce08c2
SHA1 78399a6911db1a73d83bb61df042a7b3b087e705
SHA256 7e8a5f1286d45a482013057e9aa18e9cfc1adc9237a32882683995241712d04b
SHA512 a5e376db14e26924139ce3dadcb1e3f8390f6e475948aca693f8d9936392134c4ebd8724950e0c46f9cb197fc2c0e4e8d0f286db892c990e099e0dd4f6f60091

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki970331.exe

MD5 336f38a46355bec86647c050e5457b7f
SHA1 8b5c06095b8f340abe622b75df17715cdec1515f
SHA256 c2acc3656220a7b5c1c4c5009680d326f439daff81f5269d9a45c54a20867f7f
SHA512 b6772ca9bcc9bed3fe52d167a28d1ab803be9b3daeefdf325909c6edb9cc85837fb1ea2d95b8b123945e642f342a04b9b13ba264ae75e3f6f0bf7021444d8cc7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az503960.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2400-32-0x00000000000C0000-0x00000000000CA000-memory.dmp

memory/3952-33-0x0000000004AF0000-0x0000000004BFC000-memory.dmp

memory/3952-35-0x0000000004C00000-0x0000000004D13000-memory.dmp

memory/3952-34-0x0000000000400000-0x0000000002C9C000-memory.dmp

memory/3952-36-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu062300.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf554524.exe

MD5 f8b49ca0965b0a1a4989039c682f5ad3
SHA1 66322c1d801a7c90c46a289521401e5c6fd758a5
SHA256 6b6a03c0cea0d5c524201918e24ed767f2345dbb82f83da75653a31dc4a99d73
SHA512 33abef8277003f8f27eb364c60d2cd8c78f3acf6402a3036cbfea055f354bc7cc4a8355bdd9ed8e330e983caf7be01d0e27f9cfe67201896e62f313617f57062

memory/4388-55-0x0000000004A10000-0x0000000004A4C000-memory.dmp

memory/4388-56-0x0000000007190000-0x0000000007734000-memory.dmp

memory/4388-57-0x0000000007780000-0x00000000077BA000-memory.dmp

memory/4388-59-0x0000000007780000-0x00000000077B5000-memory.dmp


memory/4388-852-0x0000000009D50000-0x0000000009E5A000-memory.dmp

memory/4388-851-0x0000000009D30000-0x0000000009D42000-memory.dmp

memory/4388-850-0x000000000A2B0000-0x000000000A8C8000-memory.dmp

memory/4388-853-0x0000000009E70000-0x0000000009EAC000-memory.dmp

memory/4388-854-0x0000000006CC0000-0x0000000006D0C000-memory.dmp