Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-egtdyszlbq
Target ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee
SHA256 ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee

Threat Level: Known bad

The file ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey family

Healer

RedLine payload

RedLine

Amadey

Redline family

Detects Healer an antivirus disabler dropper

Healer family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:55

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:55

Reported

2024-11-09 03:57

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
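Read together with the Real-Time Protection table above, the two IXP003 executables write the same six Defender values each: five Real-Time Protection policy values set to 1 and TamperProtection set to 0. The writes land under WOW6432Node because the droppers are 32-bit (the SysWOW64 child processes later in the report confirm this). Whether this actually disables Defender depends on the host: when Tamper Protection is enforced, Defender is designed to ignore these policy values, so the sandbox result should be read as intent, and as a hunting pattern, rather than as proof that protection was off. The script below is an added example, not part of the report or of any tool it names: it parses rows in the report's "Description Indicator Process Target" layout, flags Defender-disabling writes, and groups them per process. The ATT&CK mapping to T1562.001 and the extra DisableAntiSpyware/DisableAntiVirus rule (values not seen in this report) are my additions.

```python
"""Added example: flag Windows Defender tampering in sandbox registry rows."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the 14 rows from the two Defender tables in this report.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
"""

# One row: operation, registry path (may contain spaces), optional value, process, "N/A" target.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<process>\S+) N/A$'
)

# Key suffixes compared case-insensitively, so the WOW6432Node and native views both match.
RTP_POLICY = r"\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"\microsoft\windows defender\features"
DEFENDER_POLICY = r"\policies\microsoft\windows defender"  # assumption: generalisation, not in this report


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    name: str
    value: str
    technique: str = "T1562.001"  # ATT&CK: Impair Defenses, Disable or Modify Tools (my mapping)


def parse_rows(text):
    """Yield (op, key, value_name, value, process) tuples; rows that do not parse are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        if m.group("op") == "Key created":
            yield "create", path, None, None, m.group("process")
        else:
            key, _, name = path.rpartition("\\")
            yield "set", key, name, m.group("value"), m.group("process")


def is_defender_tamper(key, name, value):
    """True for writes that switch off a Defender component or its tamper guard."""
    k, n = key.lower(), name.lower()
    if k.endswith(RTP_POLICY) and n.startswith("disable") and value == "1":
        return True
    if k.endswith(FEATURES_KEY) and n == "tamperprotection" and value == "0":
        return True
    if k.endswith(DEFENDER_POLICY) and n in {"disableantispyware", "disableantivirus"} and value == "1":
        return True
    return False


def find_defender_tampering(text):
    return [Finding(proc, key, name, value)
            for op, key, name, value, proc in parse_rows(text)
            if op == "set" and is_defender_tamper(key, name, value)]


def by_process(findings):
    """Group the value names each process disabled, so the droppers can be compared side by side."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.process].add(f.name)
    return dict(grouped)


if __name__ == "__main__":
    for proc, names in by_process(find_defender_tampering(SAMPLE_ROWS)).items():
        print(f"{proc}\n  {', '.join(sorted(names))}")
```

Run against the rows above this yields twelve findings, six per dropper, identical value sets for 168602685.exe and 243464673.exe; the same rule set applies unchanged to a registry-event feed from an EDR, since only the row parser is report-specific.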

Adds Run key to start application

persistence
The four RunOnce values below are the self-extractor's own cleanup hooks: each wextract layer registers wextract_cleanupN so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXP00N.TMP extraction directory at the next logon. They show four nested self-extracting layers rather than persistence of the payload; the payload's persistence is the schtasks entry for oneetx.exe listed under Processes.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe
PID 3480 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe
PID 3480 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe
PID 3972 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe
PID 3972 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe
PID 3972 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe
PID 2556 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe
PID 2556 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe
PID 2556 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe
PID 3128 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe
PID 3128 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe
PID 3128 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe
PID 3128 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe
PID 3128 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe
PID 3128 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe
PID 2556 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe
PID 2556 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe
PID 2556 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe
PID 1344 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1344 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1344 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3972 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe
PID 3972 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe
PID 3972 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe
PID 4004 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4004 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4004 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4004 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2732 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe

"C:\Users\Admin\AppData\Local\Temp\ff89993416757600a3101735bdd43da863c7179a74859d347515e1293f4178ee.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3056 -ip 3056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
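The two command lines under oneetx.exe are the persistence and self-protection step of this chain: schtasks /Create /SC MINUTE /MO 1 re-launches the copy in the random-named cb7ae701b3 directory every minute (/F overwrites any task of the same name), and the cmd /k chain uses CACLS to strip the current user's rights on the file and its directory (Admin:N) and then add back read-only access (Admin:R /E), so the user can no longer modify or delete them. The further oneetx.exe launches listed after these commands are consistent with the task firing. The script below is an added example, not the report's or the malware's code: it triages both command lines the way a rule over process-creation telemetry (Sysmon Event ID 1 or Windows 4688 command lines) would, and reports the deny-then-read CACLS lockdown as a single pattern. The 300-second interval threshold and the list of user-writable paths are my assumptions.

```python
"""Added example: triage schtasks persistence and CACLS lockdown command lines."""
import re

# Constructed sample: the two command lines from the process list above.
SCHTASKS_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'
CMD_CMD = r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quoted strings stay whole; quotes removed afterwards
# Assumption: paths a standard user can write to; extend for your environment.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)
UNITS = {"MINUTE": 60, "HOURLY": 3600, "DAILY": 86400}
SHORT_INTERVAL_S = 300  # assumption: anything at or under five minutes is worth a look
# CACLS <target> /P <user>:<perm> [/E]; /P replaces the ACL, /E edits it instead
CACLS_RE = re.compile(
    r'^cacls\s+"?(?P<target>[^"\s]+)"?\s+/P\s+"?(?P<user>[^":]+):(?P<perm>[NRWCF])"?(?P<edit>\s+/E)?',
    re.IGNORECASE,
)


def tokens(cmd):
    return [t.strip('"') for t in TOKEN_RE.findall(cmd)]


def check_schtasks(cmd):
    """Return a finding dict for a schtasks /Create line, or None if it is not one."""
    t = tokens(cmd)
    if not t or not t[0].lower().endswith("schtasks.exe"):
        return None
    flags = {tok.upper() for tok in t if tok.startswith("/")}
    if "/CREATE" not in flags:
        return None
    opts = {}
    for i, tok in enumerate(t):  # switches that take a value: /SC MINUTE, /MO 1, /TN x, /TR y
        if tok.startswith("/") and i + 1 < len(t) and not t[i + 1].startswith("/"):
            opts[tok.upper()] = t[i + 1]
    mo = opts.get("/MO", "1")
    interval = UNITS.get(opts.get("/SC", "").upper(), 0) * (int(mo) if mo.isdigit() else 1)
    target = opts.get("/TR", "")
    reasons = []
    if 0 < interval <= SHORT_INTERVAL_S:
        reasons.append(f"re-runs every {interval}s")
    if USER_WRITABLE.search(target):
        reasons.append("task action lives in a user-writable path")
    if "/F" in flags:
        reasons.append("/F overwrites an existing task of the same name")
    return {"type": "scheduled_task", "task": opts.get("/TN"), "target": target,
            "interval_s": interval, "reasons": reasons}


def check_cacls(cmd):
    """Split a cmd.exe chain on && and | and report every CACLS permission change in order."""
    findings = []
    for segment in re.split(r"&&|\|", cmd):
        m = CACLS_RE.match(segment.strip())
        if m:
            findings.append({"type": "acl_change", "target": m["target"], "user": m["user"],
                             "perm": m["perm"].upper(), "edit": bool(m["edit"])})
    return findings


def lockdown_pattern(findings):
    """Targets that get user:N (replace ACL, deny everything) followed by user:R /E (add read back)."""
    state = {}
    for f in findings:
        if f["type"] != "acl_change":
            continue
        key = (f["target"], f["user"])
        if f["perm"] == "N" and not f["edit"]:
            state[key] = "denied"
        elif f["perm"] == "R" and f["edit"] and state.get(key) == "denied":
            state[key] = "locked"
    return sorted(target for (target, _), s in state.items() if s == "locked")


def triage(cmd):
    """All findings for one command line, in a shape a rule engine could consume."""
    task = check_schtasks(cmd)
    acl = check_cacls(cmd)
    out = ([task] if task else []) + acl
    for target in lockdown_pattern(acl):
        out.append({"type": "acl_lockdown", "target": target})
    return out


if __name__ == "__main__":
    for cmd in (SCHTASKS_CMD, CMD_CMD):
        for finding in triage(cmd):
            print(finding)
```

On a live host the same two facts can be confirmed directly: the task shows up in schtasks /Query /TN oneetx.exe /V, and the effective ACL on the dropped file and directory shows the user's entry reduced to read.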

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
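The table mixes two kinds of traffic: PTR (reverse-DNS) lookups sent to 8.8.8.8, which cannot be attributed to the sample from this table alone, and repeated direct-to-IP TCP connections to two endpoints in RU, 193.3.19.154:80 and 185.161.248.143:38452, the latter on a non-standard high port. No domain is resolved for either endpoint, so these IP:port pairs are the network indicators to take from the report; which family talks to which endpoint is not stated on the page. The script below is an added example, not report code: it parses the table, converts the in-addr.arpa names back to the addresses that were looked up, and counts the TCP endpoints so the candidate C2 list is separated from resolver noise.

```python
"""Added example: split candidate C2 endpoints from reverse-DNS noise in the network table."""
import re
from collections import Counter

# Constructed sample: the network table from this report, copied as printed.
SAMPLE_NETWORK = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
"""

# "CC ip:port [domain] proto"; the domain column is empty for the TCP rows.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.IGNORECASE)


def parse_network_rows(text):
    """Yield one dict per data row; the header and blank lines do not match."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def ptr_target(name):
    """Turn 133.211.185.52.in-addr.arpa back into 52.185.211.133; None for other names."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def summarize(text):
    """Return (Counter of (ip, port, proto, cc) for non-PTR traffic, set of addresses looked up via PTR)."""
    endpoints, looked_up = Counter(), set()
    for r in parse_network_rows(text):
        target = ptr_target(r["domain"]) if r["proto"] == "udp" and r["port"] == "53" else None
        if target:
            looked_up.add(target)  # reverse lookups: useful context, not an indicator by themselves
            continue
        endpoints[(r["ip"], int(r["port"]), r["proto"], r["cc"])] += 1
    return endpoints, looked_up


def candidate_c2(endpoints):
    """Direct-to-IP TCP endpoints with no DNS name in the capture, most contacted first."""
    return [f"{ip}:{port}/{proto} ({cc}) x{n}"
            for (ip, port, proto, cc), n in endpoints.most_common() if proto == "tcp"]


if __name__ == "__main__":
    eps, seen = summarize(SAMPLE_NETWORK)
    print("candidate C2:", *candidate_c2(eps), sep="\n  ")
    print("addresses reverse-resolved:", ", ".join(sorted(seen)))
```

The two TCP endpoints are what belongs in a blocklist or a network detection; the eleven reverse-resolved addresses are worth a glance in the PCAP (is anything actually connecting to them?) before being treated as indicators.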

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Av657546.exe

MD5 2b00e235acbb373db3983401fbb14b7d
SHA1 b5639bbfb2631461ec64e1ec8b449f49273c70b6
SHA256 5eb43bb9b9620694be3ea8819454a98fd04e4ee5e9dd69eda6c36c3f659b2475
SHA512 1a35b3843841f9e0092d4d5c76166f8ddd478b3fa39aa79dd44695675554846be4fd46a24d7686827f3425d0c952274b0b78f82054179f856baaaf6e5d0ec470

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qF794022.exe

MD5 d3067e5ceebb2770391ec066a9b771b1
SHA1 aa4047d6d0920db0fac7ddb0202ab9df2da54660
SHA256 d249eeb50b6a37e00ecb73a6579b4add315c89177de55008120b402d5e13f741
SHA512 26551a60d6530859610f5c8d3a5b2be6e18e7333f00749f60f1b281743b29051e2d6e960ab1cab56c32f1e28d467364a536a31d236511d1751e7cf300fbac522

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE113926.exe

MD5 9d15b42ee28573d800aae84e1ff644a7
SHA1 ec6345b3d26b957c094029b5f14558315bc40c42
SHA256 ec38afdde1c30cf94a2105090201ff908143cd27851d571fa68b31e9782d3389
SHA512 3ece2c397847d02385d3ad4eb96e0e13513e5b7cfbd99f13b77854218b3d4f82d6e88a724cd542ad4f8bc11aba45a1116ab598c7c0bc30e8342531121131c90b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\168602685.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

memory/2216-28-0x00000000021D0000-0x00000000021EA000-memory.dmp

memory/2216-29-0x0000000004C20000-0x00000000051C4000-memory.dmp

memory/2216-30-0x00000000023C0000-0x00000000023D8000-memory.dmp

memory/2216-44-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-58-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-56-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-54-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-52-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-50-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-48-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-46-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-42-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-40-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-38-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-34-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-31-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-36-0x00000000023C0000-0x00000000023D3000-memory.dmp

memory/2216-32-0x00000000023C0000-0x00000000023D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\243464673.exe

MD5 1afdceb2c35119d44aed2452d04c24fe
SHA1 87e9c8ad7c48dbc712b4b45619de3afa3949334e
SHA256 540ac0d593777ac27b9ef7e82b6d345315c17e31fac25dc08c91dece2edb5f41
SHA512 9678694355f89ba318893a115aff4e28a3f93f34cc16e675258a7605b6b5dc38a50d3a9a76fa040746d8fc08f66b274ad69101799284631d95bae3c038fbf3d1

memory/3056-92-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\321650139.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

memory/3056-94-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\475052364.exe

MD5 fc899291613a1ad0747199dda6f2857a
SHA1 7d456bc8b31b0b92a8471dd5b9297bbba9446450
SHA256 1ce52d5605bd9939fb425ccba8015149658d28d0772055df8fcc589b36f2c7e2
SHA512 aa586280c3fb9327620ab2d5b90dca6fc92c89a09dbf11c67fd49a6f4048594423b5a58816edee3bac327fc03eca446057d35ff74ccb5443eadfea786a45a0b9

memory/3256-112-0x0000000004BA0000-0x0000000004BDC000-memory.dmp

memory/3256-113-0x0000000007740000-0x000000000777A000-memory.dmp

memory/3256-114-0x0000000007740000-0x0000000007775000-memory.dmp

memory/3256-119-0x0000000007740000-0x0000000007775000-memory.dmp

memory/3256-117-0x0000000007740000-0x0000000007775000-memory.dmp

memory/3256-115-0x0000000007740000-0x0000000007775000-memory.dmp

memory/3256-906-0x0000000009C70000-0x000000000A288000-memory.dmp

memory/3256-907-0x000000000A330000-0x000000000A342000-memory.dmp

memory/3256-908-0x000000000A350000-0x000000000A45A000-memory.dmp

memory/3256-909-0x000000000A470000-0x000000000A4AC000-memory.dmp

memory/3256-910-0x00000000048C0000-0x000000000490C000-memory.dmp