Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fpy5vayblk
Target 1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8
SHA256 1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8

Threat Level: Known bad

The file 1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Redline family

Detects Healer an antivirus disabler dropper

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Amadey

RedLine payload

Amadey family

RedLine

Executes dropped EXE

Windows security modification

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:03

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:03

Reported

2024-11-09 05:06

Platform

win7-20240903-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe
PID 2528 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe
PID 3028 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe
PID 2968 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe
PID 2968 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe
PID 2500 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3028 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe
PID 2728 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2728 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe

"C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {03E602F0-9F9A-4CD7-8C27-19F03AD681F2} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
RU 185.161.248.142:38452 tcp
RU 193.3.19.154:80 tcp

Files

memory/2212-0-0x0000000002D10000-0x0000000002E19000-memory.dmp

memory/2212-1-0x0000000002D10000-0x0000000002E19000-memory.dmp

memory/2212-2-0x00000000045B0000-0x00000000046C2000-memory.dmp

memory/2212-3-0x0000000000400000-0x0000000000516000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe

MD5 64d18c9c8a3aa979fed8dad660b471db
SHA1 441b06acb48582314ef0362a67e0f91666e9c2c7
SHA256 15a24de616c6923f3a41639bf68add8ca0dba9400fa3032c6183e1001e9202b4
SHA512 5015704bb7944e42a99b434fb694dd4632878b1e291a2c955911c7ea6fc3b39b431b6c4a69a8644c72d22b2b7ca9237304a3f75f264e263694d1b1f433f5c6ac

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe

MD5 0146a00360dfca1b26fb4bda8388957a
SHA1 d7eb07b054774c33a5fbad90c0af343cc6d4073a
SHA256 a970b81d5a976949105ca4f53432719d8018763ab6f9ac388943fbe2dc4878a5
SHA512 6c1cbc1caaa920e0fa52661dce0c949a01fd41ffd40e5d56b8605198a3634a07aa7601dd1da3665e110fbed70e381269568cd76dbf23549823a0b2f2b39dc40b

\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe

MD5 baf8d0a246ea3cbb6705edaed4b04119
SHA1 63c354f0de064986d77db462f21e92999ea851ff
SHA256 906ab9aba66e50b109249c614418db88b42e79bd7acf5ed9b35439e8fd48c0b9
SHA512 c70625442a4dde9936b6304a647c8f1c0c9249dd9d7d378bd7ba092dc0713d6fd75fa04cf0114b46c69a79d3ae10c8cdafffb2656329c279e8b00c4a29e57e7c

\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/488-42-0x00000000001A0000-0x00000000001AA000-memory.dmp

memory/2212-43-0x0000000002D10000-0x0000000002E19000-memory.dmp

memory/2212-44-0x00000000045B0000-0x00000000046C2000-memory.dmp

memory/2212-46-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2212-45-0x0000000000400000-0x0000000002C9B000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe

MD5 498dd29067e16586fb7ddc0d5b4864c4
SHA1 200cb18439b05e9083ca9e7fceeee7be33570cef
SHA256 a81d9526f6a98494eb9239ad98ce1dbd95d8b75f0164102b117840ef43c81f15
SHA512 0bddb7580fe79ac08e0ad59ab51ed85d2d3c552585dff6f19c8b2fd2235c18eb318e1080ea988cfe0735d574f856d8afd303ec55af65bc556d699f1407656cb2

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 05:03

Reported

2024-11-09 05:06

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe
PID 64 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe
PID 3916 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe
PID 3476 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe
PID 3476 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe
PID 3560 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3916 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe
PID 1968 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4224 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4224 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4224 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe

"C:\Users\Admin\AppData\Local\Temp\1f475ec273650de8e8a745559fed16e3eeabdb8ff8ed2563bcb3a4746c8021e8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.142:38452 N/A tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/1488-1-0x0000000004A00000-0x0000000004B17000-memory.dmp

memory/1488-2-0x0000000004B80000-0x0000000004C92000-memory.dmp

memory/1488-3-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki292083.exe

MD5 64d18c9c8a3aa979fed8dad660b471db
SHA1 441b06acb48582314ef0362a67e0f91666e9c2c7
SHA256 15a24de616c6923f3a41639bf68add8ca0dba9400fa3032c6183e1001e9202b4
SHA512 5015704bb7944e42a99b434fb694dd4632878b1e291a2c955911c7ea6fc3b39b431b6c4a69a8644c72d22b2b7ca9237304a3f75f264e263694d1b1f433f5c6ac

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki388889.exe

MD5 0146a00360dfca1b26fb4bda8388957a
SHA1 d7eb07b054774c33a5fbad90c0af343cc6d4073a
SHA256 a970b81d5a976949105ca4f53432719d8018763ab6f9ac388943fbe2dc4878a5
SHA512 6c1cbc1caaa920e0fa52661dce0c949a01fd41ffd40e5d56b8605198a3634a07aa7601dd1da3665e110fbed70e381269568cd76dbf23549823a0b2f2b39dc40b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki680722.exe

MD5 baf8d0a246ea3cbb6705edaed4b04119
SHA1 63c354f0de064986d77db462f21e92999ea851ff
SHA256 906ab9aba66e50b109249c614418db88b42e79bd7acf5ed9b35439e8fd48c0b9
SHA512 c70625442a4dde9936b6304a647c8f1c0c9249dd9d7d378bd7ba092dc0713d6fd75fa04cf0114b46c69a79d3ae10c8cdafffb2656329c279e8b00c4a29e57e7c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az478957.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4524-32-0x0000000000980000-0x000000000098A000-memory.dmp

memory/1488-33-0x0000000004A00000-0x0000000004B17000-memory.dmp

memory/1488-35-0x0000000004B80000-0x0000000004C92000-memory.dmp

memory/1488-34-0x0000000000400000-0x0000000002C9B000-memory.dmp

memory/1488-36-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu783884.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf378659.exe

MD5 498dd29067e16586fb7ddc0d5b4864c4
SHA1 200cb18439b05e9083ca9e7fceeee7be33570cef
SHA256 a81d9526f6a98494eb9239ad98ce1dbd95d8b75f0164102b117840ef43c81f15
SHA512 0bddb7580fe79ac08e0ad59ab51ed85d2d3c552585dff6f19c8b2fd2235c18eb318e1080ea988cfe0735d574f856d8afd303ec55af65bc556d699f1407656cb2
