Malware Analysis Report

2025-08-06 01:25

Sample ID 241109-gt3jhaykh1
Target fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a
SHA256 fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a

Threat Level: Known bad

The file fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

RedLine

Modifies Windows Defender Real-time Protection settings

Amadey

Healer

Healer family

Redline family

RedLine payload

Amadey family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 06:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 06:06

Reported

2024-11-09 06:09

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b21279656.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f04152706.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d35590366.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b21279656.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d35590366.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4736 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe
PID 4736 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe
PID 4736 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe
PID 1256 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe
PID 1256 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe
PID 1256 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe
PID 3980 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe
PID 3980 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe
PID 3980 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe
PID 4300 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe
PID 4300 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe
PID 4300 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe
PID 4312 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe
PID 4312 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe
PID 4312 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe
PID 1488 wrote to memory of 5472 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe C:\Windows\Temp\1.exe
PID 1488 wrote to memory of 5472 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe C:\Windows\Temp\1.exe
PID 4312 wrote to memory of 5680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b21279656.exe
PID 4312 wrote to memory of 5680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b21279656.exe
PID 4312 wrote to memory of 5680 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b21279656.exe
PID 4300 wrote to memory of 5308 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe
PID 4300 wrote to memory of 5308 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe
PID 4300 wrote to memory of 5308 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe
PID 5308 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5308 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5308 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3980 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d35590366.exe
PID 3980 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d35590366.exe
PID 3980 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d35590366.exe
PID 3148 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3148 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3148 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3148 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3148 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3148 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 6716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 6716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 6716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 7048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 7048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 7048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 4160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4560 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1256 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f04152706.exe
PID 1256 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f04152706.exe
PID 1256 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f04152706.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a.exe

"C:\Users\Admin\AppData\Local\Temp\fa0538138ae47aed4ddb4ed587f873ae6a0325655707fea80a9a2a1247ea7b8a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b21279656.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b21279656.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5680 -ip 5680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 1260

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d35590366.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d35590366.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 368 -ip 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f04152706.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f04152706.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NR754039.exe

MD5 70af0bfc05f34c08c00d34a8eb3e8059
SHA1 4b0cb0fc6bbfa447d5b9397f0624fa7908db3ba7
SHA256 57fe448776da62e24e92a98c1c985fbe57ffc3f19a4ca2eaa1c9a8f6c9193208
SHA512 31fdde530ac7fb8f5731d6ab4071f79817ba149f004d112c05b943136e577629af8f36828f7dfffee19bf5ba4ae6131b992f773c1121378979ba4f3156756e90

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zf530855.exe

MD5 6ee39cb70b1f12ef8227d3acbfb099a8
SHA1 52f6baface32c78aec211e46083b430a0ad9ac0b
SHA256 95a5eba98fbd2eace63aec464e0e19f470d16687f256556330273f880cc627ca
SHA512 c7bf246ecdda77c908f41d9371529ad560a5b17727d4e83bd83b3e4ded694511b5ade86f127e089fa558e0a4e25b19620774c1a45d0727a1242903bc454afd8a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rJ203202.exe

MD5 fc76f0680b8c7803e84e39a7de29ba4f
SHA1 133b955667414fdb24c6f13b205171a9567644c4
SHA256 ff0a6c18a67609fa9b1041c0b71954edf411104675fd0844f978a5330dc699db
SHA512 bc410ec095c72169ee796d02e328639643ca2fd28a5deb39a19faccc725d12a880727d1a365bacb36038f14fcd3548b6bd944da853a6df908bbbe6bd3190fb9d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zL888612.exe

MD5 2f0c327a8e014fad520e6194ae0ad49e
SHA1 b497666b7ae6fbf7492ca2c7a13551fc1df6b6c4
SHA256 9152a3f943f27d834489359f45f912b81cf74eb5f0b54288a38d117dcd5cc72c
SHA512 f79a1981a63342c1b216b5d908405fe26b7f6ede0241ba9b870d9094724a1c3d039b48aee8bd977d76b114e7c267a702e699cd59ad79cc8eedfc83909f5bf70b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a76937131.exe

MD5 1fbcc3d4f60d42aa4d28f74411f65f3c
SHA1 861530fd635b145ee6aab83396cef9d469d34172
SHA256 d6cae518c6952355b018626f377c7ef50e72fa9cc1dc4bcdc7108e284ea3ebea
SHA512 21493decf0fca589846c0bac8cdb1ea8c2350c6c20d697e673635a26aeaf698a13ce2919fa68a97e25325e8f32c917e3b6ba1203287fda1383755c2c201fd60b

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b21279656.exe

MD5 e04819c27255e1fa888fa4558ee359cc
SHA1 60f174670db0f7d117bdabcf2945ecad29706a9f
SHA256 0188eb711e772165c233a1d02a003e8aa2b8b90e3c325e94f7f826fa5e0a27cc
SHA512 9d7d921e6710241c4adb4e4509ac7f22507e0216c91d58dadc74af2df74ae6f917cf5530ec23ffaf3e032066adc1a2f7773edeac57d553bcd38942d3d2eb5482

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c77542637.exe

MD5 57a60b29f42e6550b5cf9be5587fb905
SHA1 a5ce59f84fb919bcefe3a5fbb7fad897014293c1
SHA256 2024693c603e10f36ae62f244a8df2590ce743cb0a3684e7a6f640971b387ee8
SHA512 1090671e51bd0282e8bb632e9aaef57d28885fd989da9472613c416473f2bd891ca73bcb3c97b555916efeb0f9f324ce70192e0c57803f4f771df01e04baf862

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d35590366.exe

MD5 82a310e2356012b3b220048e26c2382d
SHA1 b2de18704376c38c203d6e75e0cb082d73a7bde3
SHA256 5d89b624d470d836e6e3d4923aad1ac4477200e4c09d233cd0de27f40b5141b8
SHA512 e98d6eb22da60f8778e5e444657942194300c0600a0e283641d001d4ca0420ed9ca92600067aca6c27428aed6fe68697537d5e5fa7e03d23aeb29a9c72917f72

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f04152706.exe

MD5 599c12324eb7d2819d168157faa0f0ee
SHA1 bea19e1f4c44d4197647fa68e153f31de52c1e61
SHA256 56d344599f497cb825342dadac93679cb841de0924ae7a80610b6e34000ea064
SHA512 0b4a323b123a1d4ebd970c82fc2e420041cca6b2c3c0fa3b057dfbf710de6a24c18e5593273ee356f00995b78c1e662671a0dad303451af7a5402b8c423196de