Malware Analysis Report

2025-06-15 22:33

Sample ID 241109-xxqbcazkav
Target 527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe
SHA256 527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Threat Level: Known bad

The file 527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe was found to be: Known bad.

Malicious Activity Summary

Redline family

Amadey

RedLine payload

RedLine

Amadey family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Healer family

Healer

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:14

Reported

2024-11-09 19:16

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 occurrences, no details reported)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 occurrences, no details reported)

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\480893262.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\480893262.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2844 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Local\Temp\527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe
PID 2844 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Local\Temp\527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe
PID 2844 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Local\Temp\527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe
PID 3112 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe
PID 3112 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe
PID 3112 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe
PID 3304 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe
PID 3304 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe
PID 3304 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe
PID 2248 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe
PID 2248 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe
PID 2248 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe
PID 2248 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe
PID 2248 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe
PID 2248 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe
PID 3304 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe
PID 3304 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe
PID 3304 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe
PID 1760 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1760 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1760 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3112 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\480893262.exe
PID 3112 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\480893262.exe
PID 3112 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\480893262.exe
PID 2076 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2076 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2076 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2076 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 1512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 1512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 1512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 1628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 1628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 1628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 1920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 1920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 1920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 3228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 3228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 3228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4892 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe.exe

"C:\Users\Admin\AppData\Local\Temp\527c2858f891102ffde752e81478a98873d20c019d85a7f220035112ba3d3fbe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4588 -ip 4588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 1076

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\480893262.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\480893262.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OI530521.exe

MD5 be8c27f946078dfe76f55fd542652a17
SHA1 f1f20cc94ee0b705e144821180bc371a5bb9aa55
SHA256 0741455c9385d886b526deb54e70dfa63698b21410de93fcc136de53fc4c7c64
SHA512 1e5525b3d65f2c18138913926f1c6d32e5fe963105806fe9d519e32f9be4ca142a5264081e3abb084ac13946f70daad8bf3da9dafbf50c520e584bcec688a4ce

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pK526318.exe

MD5 e93815908f74048fb8dc6654624febc0
SHA1 d9f9734822d21740aae52acfd17949206dcfa71a
SHA256 dd63eb2da70996894ba59321e7ff7735af2fee52c9f1cb4e3eafc896b359677b
SHA512 3c0c4bb3f0d368825d9012e48cfd563781b455ff22e901cc23537847916900314e161674b9f1bfcd7bb8b8629ac6bff6f4059f7315ba933d0f4dae9817653636

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NN388877.exe

MD5 9051ad35928fc126e4244006b7269be6
SHA1 93c8a4316c261cba6132d46f386a2e897c045c78
SHA256 989afd42e6885e1b3c632bd6075f08ce25c18e4766e3cfd8757607d5a011ed52
SHA512 ac603789a0f4e3d3d8ef176e99be2336a23488943dfe0961f45fb729aab0f07a78c4b8d233438636cbe21d79d5b6112fb03e9e77b79986d4193246a2de7aca07

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169128747.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/2180-28-0x00000000024A0000-0x00000000024BA000-memory.dmp

memory/2180-29-0x0000000004B40000-0x00000000050E4000-memory.dmp

memory/2180-30-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

memory/2180-34-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-58-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-56-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-54-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-52-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-50-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-48-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-46-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-44-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-42-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-40-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-38-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-36-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-32-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/2180-31-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\240391504.exe

MD5 cffc5c57359ebe7d8de6e8dd4d1d0d18
SHA1 c712397d76308a645e9fba5e34f0967858a44b1c
SHA256 2d10203702e811c25cb05cca7952ed932c65a5af62951f92deb6704450d65d6c
SHA512 ac91185a9316b0c750b2327bcc9f47657abecd5aea2edee7acb99144a4a965a9035559ea6f21f4bd718c3d729802a1cfda7611866a2d4754b088fdb9de9ebef6

memory/4588-93-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\370385170.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\480893262.exe

MD5 3cc833b875ca4fba54da3be3411d5dce
SHA1 251810e2b24b6f5df13a9561c520f9b6dcaa5ac3
SHA256 721b684fe65d2c2ed3f75fd0547cef4e34c0d087a82b9de04109b1e9ee913980
SHA512 64d31b4b89348ecb89e4f7340c82f89a0cbee5d10a3be234cb0fe2f9a20138f3282ca08a87c8e86b3c79c3152099115fdda631b84e2b3406cebe1d48d6dcd429

memory/1428-112-0x0000000002550000-0x000000000258C000-memory.dmp

memory/1428-113-0x0000000002600000-0x000000000263A000-memory.dmp

memory/1428-117-0x0000000002600000-0x0000000002635000-memory.dmp

memory/1428-115-0x0000000002600000-0x0000000002635000-memory.dmp

memory/1428-114-0x0000000002600000-0x0000000002635000-memory.dmp

memory/1428-119-0x0000000002600000-0x0000000002635000-memory.dmp

memory/1428-906-0x0000000007530000-0x0000000007B48000-memory.dmp

memory/1428-907-0x0000000007BF0000-0x0000000007C02000-memory.dmp

memory/1428-908-0x0000000007C10000-0x0000000007D1A000-memory.dmp

memory/1428-909-0x0000000007D30000-0x0000000007D6C000-memory.dmp

memory/1428-910-0x0000000002480000-0x00000000024CC000-memory.dmp