Malware Analysis Report

2025-06-15 22:33

Sample ID 241109-xzbkzazgrh
Target 63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fbaN
SHA256 63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fba
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fba

Threat Level: Known bad

The file 63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fbaN was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

RedLine

Amadey family

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

Amadey

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:17

Reported

2024-11-09 19:19

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fbaN.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fbaN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fbaN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b31150111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d31605503.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f99598195.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b31150111.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d31605503.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3780 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fbaN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe
PID 3780 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fbaN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe
PID 3780 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fbaN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe
PID 1056 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe
PID 1056 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe
PID 1056 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe
PID 4024 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe
PID 4024 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe
PID 4024 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe
PID 1268 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe
PID 1380 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe
PID 1380 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe
PID 1380 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe
PID 1236 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe C:\Windows\Temp\1.exe
PID 1236 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe C:\Windows\Temp\1.exe
PID 1380 wrote to memory of 5672 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b31150111.exe
PID 1380 wrote to memory of 5672 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b31150111.exe
PID 1380 wrote to memory of 5672 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b31150111.exe
PID 1268 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe
PID 1268 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe
PID 1268 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe
PID 1112 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1112 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1112 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4024 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d31605503.exe
PID 4024 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d31605503.exe
PID 4024 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d31605503.exe
PID 3724 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3724 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3724 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3724 wrote to memory of 5416 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3724 wrote to memory of 5416 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3724 wrote to memory of 5416 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5416 wrote to memory of 5580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5416 wrote to memory of 5580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5416 wrote to memory of 5580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5416 wrote to memory of 5804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 5804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 5804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 5924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 5924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 5924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5416 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5416 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5416 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 5864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 5864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5416 wrote to memory of 5864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1056 wrote to memory of 6428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f99598195.exe
PID 1056 wrote to memory of 6428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f99598195.exe
PID 1056 wrote to memory of 6428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f99598195.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fbaN.exe

"C:\Users\Admin\AppData\Local\Temp\63ae322c56a4013c1d60080c290db9abcfe8efa0404b72ded0c3f7f1567e6fbaN.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b31150111.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b31150111.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5672 -ip 5672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d31605503.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d31605503.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5032 -ip 5032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1252

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f99598195.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f99598195.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE606234.exe

MD5 f9e7fc4c2d269f265123bd7bbb8273a4
SHA1 5d2058cde5875369b10806f977d6623d8a3f7bdc
SHA256 3ad830e85f989bd812b96a525123bf2f22dbee7ce17b0a966866102c3d8bae88
SHA512 3d8af5729a3b6cce28d71a2325e93b1ed83d64f5b2c08ec1532d265c6f5c5dfda608b1fe85608618d50db0a19980910fa28b1344b51d36129e1c748157b94dad

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ej741818.exe

MD5 aab070e5656e5b4bdebb70b65e0eb263
SHA1 4e208630f9a968d61f3d4fad6a467ae5fb247cb7
SHA256 1f591690a84d1d6e245d2f7dec62b873395dcc61807891283ec0d6bf5438264d
SHA512 eabe9ca4d4807b048cc537d636f8532e723ef29198298d9a9280a79e1fdd01bcc480c054e493f6ff8da78b66b1bbf7e13c6d9cdc0a0334363687d83f7447d8f0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JV814224.exe

MD5 2eb2a087a44d5945200ebc1f6d2e3ed4
SHA1 a375395a9db9e9f5d2e4a17b3de3429718cde52f
SHA256 3fb198e1d7c3dcd68933abb49119fe062c5349098fdddee37af075b86c46245d
SHA512 97be359f77feba898802d814f43cb98014c7e8f800c52a679c084b9434f8103464b96e932a98450443bebd321ca457bdce7c8280b542121b6a24f83d01f144f8

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Iw630812.exe

MD5 245666d019af6076a90c3e349f8cb1d6
SHA1 1d838283de0a408e0fb58397fb7fbf6863418ba5
SHA256 1cbad9669d4db2539fe2a1f84280e2b8540b1ff2670b0ecf7d2efd2becacac4f
SHA512 2e3003938bb766985a789b725024824c16dc26d38700f55fdc434492fd97984bf7b95607d491d7f6a5621af6f00ff51daa9dbddcf41f5cdb1d97b678d5cf5141

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30455456.exe

MD5 78ca54a77ae6b2ebd1742d43bc2b166d
SHA1 1660a6ca41dbc4563abd4da8d94980aebac453e7
SHA256 8d5d89f3b7d7f59693fe965d576dffc795ed8ddebe93041c118a5108c1448041
SHA512 6637126e06009168225dc844a38eae08a6c8b64e10edc9feb8863d5120c83e2c6b6eadbf724c7d2a6a43d7ea35307b86e823ae27f39055ee93f845d549d55abe

memory/1236-35-0x0000000002400000-0x0000000002458000-memory.dmp

memory/1236-36-0x00000000049E0000-0x0000000004F84000-memory.dmp

memory/1236-37-0x0000000004FD0000-0x0000000005026000-memory.dmp

memory/1236-99-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-101-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-97-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-95-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-93-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-91-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-89-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-87-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-85-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-83-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-81-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-77-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-75-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-73-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-71-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-69-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-67-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-65-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-63-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-61-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-57-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-55-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-53-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-51-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-49-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-47-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-45-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-43-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-39-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-79-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-59-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-41-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-38-0x0000000004FD0000-0x0000000005021000-memory.dmp

memory/1236-2166-0x00000000052F0000-0x00000000052FA000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b31150111.exe

MD5 7edd3c6f26aaf6cece240bfb771d3299
SHA1 911f4d739ccd50023037e1e8dd08918e068022b7
SHA256 cb29785bffc9632c5acb9a50e23e0e8df978f772e94471f15eee6e0ef1c326ad
SHA512 231cd08c0e54b87a845ed0ac50e7c65734628afd15f7f7788b203071199fd20b4d2f864021af8189b9af8e68fbfc98da62274582a92d10688dd327cc8a3be455

memory/5636-2182-0x0000000000D40000-0x0000000000D4A000-memory.dmp

memory/5672-4312-0x0000000005750000-0x00000000057E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c62285251.exe

MD5 849b96fff066448788c01a4e4f53dfdf
SHA1 9638c0a294636ba6388b4e142724d324d979f95e
SHA256 d6205e7b7b57af2dbf63e9cc43d7a4918172da8a82ba01d787c9ca8c04f52048
SHA512 b03f4593e94fd7fedcb7bfa74c14a587ebb4389c2ae8fa7e22c3616c621ed7c21198077ce0d4064ff12a31c10a6abc075d57345b782e0f6c233622ddac016026

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d31605503.exe

MD5 e3916636dab8efab853f94bdd692efa1
SHA1 33b01ca241c69c5239cb6b25d7830fc76122f8a9
SHA256 cfaf533f6776e820dfeb08ee8b73605037832c0373f86ff5e8849aa826d71bde
SHA512 d0e44a0b890e9f1c56c3ac30e9bf423800e03c65d937ac9de32973600fc961f1f17fc909605da36001b97e57e87c56e0663c7fad4d2ce3c00bdff641c2ff1d79

memory/5032-4332-0x0000000004E20000-0x0000000004E88000-memory.dmp

memory/5032-4333-0x0000000004E90000-0x0000000004EF6000-memory.dmp

memory/5032-6480-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f99598195.exe

MD5 58dae70b0842d0d4cccbfa860e90da3d
SHA1 2ec9ddee41ba4e850537cb70a8a8bbcf42d25dff
SHA256 2cca5c718cb85833e8594082e28c3d229d0d3b9a58867b4423cc744bf2636210
SHA512 d63ccab9743d5ad76b0145c90b9cc0a49bb0d92554fea7171217f50a7121157bf10550f8777a8dabf6637967172cfe167e09f75f8780c9f6b0b37de95b1ff117

memory/6428-6486-0x0000000000DD0000-0x0000000000E00000-memory.dmp

memory/6428-6487-0x00000000055B0000-0x00000000055B6000-memory.dmp

memory/6428-6488-0x0000000005D40000-0x0000000006358000-memory.dmp

memory/6428-6489-0x0000000005830000-0x000000000593A000-memory.dmp

memory/6428-6490-0x0000000005750000-0x0000000005762000-memory.dmp

memory/6428-6491-0x00000000057B0000-0x00000000057EC000-memory.dmp

memory/6428-6492-0x0000000005940000-0x000000000598C000-memory.dmp