Malware Analysis Report

2024-11-13 17:36

Sample ID 241110-b3vmcswgql
Target 13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032
SHA256 13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032

Threat Level: Known bad

The file 13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Redline family

Detects Healer an antivirus disabler dropper

RedLine payload

Amadey family

Amadey

Healer family

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:40

Signatures

Unsigned PE

Description Indicator Process Target
(1 hit; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:40

Reported

2024-11-10 01:43

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 hits; no indicator details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(6 hits; no indicator details recorded)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\319219348.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe N/A
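The five Real-Time Protection values and the TamperProtection flag above are what a detection should key on. The following is an added example (not sandbox output, and not code from any of the families the report names) that parses event rows in this report's "Description Indicator Process Target" layout, folds the logged WOW6432Node view onto the 64-bit path Defender reads (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection), and scores each process. The sample rows are copied from the tables above; the severity table, the function names and the verdict wording are this example's assumptions. Two caveats for a responder: the paths are logged in the 32-bit view, so check the 64-bit path as well when hunting on a live host; and on a build with Tamper Protection enabled these policy writes are ignored, which is why the dropper also tries to zero Features\TamperProtection, a value Microsoft protects for exactly that reason, so the attempt is a high-fidelity signal whether or not it succeeds.

```python
"""Flag Windows Defender tampering in sandbox registry event rows.

Added example; not sandbox output and not code from any family named in
the report. SAMPLE_ROWS are copied from the report's tables. The
function names, the severity table and the verdict wording are this
example's own assumptions.
"""
import re
from collections import defaultdict

# Real-Time Protection policy values seen in the report; severity is assigned
# by this example, not by the sandbox.
RTP_VALUES = {
    "DisableRealtimeMonitoring": "high",
    "DisableBehaviorMonitoring": "high",
    "DisableOnAccessProtection": "high",
    "DisableIOAVProtection": "medium",
    "DisableScanOnRealtimeEnable": "medium",
}
RTP_KEY = r"Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_VALUE = r"Microsoft\Windows Defender\Features\TamperProtection"

# Row layout: <operation> <registry path>[ = "<value>"] <process image> <target>
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key value queried|Key opened)\s+'
    r'(?P<path>\\REGISTRY\\[^"]+?)'
    r'(?:\s*=\s*"(?P<value>[^"]*)")?\s+'
    r'(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$'
)

SAMPLE_ROWS = [  # copied from the report
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\319219348.exe N/A',
]


def normalise(path):
    """Map the logged 32-bit (WOW6432Node) view onto the 64-bit path, in HKLM/HKU form."""
    path = path.replace(r"\WOW6432Node", "")
    return path.replace(r"\REGISTRY\MACHINE", "HKLM").replace(r"\REGISTRY\USER", "HKU")


def analyse(rows):
    """Return {process image: [(severity, canonical value path), ...]} for Defender-weakening writes."""
    findings = defaultdict(list)
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m or not m["op"].startswith("Set value"):
            continue  # only value writes can weaken Defender; reads and key creation are context
        path = normalise(m["path"])
        key, _, name = path.rpartition("\\")
        if key.endswith(RTP_KEY) and name in RTP_VALUES and m["value"] == "1":
            findings[m["process"]].append((RTP_VALUES[name], path))
        elif path.endswith(TAMPER_VALUE) and m["value"] == "0":
            findings[m["process"]].append(("critical", path))
    return dict(findings)


def verdict(findings):
    """One line per process; Tamper Protection off plus real-time protection off is the AV-disabler pattern."""
    out = {}
    for proc, hits in findings.items():
        sev = {s for s, _ in hits}
        if "critical" in sev and "high" in sev:
            out[proc] = "av-disabler: Tamper Protection off and real-time protection disabled"
        elif "high" in sev:
            out[proc] = "real-time protection disabled by policy"
        else:
            out[proc] = "Defender policy weakened"
    return out


if __name__ == "__main__":
    for proc, text in verdict(analyse(SAMPLE_ROWS)).items():
        print(f"{proc}: {text}")
```

Run against the rows above, 145019496.exe is reported as an AV disabler (Tamper Protection plus two real-time values) and 284004981.exe, which only reached DisableRealtimeMonitoring in the sample, as a policy-level disable; the Geo\Nation read is parsed but ignored.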

Adds Run key to start application

persistence
Note: the four values below are the wextract_cleanupN entries that the wextract/IExpress self-extractor writes for itself; each calls rundll32 advpack.dll,DelNodeRunDLL32 to delete one IXP00n.TMP extraction directory at the next logon and does not relaunch a payload. The persistence that survives in this chain is the scheduled task created for oneetx.exe (see Processes).
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn344101.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bR154927.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG968957.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG968957.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\319219348.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bR154927.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\417887497.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn344101.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\417887497.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\319219348.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4408 wrote to memory of 2012 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn344101.exe
PID 2012 wrote to memory of 4564 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn344101.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bR154927.exe
PID 4564 wrote to memory of 3740 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bR154927.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG968957.exe
PID 3740 wrote to memory of 2888 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG968957.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe
PID 3740 wrote to memory of 1568 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG968957.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe
PID 4564 wrote to memory of 3064 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bR154927.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\319219348.exe
PID 3064 wrote to memory of 1580 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\319219348.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2012 wrote to memory of 4280 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn344101.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\417887497.exe
PID 1580 wrote to memory of 3612 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1580 wrote to memory of 888 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 3116 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 400 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 888 wrote to memory of 1148 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 888 wrote to memory of 4080 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 888 wrote to memory of 1092 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 888 wrote to memory of 1668 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
(The raw log lists each parent/child pair three times; the repeats are collapsed here with a count. Every write targets a child the writer itself launched, which is the pattern process creation produces in this telemetry; no writes into pre-existing or unrelated processes were recorded.)
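A practitioner reading this table wants the chain as a tree rather than as a flat list of writes. The following is an added example (not sandbox output): it parses rows in the sandbox's one-row-per-write layout, counts the repeats instead of dropping them, recovers the parent/child links, renders the tree with pre-installed system binaries marked, and counts the nested IXPnnn.TMP extraction directories, one per wextract/IExpress stage. The rows embedded below are a subset copied from this report; the function names and the system-binary list are this example's own assumptions.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory rows.

Added example, not sandbox output. Each "PID X wrote to memory of Y" row
records a parent writing into a child it has just created, so the rows
double as parent/child links. SAMPLE_WRITES is a subset copied from the
report in the sandbox's one-row-per-write layout (repeats kept, since each
is a separate write). Function names and SYSTEM_BINARIES are this example's.
"""
import re
from collections import Counter, defaultdict

WRITE_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+)\s+N/A\s+(?P<ppath>\S+)\s+(?P<cpath>\S+)$"
)

# Pre-installed binaries a dropper commonly drives; marked when they appear as children.
SYSTEM_BINARIES = {"cmd.exe", "cacls.exe", "schtasks.exe", "rundll32.exe", "werfault.exe"}

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_WRITES = [  # copied from the report, in the report's order
    rf"PID 4408 wrote to memory of 2012 N/A {T}\13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032.exe {T}\IXP000.TMP\tn344101.exe",
    rf"PID 4408 wrote to memory of 2012 N/A {T}\13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032.exe {T}\IXP000.TMP\tn344101.exe",
    rf"PID 4408 wrote to memory of 2012 N/A {T}\13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032.exe {T}\IXP000.TMP\tn344101.exe",
    rf"PID 2012 wrote to memory of 4564 N/A {T}\IXP000.TMP\tn344101.exe {T}\IXP001.TMP\bR154927.exe",
    rf"PID 4564 wrote to memory of 3740 N/A {T}\IXP001.TMP\bR154927.exe {T}\IXP002.TMP\pG968957.exe",
    rf"PID 3740 wrote to memory of 2888 N/A {T}\IXP002.TMP\pG968957.exe {T}\IXP003.TMP\145019496.exe",
    rf"PID 3740 wrote to memory of 1568 N/A {T}\IXP002.TMP\pG968957.exe {T}\IXP003.TMP\284004981.exe",
    rf"PID 4564 wrote to memory of 3064 N/A {T}\IXP001.TMP\bR154927.exe {T}\IXP002.TMP\319219348.exe",
    rf"PID 3064 wrote to memory of 1580 N/A {T}\IXP002.TMP\319219348.exe {T}\cb7ae701b3\oneetx.exe",
    rf"PID 2012 wrote to memory of 4280 N/A {T}\IXP000.TMP\tn344101.exe {T}\IXP001.TMP\417887497.exe",
    rf"PID 1580 wrote to memory of 3612 N/A {T}\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe",
    rf"PID 1580 wrote to memory of 888 N/A {T}\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 888 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe",
]


def parse_writes(rows):
    """Return ({(ppid, pid): write count}, {pid: image path}). Repeats are counted, not dropped."""
    edges, image = Counter(), {}
    for line in rows:
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        ppid, pid = int(m["ppid"]), int(m["pid"])
        edges[(ppid, pid)] += 1
        image.setdefault(ppid, m["ppath"])
        image.setdefault(pid, m["cpath"])
    return edges, image


def build_tree(edges):
    """Children per parent in first-seen order, plus the roots (parents never seen as a child)."""
    children = defaultdict(list)
    for ppid, pid in edges:  # Counter preserves insertion order, i.e. launch order
        children[ppid].append(pid)
    spawned = {pid for kids in children.values() for pid in kids}
    roots = [ppid for ppid in children if ppid not in spawned]
    return dict(children), roots


def render(children, image, root, depth=0, out=None):
    """Indented tree, one line per process, with system binaries marked."""
    out = [] if out is None else out
    img = image.get(root, "?")
    mark = "  <- system binary" if img.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES else ""
    out.append(f"{'  ' * depth}{root}  {img}{mark}")
    for kid in children.get(root, []):
        render(children, image, kid, depth + 1, out)
    return out


def max_depth(children, root):
    """Number of hops from root to the deepest descendant."""
    kids = children.get(root, [])
    return 0 if not kids else 1 + max(max_depth(children, k) for k in kids)


def unpack_layers(image):
    """Distinct IXPnnn.TMP directories: one per nested wextract/IExpress self-extractor stage."""
    return sorted({d for p in image.values() for d in re.findall(r"IXP\d{3}\.TMP", p)})


if __name__ == "__main__":
    edges, image = parse_writes(SAMPLE_WRITES)
    children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, image, root)))
    print("nesting depth:", max_depth(children, roots[0]), "unpack layers:", unpack_layers(image))
```

On the rows above the tree has a single root (PID 4408, the submitted sample), six hops to the deepest cacls.exe, and four IXP00n.TMP stages, which matches the four wextract_cleanup RunOnce values the dropper chain left behind.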

Processes

Process tree (parent/child links and PIDs taken from the WriteProcessMemory table above; each entry gives the image path, then the recorded command line where the sandbox logged one). Image paths are under C:\Windows\SysWOW64 while the recorded command lines name C:\Windows\System32: the whole chain is 32-bit and subject to file-system redirection.

4408  C:\Users\Admin\AppData\Local\Temp\13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032.exe
      "C:\Users\Admin\AppData\Local\Temp\13ac3efec993c6818e6d255e7cf2d9dbbef04d8d854e5c997a43fe5672709032.exe"
  2012  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn344101.exe
    4564  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bR154927.exe
      3740  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG968957.exe
        2888  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe   (writes the Defender policy and TamperProtection values listed above)
        1568  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe   (writes the Defender policy and TamperProtection values listed above; crashed, see WerFault below)
      3064  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\319219348.exe
        1580  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
              "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
          3612  C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
          888   C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
            Children of 888, listed in the order the sandbox recorded them (PIDs 3116, 400, 1148, 4080, 1092, 1668 in the WriteProcessMemory table, matched by order):
              C:\Windows\SysWOW64\cmd.exe    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              C:\Windows\SysWOW64\cacls.exe  CACLS "oneetx.exe" /P "Admin:N"
              C:\Windows\SysWOW64\cacls.exe  CACLS "oneetx.exe" /P "Admin:R" /E
              C:\Windows\SysWOW64\cmd.exe    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              C:\Windows\SysWOW64\cacls.exe  CACLS "..\cb7ae701b3" /P "Admin:N"
              C:\Windows\SysWOW64\cacls.exe  CACLS "..\cb7ae701b3" /P "Admin:R" /E
    4280  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\417887497.exe

Processes with no parent recorded in the WriteProcessMemory table:

  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1568 -ip 1568
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1084
  (Windows Error Reporting for PID 1568, 284004981.exe; this is the "Program crash" signature in the overview)

  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  (two further oneetx.exe instances, command line equal to the unquoted image path; consistent with the one-minute scheduled task firing during the 150 s run)
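The schtasks and CACLS command lines recorded under oneetx.exe are the persistence worth pulling apart. The following is an added example (not sandbox output and not the malware's own code): it tokenises the schtasks call, flags a minute-interval task whose action points into a user-writable directory, and walks the &&-chained CACLS calls to spot the replace-with-None-then-edit-in-Read sequence that leaves the logged-on user able to read but not modify or delete the dropped file and its directory. The two command lines are copied from the report; the heuristics, helper names and wording are this example's assumptions. Caveat for cleanup: cacls.exe is deprecated but still shipped, an administrator can reverse the lock with takeown and icacls, and the task is removable with schtasks /Delete; remove the task before the file, or the next minute-trigger recreates the situation.

```python
"""Pull persistence details out of schtasks and CACLS command lines.

Added example, not sandbox output and not code from the malware. The two
command lines below are copied from the report; the parsing helpers, the
heuristics and their wording are this example's own (the report itself only
tags the schtasks call as "Scheduled Task").
"""
import re
import shlex

SCHTASKS_CMD = (
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'
)
CACLS_CMD = (
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E'
    r'&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'
)

# Directories a standard user can write to; this example's list, not the report's.
USER_WRITABLE = (r"\AppData\Local\Temp", r"\AppData\Roaming", r"\ProgramData", r"\Users\Public")

CACLS_RE = re.compile(
    r'CACLS\s+"(?P<target>[^"]+)"\s+/P\s+"(?P<user>[^":]+):(?P<perm>[A-Za-z]+)"(?P<edit>\s+/E)?',
    re.IGNORECASE,
)


def parse_schtasks(cmdline):
    """Switches as {NAME: value or True}; posix=False keeps Windows backslashes and quoting intact."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    switches, i = {"image": tokens[0]}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = tokens[i + 1]  # switch with an argument
                i += 2
                continue
            switches[name] = True  # bare switch such as /Create or /F
        i += 1
    return switches


def assess_task(sw):
    """Heuristics for a persistence-style task; returns the reasons that fired."""
    reasons = []
    if sw.get("CREATE") is True and sw.get("F") is True:
        reasons.append("creates a task and /F silently overwrites any existing one of that name")
    if str(sw.get("SC", "")).upper() == "MINUTE":
        reasons.append(f"runs every {sw.get('MO', '1')} minute(s): a re-launch loop, not a maintenance schedule")
    target = str(sw.get("TR", ""))
    if any(marker.lower() in target.lower() for marker in USER_WRITABLE):
        reasons.append("task action lives in a user-writable directory: " + target)
    if str(sw.get("TN", "")).lower().endswith(".exe"):
        reasons.append("task name is the payload file name: " + str(sw["TN"]))
    return reasons


def parse_cacls_chain(cmdline):
    """Each CACLS invocation in a &&-chained cmd line as (target, user, perm, edit_flag)."""
    return [(m["target"], m["user"], m["perm"].upper(), bool(m["edit"])) for m in CACLS_RE.finditer(cmdline)]


def assess_acl(cmdline):
    """Spot /P user:N (replace whole ACL) followed by /P user:R /E (edit in Read): read-only, undeletable."""
    reasons, replaced = [], set()
    for target, user, perm, edit in parse_cacls_chain(cmdline):
        if perm == "N" and not edit:
            replaced.add((target, user))  # without /E the ACL is replaced by this single entry
        elif perm == "R" and edit and (target, user) in replaced:
            reasons.append(f"{target}: {user} reduced to read-only (cannot modify or delete)")
    if re.search(r"echo\s+Y\s*\|\s*CACLS", cmdline, re.IGNORECASE):
        reasons.append("'echo Y|' pre-answers the CACLS confirmation prompt, so the change is unattended")
    return reasons


if __name__ == "__main__":
    for reason in assess_task(parse_schtasks(SCHTASKS_CMD)) + assess_acl(CACLS_CMD):
        print("-", reason)
```

On the report's command lines all four task heuristics fire (create-with-overwrite, one-minute trigger, action under %TEMP%, task named after the payload), and the ACL walk reports both oneetx.exe and ..\cb7ae701b3 locked to read-only for the Admin account with the confirmation prompt pre-answered.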

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn344101.exe

MD5 05182e39e02da6b15bb4cd02d77b5038
SHA1 edafe6c4de7a123d43208eeefa55ddd10557ae73
SHA256 9de01618c2b91eefc5800163e6d3f4cbc085ac5656d46e090210f78150546044
SHA512 20d7a13097669ba8645201b4a2e66a985dae9e22f044b272f777b4c27d4ce04bd883f36602c2db3439876b0fd5813f71a6159ec9d6103fae06ef4f7dfc602729

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bR154927.exe

MD5 23a9e352f0c969cf2ba7052fd5f94f20
SHA1 10fc97f8899ed6f52bd01603203b6198166432df
SHA256 01b03d7f3d40ba821d46bfd1a38c16175fdc6ab66bc92e47414e7c27dc3fdb6c
SHA512 68352e327d331796bd2df50565c41d48f5eab840f98f6ce4a0fb7dba2be8d2eee800f1df2f71d6a34ea662b69fe4214877dd328ce8160ece4910055f961f5761

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pG968957.exe

MD5 73bfebad9b603c800ab92d38eb969824
SHA1 a867650ae0570d000bba3b423d0468450703f05f
SHA256 e69e545a27d9af8e59d4fd88f01c909157ad5eb136c48518e159210682324f99
SHA512 18c9a4397b865f25f3425a23315f1f4def211708e8009b42b74515eb94b115eaa02fe5036e598aec66f6a365dbf0cbec37153b6343ce76d6f67cd31c58146f63

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145019496.exe

MD5 3d10b67208452d7a91d7bd7066067676
SHA1 e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512 b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

memory/2888-28-0x00000000023C0000-0x00000000023DA000-memory.dmp

memory/2888-29-0x0000000004BD0000-0x0000000005174000-memory.dmp

memory/2888-30-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

memory/2888-52-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-50-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-48-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-46-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-44-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-42-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-40-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-38-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-58-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-56-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-54-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-36-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-34-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-32-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

memory/2888-31-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284004981.exe

MD5 35d7b6cd3132a98f77c183d59304d814
SHA1 22c457824e0b296738eb01f0f833e13a7399fad6
SHA256 218041b492a7b38e85f68c0c532da7e233b16dba7a345eca49c922432f1c7c84
SHA512 16ce435f10589b0fd01b14c7a50739ada1a5c5ec20de1a32667450c2ff5f0ffc87b19c5afe5b10558f5984f1f03986efdccf002a53cabde7be308d234172c5f4

memory/1568-92-0x0000000000400000-0x0000000002B9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\319219348.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

memory/1568-94-0x0000000000400000-0x0000000002B9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\417887497.exe

MD5 f6f7fe154a6f190e0ecb8316a36c370f
SHA1 0e9d78080d5102a0967fdf1f7939c0e3b09ecb3e
SHA256 15a6b9f5414f42b18d4805aed89ee1aab8f3ae41682c3a746a3dec3a9f090ad8
SHA512 8f23c502185f36caed3abceb32eb20c912df70d4b5d326bdbb6e59a838eebcba81b1358cd461727806f9e6954d5908c0a429eb313a98cbfeff911880c5cf2fc2

memory/4280-112-0x0000000007130000-0x000000000716C000-memory.dmp

memory/4280-113-0x0000000007790000-0x00000000077CA000-memory.dmp

memory/4280-117-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4280-119-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4280-115-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4280-114-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4280-906-0x0000000009C90000-0x000000000A2A8000-memory.dmp

memory/4280-907-0x000000000A340000-0x000000000A352000-memory.dmp

memory/4280-908-0x000000000A360000-0x000000000A46A000-memory.dmp

memory/4280-909-0x000000000A480000-0x000000000A4BC000-memory.dmp

memory/4280-910-0x0000000006C20000-0x0000000006C6C000-memory.dmp