Malware Analysis Report

2024-11-15 09:56

Sample ID 241110-bvydaayrfr
Target a0fccc1062b35f528c928316463f193f96003d30df52eedd94df608961a6f16a
SHA256 a0fccc1062b35f528c928316463f193f96003d30df52eedd94df608961a6f16a
Tags
amadey healer redline 47f88f lada mari discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a0fccc1062b35f528c928316463f193f96003d30df52eedd94df608961a6f16a

Threat Level: Known bad

The file a0fccc1062b35f528c928316463f193f96003d30df52eedd94df608961a6f16a was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer an antivirus disabler dropper

Amadey family

RedLine

Healer

Healer family

RedLine payload

Amadey

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:28

Reported

2024-11-10 01:31

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0fccc1062b35f528c928316463f193f96003d30df52eedd94df608961a6f16a.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co236328.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPB87t79.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a0fccc1062b35f528c928316463f193f96003d30df52eedd94df608961a6f16a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki837750.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki718407.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki000200.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki045112.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki718407.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki045112.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPB87t79.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a0fccc1062b35f528c928316463f193f96003d30df52eedd94df608961a6f16a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki837750.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki000200.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co236328.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft928502.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co236328.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 832 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\a0fccc1062b35f528c928316463f193f96003d30df52eedd94df608961a6f16a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki837750.exe
PID 1940 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki837750.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki718407.exe
PID 4424 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki718407.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki000200.exe
PID 3340 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki000200.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki045112.exe
PID 1108 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki045112.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe
PID 1108 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki045112.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe
PID 3340 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki000200.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co236328.exe
PID 2536 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co236328.exe C:\Windows\Temp\1.exe
PID 4424 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki718407.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPB87t79.exe
PID 3288 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPB87t79.exe C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
PID 1940 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki837750.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft928502.exe
PID 4900 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0fccc1062b35f528c928316463f193f96003d30df52eedd94df608961a6f16a.exe

"C:\Users\Admin\AppData\Local\Temp\a0fccc1062b35f528c928316463f193f96003d30df52eedd94df608961a6f16a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki837750.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki837750.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki718407.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki718407.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki000200.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki000200.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki045112.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki045112.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3580 -ip 3580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co236328.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co236328.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2536 -ip 2536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1384

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPB87t79.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPB87t79.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft928502.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft928502.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki837750.exe

MD5 99b8fae9de0c91dde743dd2417b00118
SHA1 0e6aabb5bc88f88d509665ea2857ea25acf24993
SHA256 1283dd5e4f11103502b815fdec7caf3da478e8e02326490c2d92c1fc2a4bc418
SHA512 637547ae0aa298b070411becf16ea8baff4d2029899dfd30e0dfc06d0467255c141afc993406bbb13aaae7763480ba64b38cfcc7928f611ceed8e635a67d6553

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki718407.exe

MD5 f674ff3e9dd512332bbd2e9e59e80d66
SHA1 152bb11500dd3f48a224a57593a8ea1ae65f7f0c
SHA256 4965d94aff4ece2a1b548e32c5c897be31193b97bb52e29e9ac78549bf08a27f
SHA512 267f17284a6513c38292fa903f8104c22e0fee0360dd68302ce5361d17abd27c6f73bf6231a1e04bb932ff38eb046f9538beab311abf6c9717db158a96c6b78e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki000200.exe

MD5 774b98dfa9dd0154bc3f4a24c3fa43cd
SHA1 80f7f0dfb045541cafcb6a8e7a116c857ac5798f
SHA256 0c93a05ccf19ca923ec10d3a70489faac8192a53a57c4cfffe4f8f697436f5ca
SHA512 f84322fb7b1f25a9e301d1711f8631ed9d2d457e0dda2c26f6c466cb89f02299bdc6d2757d1235ca25690b52a5a9942b446a28773d5c24849c80120c82855d5b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki045112.exe

MD5 465beda77db4e5447fed76a887209acd
SHA1 3c3656a58a586f5f5fdc6815cd0b88591a792d5f
SHA256 5e6dd6d541563eacbad98684d69d2a33b623ee5ae783f90cf28408c5f2a7ff54
SHA512 c2e1e11af6f3382b7e084a734088ea8e7f8943a7593370b1e2a2d554473015e3fe127206f52c1cd69afbb42121f8e55e411056b5cc7f7d63a27df9a827ef5f36

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az753917.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu409301.exe

MD5 cc7319174b57902b41f6c7c825ca49da
SHA1 e006093245d0799b0fa97948b97d235b05e8fce7
SHA256 88904dc19ac782f0a87ac5eb9fd6be8ae4c0703a5a850d93715e565062a04c7a
SHA512 6ed7c1a6e9dacf035a732c162f9d17d74e1d4b8e4e3e8442ed5ec49ba8d6293ef7c0f33a3a2653d0f3497c9c181debca1b1aa9ec7577d2b86a94b29dfeaf1f32

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\co236328.exe

MD5 064f513da50f492fff9adb44a8ca3424
SHA1 be6e8e6eec80d04a45f3854aed3c0ed43f780258
SHA256 69821ef3f9b3ee2c645b118c3a0d13f7800e7867838b79deb6ff02def06ddc7f
SHA512 d7fda0157db77a32bac5e33725e11662468f246fbfb71345c3f8ee8820edbd88f7457f4d63f285fab7f5ec66583e1ff15709c43ff9c042d34fd6b7ed27948d6e

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPB87t79.exe

MD5 ee1f5f0e1168ce5938997c932b4dcd27
SHA1 b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256 dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512 bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft928502.exe

MD5 43e730ad5332edc6be89afaf8f9bf4ea
SHA1 e99ba2aef949461631ac632dc3a65ff81271d141
SHA256 5a14f162b174548258dd0e16fee7569eefe73cb04f0304911bd687fa9fac0da8
SHA512 ece1de5783397c7e7770f0f4448682aaf330676ee5abe208ad537a8c1c99a0b413c6a61b906a74fbdfcdbf9d42e9720f52385d0cf14ab9dac1df014cc80a3cf0
