Malware Analysis Report

2025-05-28 18:49

Sample ID 241110-d9q9maykfv
Target 94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712
SHA256 94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712

Threat Level: Known bad

The file 94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

Amadey family

Healer family

Redline family

RedLine

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:42

Reported

2024-11-10 03:45

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (34 identical rows; no details recorded for this signature)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 identical rows; no details recorded for this signature)

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\420868863.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\420868863.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5080 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe
PID 5080 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe
PID 5080 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe
PID 4732 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe
PID 4732 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe
PID 4732 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe
PID 4900 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe
PID 4900 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe
PID 4900 wrote to memory of 3900 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe
PID 3900 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe
PID 3900 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe
PID 3900 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe
PID 3900 wrote to memory of 408 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe
PID 3900 wrote to memory of 408 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe
PID 3900 wrote to memory of 408 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe
PID 4900 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe
PID 4900 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe
PID 4900 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe
PID 372 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 372 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 372 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4732 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\420868863.exe
PID 4732 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\420868863.exe
PID 4732 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\420868863.exe
PID 4600 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4600 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4600 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4600 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 4536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 4536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 4536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 4984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 4984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 4984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 4192 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 4192 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 4192 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 2912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 2912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 2912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 3116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 3116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 3116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3080 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712.exe

"C:\Users\Admin\AppData\Local\Temp\94cbe1829ceae60d3d72c9ea945b5ee51520876c171e1ec74a31dcc60979b712.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 408 -ip 408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1076

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\420868863.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\420868863.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.3.19.154:80 | (none) | tcp
RU | 185.161.248.72:38452 | (none) | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
RU | 185.161.248.72:38452 | (none) | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 185.161.248.72:38452 | (none) | tcp
RU | 193.3.19.154:80 | (none) | tcp
RU | 185.161.248.72:38452 | (none) | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
RU | 193.3.19.154:80 | (none) | tcp
RU | 185.161.248.72:38452 | (none) | tcp
RU | 193.3.19.154:80 | (none) | tcp
RU | 185.161.248.72:38452 | (none) | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xY597826.exe

MD5 356c487c96721146a63f2e8040391a57
SHA1 c838abd0801657e7c6a416fb00fdf46d0b6e1974
SHA256 485bf05fc539627ba3cf4e0da08d888ee51536dc40e478d13a81691d3478a614
SHA512 45e7e2fc644f11d31aecf9ebbf6b39eac887f0ff7520c249e9d47a3495be288ab125d5a2c98181110165ceb9592729ebde75bf85b5e966b87ecb9d376345a5ee

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BA113132.exe

MD5 85fecf6b72058f5c000364e13cddf1d8
SHA1 0cc30c18cce141af5bcaf5203c47bafd2e96bad2
SHA256 1bbbba64338563c7db060a0c9b4372792b7c2c081cf0086f8f6d1424b5e4efbd
SHA512 556f3dc4780383b16bf594dea295aa40abbe6a5924dea28a8649dc4ee118f9c567e5a4afb305fc0a9d9117f79eb9b02fa1e48bccdfc812867dce5683df2a16d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BO037891.exe

MD5 15dee508636f87b626b7ff0960e22579
SHA1 45758d6cf96855e6c745c5449f4879d6fd787fe1
SHA256 39b2ec824c7ce37e845800635ff31686633f4716cdc7ef2a39a250477ae6a175
SHA512 b7067f135fa35ed69d01b8bb04dfdcda67d0d051d7bf6c6529c50e255feea37e866b458694541dcdad149410b86490162616002d69ed9e5f848c2ebefdc7c6b6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\102536992.exe

MD5 7cde207e539b3d05abea96e4db24fea9
SHA1 a147baa9c33cfbe6239c0ad52a399f2b0a1974af
SHA256 d805d69423832ad21f12b957f56d5bcc4334b791233a5b0e789aeebe9dbe69bc
SHA512 a00b233ddbf255d44a7fc376bc8e34f92a7eab3c085f5548f4ccdbeabf33c59e8d4d622182136bafd4f261148cca0f7c5e30615d67c92a023b3d1740e8bf4ad6

memory/5000-28-0x00000000008D0000-0x00000000008EA000-memory.dmp

memory/5000-29-0x0000000004A50000-0x0000000004FF4000-memory.dmp

memory/5000-30-0x00000000024B0000-0x00000000024C8000-memory.dmp

memory/5000-52-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-58-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-56-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-54-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-50-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-48-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-46-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-45-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-40-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-38-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-36-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-34-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-32-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-42-0x00000000024B0000-0x00000000024C3000-memory.dmp

memory/5000-31-0x00000000024B0000-0x00000000024C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\216299277.exe

MD5 90fdccedec8ddffabd7ea43c6eae08ff
SHA1 42ff695eb40dd477770fe5f31d64fa17d441b697
SHA256 384b7b43931e84103447cb2ccab215bc9f949417990123ea24df54b408ce75b3
SHA512 5cd54e0394b2814bc6eac8ef0287a9c4ad8130fccaec5145d5cb02e4905b3e862766820b8b4e7f8f3279ee3c139c557c43fe3cad6a14fdd373464612dff17d9c

memory/408-64-0x0000000002240000-0x000000000225A000-memory.dmp

memory/408-65-0x0000000002390000-0x00000000023A8000-memory.dmp

memory/408-83-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-85-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-93-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-91-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-89-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-87-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-81-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-79-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-77-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-75-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-73-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-71-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-69-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-67-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-66-0x0000000002390000-0x00000000023A2000-memory.dmp

memory/408-94-0x0000000000400000-0x0000000000466000-memory.dmp

memory/408-96-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333603298.exe

MD5 74868a83e0d9cd4ef927bb51c929db13
SHA1 614e37c314bb4c635cae2be6419566687bfda3aa
SHA256 65bf2557142ec07761a872f6734bb13e27fe54acceba7efd728c745fc277eb6b
SHA512 8bdcc0a912bc192c22fad5184990d8e2cb029ce34410cb4a5871d966232c3ba399d77271645f0cbbb82e88f066e505be0f78d526d5694fc63845e878638b68d2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\420868863.exe

MD5 408555640538f3bba3572e284e29e584
SHA1 eb4b9baaa7b9de5bd9fa60fd312cb66c0b86bb42
SHA256 febcd65c7e03525f5c67b59672157aa92013fbe75929701ca609bea61140642c
SHA512 b2e9aeb955eaa997e4c73770bb128ac18efbdf30eb4111ebca0f6a48f881394f76599aa547f244671336cdf3f4aed67551d8d48895160101adc4fce6c2098bcf

memory/5020-114-0x0000000002390000-0x00000000023CC000-memory.dmp

memory/5020-115-0x0000000002650000-0x000000000268A000-memory.dmp

memory/5020-121-0x0000000002650000-0x0000000002685000-memory.dmp

memory/5020-119-0x0000000002650000-0x0000000002685000-memory.dmp

memory/5020-117-0x0000000002650000-0x0000000002685000-memory.dmp

memory/5020-116-0x0000000002650000-0x0000000002685000-memory.dmp

memory/5020-908-0x0000000007570000-0x0000000007B88000-memory.dmp

memory/5020-909-0x0000000007C00000-0x0000000007C12000-memory.dmp

memory/5020-910-0x0000000007C20000-0x0000000007D2A000-memory.dmp

memory/5020-911-0x0000000007D40000-0x0000000007D7C000-memory.dmp

memory/5020-912-0x0000000002580000-0x00000000025CC000-memory.dmp