Malware Analysis Report

2025-04-03 14:21

Sample ID 241110-ddrwaaxnat
Target c6e1f006250de7846ba4f5b56d7cbc14d6d189ef05d4c88731a8b6dd7ddac082
SHA256 c6e1f006250de7846ba4f5b56d7cbc14d6d189ef05d4c88731a8b6dd7ddac082
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6e1f006250de7846ba4f5b56d7cbc14d6d189ef05d4c88731a8b6dd7ddac082

Threat Level: Known bad

The file c6e1f006250de7846ba4f5b56d7cbc14d6d189ef05d4c88731a8b6dd7ddac082 was found to be: Known bad.

Malicious Activity Summary

RedLine

Amadey family

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

Healer

Detects Healer an antivirus disabler dropper

Amadey

Healer family

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:53

Reported

2024-11-10 02:56

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6e1f006250de7846ba4f5b56d7cbc14d6d189ef05d4c88731a8b6dd7ddac082.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340285167.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c6e1f006250de7846ba4f5b56d7cbc14d6d189ef05d4c88731a8b6dd7ddac082.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI155237.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KI217545.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QX835663.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\443079551.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI155237.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QX835663.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c6e1f006250de7846ba4f5b56d7cbc14d6d189ef05d4c88731a8b6dd7ddac082.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KI217545.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340285167.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\443079551.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4884 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\c6e1f006250de7846ba4f5b56d7cbc14d6d189ef05d4c88731a8b6dd7ddac082.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI155237.exe
PID 3160 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI155237.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KI217545.exe
PID 4304 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KI217545.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QX835663.exe
PID 2296 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QX835663.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe
PID 2296 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QX835663.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe
PID 4304 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KI217545.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340285167.exe
PID 692 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340285167.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3160 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI155237.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\443079551.exe
PID 2564 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2564 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3360 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3360 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3360 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3360 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3360 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3360 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c6e1f006250de7846ba4f5b56d7cbc14d6d189ef05d4c88731a8b6dd7ddac082.exe

"C:\Users\Admin\AppData\Local\Temp\c6e1f006250de7846ba4f5b56d7cbc14d6d189ef05d4c88731a8b6dd7ddac082.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI155237.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI155237.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KI217545.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KI217545.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QX835663.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QX835663.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4168 -ip 4168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340285167.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340285167.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\443079551.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\443079551.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI155237.exe

MD5 77acd827c97038b30fdd54c3a621d527
SHA1 97992d6c20a61a42aa783f0d2aa3c15a0e32e222
SHA256 dbbc449e89755208f9f9222651ed74e2ce5193a8ea12b614573e583e40c2d109
SHA512 9ffcb7f3181d397c7484d8af566753bf6d2876dbf225bfc982241dc05b0bf3b20867403ac788251f1031c0944877ef1675ee86a93ad5cea95a45fc1c4623d5aa

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KI217545.exe

MD5 339ba075a4ec5f994e1c038793fe711b
SHA1 6bde981b1e21a2084025e4221929c56f4eced044
SHA256 cb2c438dc08e41eb42741b7adc19e3e395536aa2b0b6917eb1721394eed37e2d
SHA512 f3d6d08236b37a98a818fb1697e261a8a48e91c22832a81ffa7b5c8717b368bf43d136898b66a10fc8059b23236fa7fb983720519a5a24e7c7ab62fa67bf50f1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QX835663.exe

MD5 45245548f98c898cf77fed32840881ba
SHA1 7e47b98ebf760852a41a29499eb29910fd67fd79
SHA256 3d0a4915fb026cf3b11d0c32d2ad7571baf17879cbefdd8ee3e8b7fb49905ebf
SHA512 5390762d1a1eeb69084aa25e459cfa6f98af8c62fed2bc37a3c40b15b040d6272551ebc2457853c06721733c6ee44b81756d4ce581d2c189dbfeb74e2f9b8f8e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\140404847.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\283366059.exe

MD5 a0e4b1c8e4daab44b812627cd17524cd
SHA1 fd753fda82be95ccf682bcd7d8077ee10de9456b
SHA256 adb772df56b58af4210e084c20a7b7756258d7a248f84fc87ab3bf472e6816b0
SHA512 9ceae0882f5acd23eb11175dd716bdddd1fdacb8951a5167cba492e4f08870f1dc8a09eaa8a0c3ec3a33bb18e1a7334f28e933f3ccd44e2a9975862cf66f3003

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340285167.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\443079551.exe

MD5 8f2e26cebe30b07cfbb72bd2cebb88fd
SHA1 8207879049935fd6f23035382da8fbbb5d251411
SHA256 8cffa7c2e843121dfda37435fcefd7027771018b76ebc67b351ea1b55a5a5328
SHA512 85bd1f882186c6d8d382c427a5b547d7cd9cf77d7b03307fc7782185e52e6c5f04e68220ea7dd5b51317c0b07f2ac3fd9e9e1d609228720841ce38e1d1cb3252
