Malware Analysis Report

2025-04-03 14:21

Sample ID 241110-de9sgsybmd
Target a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712
SHA256 a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712

Threat Level: Known bad

The file a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Amadey family

RedLine payload

Healer family

Healer

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

Amadey

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:56

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:56

Reported

2024-11-10 02:59

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3076 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe
PID 3076 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe
PID 3076 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe
PID 4252 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe
PID 4252 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe
PID 4252 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe
PID 3036 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe
PID 3036 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe
PID 3036 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe
PID 3100 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe
PID 3100 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe
PID 3100 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe
PID 3100 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe
PID 3100 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe
PID 3100 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe
PID 3036 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe
PID 3036 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe
PID 3036 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe
PID 3948 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3948 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3948 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4252 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe
PID 4252 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe
PID 4252 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe
PID 4852 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4852 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4852 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4852 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 5960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 5960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1208 wrote to memory of 5960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe

"C:\Users\Admin\AppData\Local\Temp\a4ee47d67806fed8ba868f9359ed7b6168d7d4494068c539c20d7ec09704b712.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi705263.exe

MD5 611e8951df4e9e37c95d726b8f8564da
SHA1 85e70c7474fd68f5f4e3818a5fc135548aa20752
SHA256 4de4a6e11c0ec208d40221f2f965119766272d0a419b391e7fc32823fb5730a6
SHA512 46c5f10abfa94a43cd25ca81527e45a3d228c04f87ba8a2c4d52a357f9038bc04c4ccc48f42788046dd5c87b24210a0428ca9054cd679565b3255c6a7d2ed226

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QA767361.exe

MD5 552d980f8a030b3f730c6d670d840482
SHA1 a827ec9d289e1d436e31383b1326d5c01092486d
SHA256 549359e402e56bf0327f60630f82d453862b4b47301c6a7e0b52fe0e70c379f2
SHA512 62b867105b74e4bf979e015da998a732a4f827767b2b1c5947d515c164798ea2cd4ecd66facadf614d18fd81fbacc7ae6c6a978079d234d2f46bc4f5ed617098

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jM276425.exe

MD5 3125a292f523186fa323160973d737a8
SHA1 5e50c46532de6f7a11483e72e9716b4d6f9ae1db
SHA256 6e6314e4e31c91b43810d82bf1bb3d4cbfddb807e4133609bfcc2b0336d6aa92
SHA512 be081d909c8549947a1c458f9b9e27781adcb37bef9cd83112391bf4beddd8bd70860499e6233d35813a2f35dd011adc9d777aa3033ad36e8d032f1ea6e0dbbc

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124254912.exe

MD5 3ca926f984d0345bb4e8f5da60b5ce60
SHA1 01002765e2a05ef53d17161ab33eff9c3acb6811
SHA256 661c0ca77d12801bb38ffe2c1176fcbedb5e27d48cddd497cff3d686ef957050
SHA512 c763ed6883b586886a536fd68ccff3a56264648fe452a2902a1c5e763c8bd229a1234a3bf0947b371bfe798ce8c2e7e9f9d1ce60934c4d772b6d21881ab5e9ec

memory/4912-28-0x0000000002390000-0x00000000023AA000-memory.dmp

memory/4912-29-0x0000000004A70000-0x0000000005014000-memory.dmp

memory/4912-30-0x00000000023B0000-0x00000000023C8000-memory.dmp

memory/4912-32-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-58-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-56-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-54-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-52-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-50-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-48-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-46-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-44-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-42-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-40-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-38-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-36-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-34-0x00000000023B0000-0x00000000023C3000-memory.dmp

memory/4912-31-0x00000000023B0000-0x00000000023C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\201924211.exe

MD5 4ed6a0366c72512d62a7ad5d247f197d
SHA1 6625d1d0acb5aa13a7308d6e7b513701013c85ba
SHA256 0db0cc094af86f920a75399910a8f1f0eaa0160f85d2dd28e828b7f394225810
SHA512 aadca7b2b848d30b927a441661d45bc3ff4a2ecf0893be2dea726edcda247c164d07014e4760298d56b8c5663b0812ac08d3dc85f898fdb3e5482bb0150b68ba

memory/4348-64-0x0000000002520000-0x000000000253A000-memory.dmp

memory/4348-65-0x0000000002750000-0x0000000002768000-memory.dmp

memory/4348-66-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-73-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-91-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-89-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-87-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-85-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-83-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-81-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-79-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-77-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-75-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-71-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-93-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-69-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-67-0x0000000002750000-0x0000000002762000-memory.dmp

memory/4348-95-0x0000000000400000-0x0000000000803000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\377868088.exe

MD5 e75a91e7755850f71b6953b84a7012d3
SHA1 ef7e204760db4dd3aca0eb4cde71852e06a3b1fb
SHA256 a418fecad082441529e41a846c18e0008f4a8296f9032bac69a323016141ca46
SHA512 10a2467c1868116993583215c9a76dceced8693597155615cc5fce76cc0d746a74daccca5be0a0dfad0e7687938b07b77dfb699dcb59cc79f36d66b50556bae7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448479176.exe

MD5 316c81a0df44146be1b882ce0ef2559f
SHA1 ccca202e11580b3fdee5639fc010922de89e42e0
SHA256 7820877d631bbe05bd858033b085ea2568f0616eb192ab871003f7745b1cc436
SHA512 b0fd3719e0e90798c894988c08078a9988dcaaae1df50bcf9236f2626e98ec0f21bae8564b28c09504a74689d9ea92d55f86c7f69563e5dec83a9356c6ff677c

memory/4024-114-0x0000000002710000-0x000000000274C000-memory.dmp

memory/4024-115-0x0000000004E20000-0x0000000004E5A000-memory.dmp

memory/4024-116-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/4024-117-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/4024-119-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/4024-121-0x0000000004E20000-0x0000000004E55000-memory.dmp

memory/4024-908-0x0000000007F20000-0x0000000008538000-memory.dmp

memory/4024-909-0x0000000007980000-0x0000000007992000-memory.dmp

memory/4024-910-0x00000000079A0000-0x0000000007AAA000-memory.dmp

memory/4024-911-0x0000000007AC0000-0x0000000007AFC000-memory.dmp

memory/4024-912-0x00000000048D0000-0x000000000491C000-memory.dmp