Malware Analysis Report

2025-04-03 14:20

Sample ID 241110-djnqtayapr
Target 1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5
SHA256 1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5
Tags: amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5

Threat Level: Known bad

The file 1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

Redline family

RedLine

Detects Healer an antivirus disabler dropper

Amadey family

RedLine payload

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 03:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 03:02

Reported: 2024-11-10 03:05

Platform: win10v2004-20241007-en

Max time kernel: 150s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\456450865.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\456450865.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 440 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe
PID 440 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe
PID 440 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe
PID 3512 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe
PID 3512 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe
PID 3512 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe
PID 1520 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe
PID 1520 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe
PID 1520 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe
PID 3740 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe
PID 3740 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe
PID 3740 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe
PID 3740 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe
PID 3740 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe
PID 3740 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe
PID 1520 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe
PID 1520 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe
PID 1520 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe
PID 5056 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5056 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5056 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3512 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\456450865.exe
PID 3512 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\456450865.exe
PID 3512 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\456450865.exe
PID 3212 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 4380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 4380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 4380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2388 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5.exe

"C:\Users\Admin\AppData\Local\Temp\1810602d099efd49fdd2f01f2a204130549abf86c9373211a064fc820746bbf5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\456450865.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\456450865.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
RU 193.3.19.154:80 N/A tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.143:38452 N/A tcp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eC763345.exe

MD5 9658d825578bee83529db3e7d7375fc2
SHA1 c545cfe83f281bd2e2a105cb93ca142722d51424
SHA256 cc15c9ffc1092c704699e0dd9fad2194e8f1619b0f53b0766867e378134afb36
SHA512 1e0a64b58429dc00ca553012caf4e2bae04488d470fcf13e625319852e2fc265065488ca65f281f92c571dd225de593463cdf4a1b6daac4f0ee8e631aa6acec6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ym887402.exe

MD5 621b93de781dfc5ffd19379456c5c610
SHA1 54cbbf440545f61225052839d5084430b275c9d0
SHA256 217f14033c0155ffde5eaed2564d5814413232a05502417d07e8794e45d23ac3
SHA512 0333429a286fa41cbc3bfbd4e5eaed2bc9effe7c1fde525387036e71bae34342cc0bafec23dba9211285d28883f54af7f893a11ec4047a5d6cefbc4330458bce

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ589288.exe

MD5 5b8c92aae38a3a13bacc38a52192a43d
SHA1 36d9c3f298d3450982c21f84f407fb5e53bb04f2
SHA256 896fe1e54aeae17f804fc1006f8ae92f12af4e7bdcdb9d95b39683465d847cff
SHA512 dc6b149bde264ccde5746ec7026dbe0ec35809ec5b2b6ba60772bfc9af2ee7f52ba05b094338426bb0db4eeeebcc63acca429a3f3685f8a5dd7a6498d44733d1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\139024041.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

memory/532-28-0x0000000002300000-0x000000000231A000-memory.dmp

memory/532-29-0x0000000004A20000-0x0000000004FC4000-memory.dmp

memory/532-30-0x0000000004980000-0x0000000004998000-memory.dmp

memory/532-58-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-56-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-54-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-52-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-50-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-49-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-46-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-44-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-42-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-40-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-38-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-36-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-34-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-32-0x0000000004980000-0x0000000004993000-memory.dmp

memory/532-31-0x0000000004980000-0x0000000004993000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\225771995.exe

MD5 0d437e30918658231e556ad3073b8241
SHA1 95173f41e288e2075996ff0550b3f75c3d9c8168
SHA256 ccbc034f98c0bef85a744fb70414f1b1b5e3801de9c8cfe33ff1fbbd53e389fc
SHA512 21d4be8bc5c6710dea02c8094e0983cca9a48aacd25d37854455edd48af20c94146b91743b7b0af4c4f55abda36b78602af163ddfacefc94b2ea20faf68f524e

memory/3592-92-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306432944.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

memory/3592-94-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\456450865.exe

MD5 a060009ae37328685da8b75df4634b34
SHA1 95eb70b73724f8d65a2b43381d1b31b2d60292c2
SHA256 18889fddac78827f6a02a866ce0e642929f992d8e9b981f1a05a6b5a008a9acd
SHA512 3a32e8b58397c86a7fbe36270786764ec2898c6f55eb76544dc10bd15a9031e31c6a7a781313110dbd623950d0daf924a734456122fbb29a5e1e21a5cb094143

memory/1244-112-0x0000000004AC0000-0x0000000004AFC000-memory.dmp

memory/1244-113-0x00000000077B0000-0x00000000077EA000-memory.dmp

memory/1244-117-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1244-119-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1244-115-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1244-114-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1244-906-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

memory/1244-907-0x000000000A330000-0x000000000A342000-memory.dmp

memory/1244-908-0x000000000A350000-0x000000000A45A000-memory.dmp

memory/1244-909-0x000000000A470000-0x000000000A4AC000-memory.dmp

memory/1244-911-0x00000000049C0000-0x0000000004A0C000-memory.dmp