Malware Analysis Report

2025-04-03 14:20

Sample ID 241110-dlgehsxpcy
Target 97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e
SHA256 97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e

Threat Level: Known bad

The file 97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Redline family

Detects Healer an antivirus disabler dropper

Amadey family

Healer family

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:05

Reported

2024-11-10 03:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430764933.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430764933.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 920 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe
PID 920 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe
PID 920 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe
PID 3060 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe
PID 3060 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe
PID 3060 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe
PID 3308 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe
PID 3308 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe
PID 3308 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe
PID 4200 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe
PID 4200 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe
PID 4200 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe
PID 4200 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe
PID 4200 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe
PID 4200 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe
PID 3308 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe
PID 3308 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe
PID 3308 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe
PID 4328 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4328 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4328 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3060 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430764933.exe
PID 3060 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430764933.exe
PID 3060 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430764933.exe
PID 2588 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 3532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 3532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 3532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 4828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 4808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 4808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 4584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 116 wrote to memory of 4348 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e.exe

"C:\Users\Admin\AppData\Local\Temp\97f14ee7e1a48a81d2faba8e152a96374986b5f8dd638a05cb192eef4f4e539e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1772 -ip 1772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430764933.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430764933.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP936080.exe

MD5 6aeef611a38819f02a151ca5d1d9e4be
SHA1 1487403ccc4e2e32a05adc4cb6ddb0fd844a7697
SHA256 58f450820c9c4e653b8c4c538b0f283a650eb0b7359e269818968af55460179b
SHA512 20204a0dc55f9fce2408109884a769e27b72fdc915778965a4bc9d1c98be09dcd46d4ebfb4f4221748b4638b50362a14016059356856f16f5c5c585d8e77bd47

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SW299282.exe

MD5 483929a1ef5f8c706e578c6171c4a115
SHA1 24dad03ed64177596659255746104dd0baeb42b1
SHA256 9452702544c73bdc0a4d5e1563e0649fd24e5cf7012eef0c5197b0a5444bfe99
SHA512 6056cc1f75eb6b7bd59ffc265717d4e1c9222eee21f9ebc2be4cb991f81fadeb8f23875545ba64c875a3588481e51cbce6e0513a58d1255a6f81b5ee7ac1306f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GE459970.exe

MD5 52e581c3b61095555ef49feee086b9d6
SHA1 4a20b871172bcb3673e6935d7374f922c5dcd3b5
SHA256 d628b923d216323f173a6372283387bc057fa196677f252e3e738a44df758c4d
SHA512 4f29de55f76980777182e91e85a64bdfe0b9ff13df4263a36ba12164c13da6c183dc9b5f4a3c0b31905d88d4935d475c6d72b2d75700e310f171c5e7649bea26

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123322240.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/3116-28-0x00000000023B0000-0x00000000023CA000-memory.dmp

memory/3116-29-0x00000000049C0000-0x0000000004F64000-memory.dmp

memory/3116-30-0x0000000002410000-0x0000000002428000-memory.dmp

memory/3116-32-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-57-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-58-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-54-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-52-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-51-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-48-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-46-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-44-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-42-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-40-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-38-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-36-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-34-0x0000000002410000-0x0000000002423000-memory.dmp

memory/3116-31-0x0000000002410000-0x0000000002423000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\248345410.exe

MD5 9aef30a232f96d5574e3198fc5c4a92f
SHA1 1edcd59566736cf90f879a121ee8e18432b7e512
SHA256 0bccddf54970fb7541c3a53da71b3d8245669e7595e213206dba448625571f68
SHA512 fbbc510f46f20de603b0d0e6de5f818f757ae84429d82a58b3b9fc1f69fca4aa0e90df535d09c1bae3c550eceb95cadab1ce5b6219cde699b6cc050dc2f1fdf4

memory/1772-93-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\329242243.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430764933.exe

MD5 986c8a2bd1a33b9449c3233e59904360
SHA1 21f6fd03c4324db471297af55d675a1ea526e4f7
SHA256 ee67bea50795ac79e7aeee3825301f3909f1d3f2c042272f3d173563f99cf945
SHA512 c1b193d594a5f3f9a9154f83ed3dd0b850785ee1b467b0d98553f75cc293a375d6294bf8acdf0dd63813c56ab769f5b7f54188ba27e7e0bfa8e04726ce68eeff

memory/3236-112-0x00000000022F0000-0x000000000232C000-memory.dmp

memory/3236-113-0x00000000023C0000-0x00000000023FA000-memory.dmp

memory/3236-119-0x00000000023C0000-0x00000000023F5000-memory.dmp

memory/3236-117-0x00000000023C0000-0x00000000023F5000-memory.dmp

memory/3236-115-0x00000000023C0000-0x00000000023F5000-memory.dmp

memory/3236-114-0x00000000023C0000-0x00000000023F5000-memory.dmp

memory/3236-906-0x00000000077D0000-0x0000000007DE8000-memory.dmp

memory/3236-907-0x0000000002730000-0x0000000002742000-memory.dmp

memory/3236-908-0x0000000007DF0000-0x0000000007EFA000-memory.dmp

memory/3236-909-0x0000000002760000-0x000000000279C000-memory.dmp

memory/3236-910-0x0000000002200000-0x000000000224C000-memory.dmp