Malware Analysis Report

2025-08-11 07:52

Sample ID 241111-gndyysxpbr
Target 9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63
SHA256 9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63

Threat Level: Known bad

The file 9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer family

Amadey

Amadey family

Healer

Detects Healer an antivirus disabler dropper

RedLine

Redline family

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:56

Reported

2024-11-11 05:59

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402340599.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402340599.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe
PID 2960 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe
PID 2960 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe
PID 2436 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe
PID 2436 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe
PID 2436 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe
PID 4832 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe
PID 4832 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe
PID 4832 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe
PID 4740 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe
PID 4740 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe
PID 4740 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe
PID 4740 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe
PID 4740 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe
PID 4740 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe
PID 4832 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe
PID 4832 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe
PID 4832 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe
PID 4572 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4572 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4572 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2436 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402340599.exe
PID 2436 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402340599.exe
PID 2436 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402340599.exe
PID 3512 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3512 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3512 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3512 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4852 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63.exe

"C:\Users\Admin\AppData\Local\Temp\9c17d097bd37612d6846ee1ca9515683b2058872e6fee6b3c2079b0772022e63.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4076 -ip 4076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402340599.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402340599.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ni709248.exe

MD5 537b211c91532a6edffdf4beefbe7f6f
SHA1 fbb71e220f4782aa3e73da586c8683612fb75870
SHA256 87a1db85dfa8656a23a7a790dcc7e16abff25823e03ca87b11fe8f137bf00f9d
SHA512 01944c8bd6bad807a7f683d3ee531a7a969fa18dfa488f981147eef447d01382d13adcc0f578bd265d79b3a5aa8c9916a4fa7c29b8047ffa0b5e7db268cadc9d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu069292.exe

MD5 c3fc7b343280e3b9bda8f7a1d5bbe623
SHA1 d649b8cb3064b6ba34a387ac41e02fea407c0b49
SHA256 2a331f139aed50d56cf690653431cf7a4b546e4bed09135c43934a03b54ec2a7
SHA512 e255a5d5b39d9ac6b6d618ceb3d625ad099db4bdc9709a230a4c498198e5babbf2de1da49a5609876ac979fd9cf4675738c028e48c3fd222df55baf0487872d7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oB356522.exe

MD5 d604565d90f0cdca904388a977239605
SHA1 add2a009266082b058f335e7883da1ec6307b525
SHA256 7b4fc8e65fd578f978a3fb452cf9ab85de7f3589ff23c1f7a07ff12e1c27b5d6
SHA512 e68f95f355c1c3687aaebb8f2b8ae7a2840c24886c154dad9d30b7735f0f299911ac3d1caea74fb09323acaec5dd34c8b563f09cfa35d61648857c4456c61be2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\147819860.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/2588-28-0x0000000000860000-0x000000000087A000-memory.dmp

memory/2588-29-0x0000000004990000-0x0000000004F34000-memory.dmp

memory/2588-30-0x0000000004910000-0x0000000004928000-memory.dmp

memory/2588-31-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-58-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-56-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-54-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-52-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-50-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-48-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-46-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-45-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-42-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-40-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-38-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-36-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-34-0x0000000004910000-0x0000000004923000-memory.dmp

memory/2588-32-0x0000000004910000-0x0000000004923000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\251385678.exe

MD5 18dd6c110ce37571d65095b79be04d38
SHA1 e31c441feedbd5809b1f1166f5f7366dab87e2d6
SHA256 4e1fbf50f79aaabe476b980dc51b9294c0d01f7a5f5d9cca575ce5ca16064262
SHA512 08ad29daede96cd3a5785c0cd2aadf1423b82cac32847111509d7998100fee2447b762c4aa80f97c2523cd56ab081039250f8d94a021cd5753b8829c0f3cbea9

memory/4076-92-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4076-94-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358993230.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402340599.exe

MD5 3dd199a3ad8a49ee58eb2318f408f177
SHA1 94240fc948119acecf67ea1cd39628870e58b65d
SHA256 f25ad748658ff7aeb1cef54ba4fe1b660eab68b77da708ee80484006bfc0f38f
SHA512 38a18c3764ac48cbdb52b109f6cf1eb143e719d3523a201b4d22537f9c74e53a52cc769d2744d57172541a992ecd0dee42bef1bddb882cc15a0c69ebac860387

memory/4236-112-0x00000000023A0000-0x00000000023DC000-memory.dmp

memory/4236-113-0x0000000002600000-0x000000000263A000-memory.dmp

memory/4236-117-0x0000000002600000-0x0000000002635000-memory.dmp

memory/4236-119-0x0000000002600000-0x0000000002635000-memory.dmp

memory/4236-115-0x0000000002600000-0x0000000002635000-memory.dmp

memory/4236-114-0x0000000002600000-0x0000000002635000-memory.dmp

memory/4236-906-0x0000000007560000-0x0000000007B78000-memory.dmp

memory/4236-907-0x0000000007BF0000-0x0000000007C02000-memory.dmp

memory/4236-908-0x0000000007C10000-0x0000000007D1A000-memory.dmp

memory/4236-909-0x0000000007D30000-0x0000000007D6C000-memory.dmp

memory/4236-910-0x0000000002570000-0x00000000025BC000-memory.dmp