Malware Analysis Report

2025-08-10 14:35

Sample ID 241111-gqxh3sthnn
Target d4207886d86a88ce0de12059eb8d902e4d883800d292e06692159cfc656b1261N
SHA256 d4207886d86a88ce0de12059eb8d902e4d883800d292e06692159cfc656b1261
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d4207886d86a88ce0de12059eb8d902e4d883800d292e06692159cfc656b1261

Threat Level: Known bad

The file d4207886d86a88ce0de12059eb8d902e4d883800d292e06692159cfc656b1261N was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Healer family

Amadey

Redline family

Healer

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Amadey family

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:01

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:01

Reported

2024-11-11 06:03

Platform

win10v2004-20241007-en

Max time kernel

114s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4207886d86a88ce0de12059eb8d902e4d883800d292e06692159cfc656b1261N.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399405203.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d4207886d86a88ce0de12059eb8d902e4d883800d292e06692159cfc656b1261N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TE431034.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq632512.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ni821398.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TE431034.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399405203.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\469968309.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ni821398.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq632512.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d4207886d86a88ce0de12059eb8d902e4d883800d292e06692159cfc656b1261N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\469968309.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399405203.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3572 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\d4207886d86a88ce0de12059eb8d902e4d883800d292e06692159cfc656b1261N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TE431034.exe
PID 980 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TE431034.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq632512.exe
PID 372 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq632512.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ni821398.exe
PID 2044 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ni821398.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe
PID 2044 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ni821398.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe
PID 372 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq632512.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399405203.exe
PID 3348 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399405203.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 980 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TE431034.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\469968309.exe
PID 652 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 652 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4408 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4408 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4408 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d4207886d86a88ce0de12059eb8d902e4d883800d292e06692159cfc656b1261N.exe

"C:\Users\Admin\AppData\Local\Temp\d4207886d86a88ce0de12059eb8d902e4d883800d292e06692159cfc656b1261N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TE431034.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TE431034.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq632512.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq632512.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ni821398.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ni821398.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1908 -ip 1908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399405203.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399405203.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\469968309.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\469968309.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TE431034.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dq632512.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ni821398.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123707762.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\284277546.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399405203.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\469968309.exe
