Malware Analysis Report

2025-08-05 11:06

Sample ID 241111-hnnntsvhnc
Target 0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0
SHA256 0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0

Threat Level: Known bad

The file 0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Redline family

RedLine payload

Healer family

Amadey family

Healer

Detects Healer, an antivirus-disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Amadey

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:53

Reported

2024-11-11 06:55

Platform

win7-20240903-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(34 payload matches recorded; the export carries no indicator, process or target column for them)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
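The two tables above (Real-time Protection policy writes and the TamperProtection write, both by az975613.exe) are what makes this stage Healer rather than a generic dropper. The script below is an added example written for this report, not Triage output and not Healer's code: it parses registry rows in the shape the report exports them, attributes each write to the process that made it, and returns a verdict per process. The SAMPLE_EVENTS rows are transcribed from behavioral1; the names RTP_KILL_SWITCHES, assess and verdict are this example's own. Note the caveat a responder needs: the sandbox logs that the write happened, not that Defender honoured it. On a host where Tamper Protection is on, the same writes are blocked or ignored, so treat them as intent; confirm the live state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) and by checking whether HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection exists at all, since an unmanaged host has no such policy key.

```python
"""Attribute Windows Defender policy tampering to the process that did it.

Added example for this report (not Triage output or Healer's code): it
parses 'Set value' / 'Key created' rows in the shape the report exports
them and scores each writing process. The rows in SAMPLE_EVENTS are
transcribed from the behavioral1 tables above.
"""
import re
from collections import defaultdict

RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Policy values that each switch off one real-time component when set to 1.
RTP_KILL_SWITCHES = frozenset({
    "DisableRealtimeMonitoring",     # the real-time engine itself
    "DisableBehaviorMonitoring",     # behaviour-based detections
    "DisableOnAccessProtection",     # scan on file open / execute
    "DisableIOAVProtection",         # scan of downloads and attachments
    "DisableScanOnRealtimeEnable",   # catch-up scan when RTP is re-enabled
})

# Row shapes as exported: an operation, the registry path, for 'Set value'
# a '<name> = "<data>"' pair, then the writing process and a target column.
_SET_RE = re.compile(
    r'^Set value \((?:int|str)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+?)'
    r' = "(?P<data>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$'
)
_CREATE_RE = re.compile(r"^Key created (?P<key>\\REGISTRY\\.+?) (?P<proc>\S+) (?P<target>\S+)$")


def parse_event(line):
    """Return a dict for a Set value / Key created row, None for anything else."""
    m = _SET_RE.match(line.strip())
    if m:
        return {"op": "set", **m.groupdict()}
    m = _CREATE_RE.match(line.strip())
    if m:
        return {"op": "create", "name": None, "data": None, **m.groupdict()}
    return None


def assess(lines):
    """Group Defender-relevant registry writes by the process path that made them."""
    per_proc = defaultdict(lambda: {
        "policy_key_created": False,
        "rtp_disabled": set(),
        "tamper_protection_off": False,
    })
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        f = per_proc[ev["proc"]]
        if ev["op"] == "create" and ev["key"] == RTP_KEY:
            # The Real-Time Protection policy key does not exist on an
            # unmanaged host; a user-land process creating it is itself a signal.
            f["policy_key_created"] = True
        elif ev["key"] == RTP_KEY and ev["name"] in RTP_KILL_SWITCHES and ev["data"] == "1":
            f["rtp_disabled"].add(ev["name"])
        elif ev["key"] == FEATURES_KEY and ev["name"] == "TamperProtection" and ev["data"] == "0":
            # Only the explicit "0" write is interpreted; other values are not decoded here.
            f["tamper_protection_off"] = True
    return dict(per_proc)


def verdict(finding):
    """Collapse one process's findings into a label."""
    if finding["tamper_protection_off"] and len(finding["rtp_disabled"]) >= 3:
        return "av-disabler"          # Healer-style: tamper protection plus RTP switched off
    if finding["rtp_disabled"] or finding["policy_key_created"]:
        return "defender-policy-tamper"
    return "none"


HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe"
SAMPLE_EVENTS = [
    rf'Set value (int) {RTP_KEY}\DisableIOAVProtection = "1" {HEALER} N/A',
    rf'Set value (int) {RTP_KEY}\DisableOnAccessProtection = "1" {HEALER} N/A',
    rf'Set value (int) {RTP_KEY}\DisableRealtimeMonitoring = "1" {HEALER} N/A',
    rf'Set value (int) {RTP_KEY}\DisableScanOnRealtimeEnable = "1" {HEALER} N/A',
    rf'Key created {RTP_KEY} {HEALER} N/A',
    rf'Set value (int) {RTP_KEY}\DisableBehaviorMonitoring = "1" {HEALER} N/A',
    rf'Key created {FEATURES_KEY} {HEALER} N/A',
    rf'Set value (int) {FEATURES_KEY}\TamperProtection = "0" {HEALER} N/A',
    # A discovery row from the same report; parse_event() ignores it.
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A",
]

if __name__ == "__main__":
    for proc, f in assess(SAMPLE_EVENTS).items():
        print(proc, verdict(f), sorted(f["rtp_disabled"]))
```

Run against the report's rows this yields one process, az975613.exe, with all five real-time switches set and TamperProtection zeroed, i.e. "av-disabler"; feeding it the behavioral2 rows gives the same result because the set of values written is identical there.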

Adds Run key to start application

persistence

Note: the four wextract_cleanup<n> RunOnce entries below are written by the Windows IExpress self-extractor (wextract) that each layer of this sample is packed with. They run rundll32 advpack.dll,DelNodeRunDLL32 once at next logon to delete the IXP00n.TMP extraction folders; they are cleanup, not a launch of the payload. The persistence that survives a reboot is the scheduled task oneetx.exe created later in this run (see Scheduled Task/Job and the schtasks command line under Processes).
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 2732 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe
PID 2732 wrote to memory of 3048 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe
PID 3048 wrote to memory of 2756 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe
PID 2756 wrote to memory of 2608 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe
PID 2756 wrote to memory of 1344 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe
PID 1344 wrote to memory of 2916 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3048 wrote to memory of 2504 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe
PID 2916 wrote to memory of 2536 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 1228 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 2572 (1 event) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Every row above is a parent writing into a child it has just started, which the Windows loader does for any new process. Read the table as the detonation's process tree (sample > ki334387 > ki099472 > ki127879 > az975613 and bu200681 > oneetx > schtasks and cmd; ki099472 also starts cf107942) rather than as evidence of code injection into a foreign process.
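The WriteProcessMemory rows are the only place this export records which process started which, so they are worth turning into a tree. The script below is an added example written for this report, not Triage output: it parses rows in the exported shape, counts duplicate parent/child pairs instead of keeping them, and rebuilds the chain so that any PID can be traced back to the submitted sample. SAMPLE_ROWS holds the ten distinct pairs from behavioral1 (the first pair repeated three times to show the counting); parse_rows, ancestry and render are this example's own names.

```python
"""Rebuild the detonation's process tree from 'wrote to memory of' rows.

Added example for this report (not Triage output): the WriteProcessMemory
table is a parent->child log in disguise, because Windows writes into a
freshly created child's address space during process start-up. SAMPLE_ROWS
holds the ten distinct parent/child pairs from behavioral1 above; the
first pair is repeated so the duplicate counting is visible.
"""
import re
from collections import defaultdict

_ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return ({(parent_pid, child_pid): write_count}, {pid: image_path})."""
    edges, images = defaultdict(int), {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        edges[(ppid, cpid)] += 1
        images.setdefault(ppid, m[3])
        images.setdefault(cpid, m[4])
    return dict(edges), images


def children_of(edges):
    """Parent pid -> child pids, in first-seen order."""
    kids = defaultdict(list)
    for ppid, cpid in edges:
        kids[ppid].append(cpid)
    return dict(kids)


def roots(edges):
    """Pids that wrote into others but were never written into (the submitted sample)."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def ancestry(edges, pid):
    """Chain of pids from the root down to pid, inclusive."""
    parent = {c: p for p, c in edges}
    chain = [pid]
    # Stop on a repeat so a reused PID cannot loop the walk forever.
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def render(edges, images, root):
    """Indented tree text, one process per line with the write count from its parent."""
    kids, out = children_of(edges), []

    def walk(pid, depth, count):
        tag = f" (written {count}x by parent)" if count else ""
        out.append(f"{'  ' * depth}{pid} {_basename(images.get(pid, '?'))}{tag}")
        for cpid in kids.get(pid, []):
            walk(cpid, depth + 1, edges[(pid, cpid)])

    walk(root, 0, 0)
    return "\n".join(out)


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_ROWS = "\n".join([
    rf"PID 2848 wrote to memory of 2732 N/A {T}\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe {T}\IXP000.TMP\ki334387.exe",
    rf"PID 2848 wrote to memory of 2732 N/A {T}\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe {T}\IXP000.TMP\ki334387.exe",
    rf"PID 2848 wrote to memory of 2732 N/A {T}\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe {T}\IXP000.TMP\ki334387.exe",
    rf"PID 2732 wrote to memory of 3048 N/A {T}\IXP000.TMP\ki334387.exe {T}\IXP001.TMP\ki099472.exe",
    rf"PID 3048 wrote to memory of 2756 N/A {T}\IXP001.TMP\ki099472.exe {T}\IXP002.TMP\ki127879.exe",
    rf"PID 2756 wrote to memory of 2608 N/A {T}\IXP002.TMP\ki127879.exe {T}\IXP003.TMP\az975613.exe",
    rf"PID 2756 wrote to memory of 1344 N/A {T}\IXP002.TMP\ki127879.exe {T}\IXP003.TMP\bu200681.exe",
    rf"PID 1344 wrote to memory of 2916 N/A {T}\IXP003.TMP\bu200681.exe {T}\cb7ae701b3\oneetx.exe",
    rf"PID 3048 wrote to memory of 2504 N/A {T}\IXP001.TMP\ki099472.exe {T}\IXP002.TMP\cf107942.exe",
    rf"PID 2916 wrote to memory of 2536 N/A {T}\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe",
    rf"PID 2916 wrote to memory of 1228 N/A {T}\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 1228 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe",
])

EDGES, IMAGES = parse_rows(SAMPLE_ROWS)

if __name__ == "__main__":
    for r in roots(EDGES):
        print(render(EDGES, IMAGES, r))
```

The rendered tree has eleven processes under a single root (PID 2848, the submitted sample), and ancestry() on the schtasks PID returns the full six-hop chain through the four wextract layers, bu200681.exe and oneetx.exe; that chain is the one to look for in endpoint telemetry, since the nested IXP00n.TMP paths and the Temp\<8 hex>\oneetx.exe drop are more stable than the per-sample file names.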

Processes

C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe

"C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {604B9B53-3A9D-489E-9E9A-98BD4C82E82C} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
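The schtasks and CACLS command lines above are the two post-install steps worth detecting on their own: a task that re-launches oneetx.exe from %TEMP% every minute (the taskeng.exe line and the repeated oneetx.exe launches below it show it firing), and a CACLS chain that leaves the sandbox user with read-only access to the dropped file and its folder so that a casual delete fails. The script below is an added example written for this report, not Triage output and not Amadey's code: it parses those command lines as exported, describes the task, and computes the permission the named user ends up with after the whole CACLS chain. The user name "Admin" is taken from the paths in this report; USER_WRITABLE, schtasks_persistence and self_lockdown are this example's own names.

```python
"""Flag a per-minute scheduled task pointing into a user-writable directory
and a CACLS chain that locks the current user out of the dropped files.

Added example for this report (not Triage output or Amadey code). The
command lines below are transcribed from the Processes list above; the
user name 'Admin' is the sandbox account seen in those paths.
"""
import re

# Directories a standard user can write to; a task /TR pointing here is
# persistence for something that never went through an installer.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

_QUOTED_OR_BARE = r'(?:"([^"]+)"|(\S+))'


def _opt(cmd, switch):
    """Value of a schtasks switch, quoted or bare, or None if absent."""
    m = re.search(rf"/{switch}\s+{_QUOTED_OR_BARE}", cmd, re.I)
    return (m[1] or m[2]) if m else None


def schtasks_persistence(cmd):
    """Describe a schtasks /Create, or return None for any other command line."""
    if not re.search(r"\bschtasks(?:\.exe)?\b", cmd, re.I) or not re.search(r"/create\b", cmd, re.I):
        return None
    target = _opt(cmd, "TR")
    if not target:
        return None
    sched, modifier = _opt(cmd, "SC"), _opt(cmd, "MO")
    # /SC MINUTE /MO n means "every n minutes"; other schedules are reported as None.
    every_minutes = int(modifier or 1) if (sched or "").upper() == "MINUTE" else None
    return {
        "task": _opt(cmd, "TN"),
        "target": target,
        "every_minutes": every_minutes,
        "user_writable": any(d in target.lower() for d in USER_WRITABLE),
    }


_CACLS_RE = re.compile(r'\bCACLS\s+"([^"]+)"\s+/P\s+"([^":]+):([A-Z]+)"(\s+/E)?', re.I)


def user_effective_acl(cmd, user):
    """Permission letter `user` ends up with on each target after the CACLS chain.

    /P <user>:<perm> replaces that user's entry. Without /E the whole ACL is
    replaced, with /E only that user's entry, so for the named user the last
    /P wins either way; other principals are not tracked here.
    """
    perms = {}
    for target, who, perm, _edit in _CACLS_RE.findall(cmd):
        if who.lower() == user.lower():
            perms[target] = perm.upper()
    return perms


def self_lockdown(cmd, user):
    """Targets the chain leaves the user unable to modify or delete (N or R)."""
    return sorted(t for t, p in user_effective_acl(cmd, user).items() if p in ("N", "R"))


SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F')
CMD_K_LINE = (r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"'
              r'&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"'
              r'&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit')

if __name__ == "__main__":
    print(schtasks_persistence(SCHTASKS_CMD))
    print(self_lockdown(CMD_K_LINE, "Admin"))
```

For cleanup this ordering matters: the task has to go first (schtasks /Delete /TN oneetx.exe /F), otherwise oneetx.exe is restarted within a minute of being killed, and the ACL on cb7ae701b3 and the file must be restored from an elevated prompt (icacls <path> /reset) before the folder can be removed, because the user's own "Admin:R" entry is what blocks the delete.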

Network

Country Destination Domain Proto Connections
RU 193.3.19.154:80 - tcp 6
RU 185.161.248.142:38452 - tcp 7

Both endpoints were contacted by IP address; the export records no DNS name and no originating process for either connection, so the two destinations cannot be assigned to Amadey or RedLine from this page alone.

Files

memory/2848-0-0x0000000004550000-0x0000000004653000-memory.dmp

memory/2848-1-0x0000000004550000-0x0000000004653000-memory.dmp

memory/2848-2-0x0000000004700000-0x000000000480C000-memory.dmp

memory/2848-3-0x0000000000400000-0x0000000000510000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe

MD5 f4d5446b7526a88d296ff84e4bfa576e
SHA1 32adb32e235180b3b5c6af08258814db484a9ca6
SHA256 e5ebec2cbd517d24bce4c8ab411b51551ec1700cbc253db0acc9512d4f2fbaf1
SHA512 832ee4d62e735c16c447a00665eca7eac12cad02ebb0875fbbbc5a349bfc4fcebcbea69a2235f63311f688c1d5810b688d4e1fe425b1fbf69fd7c71a1bc6cc1d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe

MD5 f97e5dc74a30ee94dcd9308c9a15d629
SHA1 aa6f4d56ef656fe46759455cd31c621c449c290c
SHA256 e35c7c46ffdb9c2c6fadaa6efa1023d434207e8001a6a6b1868904df955eb3e8
SHA512 4ed2494373693007585ff62aded6e5d08b1b081b37452d031dff4ef0fd9a8c3f4b0a45b0454c0d1519057596b50b05b51c8de901ae2cbe088ee286439da1ca85

\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe

MD5 14959501f275d4d39bb38ad94bc50210
SHA1 4203952ae7f7090a696ccb225a7b23d511887a6e
SHA256 7c81324faf9ef8d1dd51c2041f137a0f957f1a517f8a6b1864cac31839091252
SHA512 8cd9fc7e75a4c90806fc060c13c1cb844d0238f0a5ad2d73374aabde7a5dc2d97be8bc065eddb9254fefd59f963eb94617dd8e740cd74a013df945cc173b3ef3

\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2608-42-0x0000000000820000-0x000000000082A000-memory.dmp

memory/2848-43-0x0000000004550000-0x0000000004653000-memory.dmp

memory/2848-44-0x0000000004700000-0x000000000480C000-memory.dmp

memory/2848-46-0x0000000000400000-0x0000000000510000-memory.dmp

memory/2848-45-0x0000000000400000-0x0000000002C95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe

MD5 de8348a2854e7a051783fc14fb28b95e
SHA1 7cf59b54a2f5898b02c66d58899c7585e7423eac
SHA256 1c5ba61085c5579040b75e5c05357eb0f0f14ae0265b8941cd38f62a623ed57a
SHA512 233c668ca4f8df9e2d603e09fb69647465c1a00fb58c8277585fbd4983cf3c49480b892bc4288eae6d16d2e281c602d69da3fa82b03a249f45eaad16194621ad

memory/2504-73-0x0000000004DA0000-0x0000000004DDC000-memory.dmp

memory/2504-74-0x0000000004DE0000-0x0000000004E1A000-memory.dmp

memory/2504-{75,76,78,80,82,84,86,88,90,92,94,96,98,100,102,105,106,108,110,112,114,116,118,120,122,124,126,128,131,132,134,136}-0x0000000004DE0000-0x0000000004E15000-memory.dmp

(32 dumps of the same 0x35000-byte region of PID 2504, cf107942.exe, captured at the sequence numbers listed)

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 06:53

Reported

2024-11-11 06:55

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(34 payload matches recorded; the export carries no indicator, process or target column for them)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A

Adds Run key to start application

persistence

Note: these wextract_cleanup<n> RunOnce entries are the IExpress/wextract cleanup hooks that delete the IXP00n.TMP extraction folders at next logon, not payload persistence; the scheduled task oneetx.exe created by the Amadey stage is the persistence mechanism in this run.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe
PID 4572 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe
PID 3140 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe
PID 4740 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe
PID 4740 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe
PID 2080 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3140 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe
PID 2984 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2984 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3964 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3964 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3964 wrote to memory of 4380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3964 wrote to memory of 2424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3964 wrote to memory of 4228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3964 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe

"C:\Users\Admin\AppData\Local\Temp\0ea229125a2edfddb562641226298b4a4b4166f10118bd4d0b48f9b63ee9c0f0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.142:38452 N/A tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/3760-1-0x0000000004B00000-0x0000000004C0D000-memory.dmp

memory/3760-2-0x0000000004C10000-0x0000000004D1C000-memory.dmp

memory/3760-3-0x0000000000400000-0x0000000000510000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe

MD5 f4d5446b7526a88d296ff84e4bfa576e
SHA1 32adb32e235180b3b5c6af08258814db484a9ca6
SHA256 e5ebec2cbd517d24bce4c8ab411b51551ec1700cbc253db0acc9512d4f2fbaf1
SHA512 832ee4d62e735c16c447a00665eca7eac12cad02ebb0875fbbbc5a349bfc4fcebcbea69a2235f63311f688c1d5810b688d4e1fe425b1fbf69fd7c71a1bc6cc1d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe

MD5 f97e5dc74a30ee94dcd9308c9a15d629
SHA1 aa6f4d56ef656fe46759455cd31c621c449c290c
SHA256 e35c7c46ffdb9c2c6fadaa6efa1023d434207e8001a6a6b1868904df955eb3e8
SHA512 4ed2494373693007585ff62aded6e5d08b1b081b37452d031dff4ef0fd9a8c3f4b0a45b0454c0d1519057596b50b05b51c8de901ae2cbe088ee286439da1ca85

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe

MD5 14959501f275d4d39bb38ad94bc50210
SHA1 4203952ae7f7090a696ccb225a7b23d511887a6e
SHA256 7c81324faf9ef8d1dd51c2041f137a0f957f1a517f8a6b1864cac31839091252
SHA512 8cd9fc7e75a4c90806fc060c13c1cb844d0238f0a5ad2d73374aabde7a5dc2d97be8bc065eddb9254fefd59f963eb94617dd8e740cd74a013df945cc173b3ef3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe

MD5 de8348a2854e7a051783fc14fb28b95e
SHA1 7cf59b54a2f5898b02c66d58899c7585e7423eac
SHA256 1c5ba61085c5579040b75e5c05357eb0f0f14ae0265b8941cd38f62a623ed57a
SHA512 233c668ca4f8df9e2d603e09fb69647465c1a00fb58c8277585fbd4983cf3c49480b892bc4288eae6d16d2e281c602d69da3fa82b03a249f45eaad16194621ad