Malware Analysis Report

2024-10-16 03:40

Sample ID 240827-zezs6ssdjq
Target 18759016437.zip
SHA256 d4a4a3611e20cd501dced85d177cfa657fa8a8a7d99d9f230fafe817c9ecb8f5
Tags
amadey healer redline 9c0adb gena most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d4a4a3611e20cd501dced85d177cfa657fa8a8a7d99d9f230fafe817c9ecb8f5

Threat Level: Known bad

The file 18759016437.zip was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb gena most discovery dropper evasion infostealer persistence trojan

Healer

Amadey

RedLine

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-27 20:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-27 20:38

Reported

2024-08-27 20:41

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe N/A
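The three registry tables above (Real-Time Protection policy, TamperProtection, Run keys) are the defence-evasion and persistence evidence of this detonation, and the rows are worth scoring rather than just reading: both C:\Windows\Temp\1.exe and b83632839.exe switch off real-time monitoring and tamper protection, one through the native view and one through WOW6432Node. The Python below is an added example written for this page, not code from the sandbox or from the Healer, Amadey or RedLine families; it parses "Set value" rows in the layout used above, folds the WOW6432Node view into the native one so one rule matches either table, and tags Run/RunOnce writes separately. The wextract_cleanup RunOnce entries in the persistence table are the Windows self-extractor (wextract) scheduling deletion of its own IXP00n.TMP directory through advpack.dll, which is also why the sample unpacks through five nested IXP000 to IXP004 folders; tag them, but do not read them as the payload's persistence. The rows are copied from this report; the parser assumes the report's whitespace-separated columns with process paths that contain no spaces.

```python
import re
from collections import defaultdict

# Registry rows copied from the behavioral tables above (a constructed subset:
# every Defender row for C:\Windows\Temp\1.exe, two rows for b83632839.exe and
# one WExtract RunOnce row as a non-Defender control). The "Key created" row is
# included to show that only "Set value" rows are scored.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe N/A
"""

# Row layout: Set value (<type>) <key>\<name> = "<value>" <process> <target>.
# Assumption: the process path carries no spaces (true for every row in this report).
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+?)\\(?P<name>[^\\]+) = "(?P<value>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)

RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
AUTORUN = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": "runonce",
}

def normalize_key(key):
    """Map the kernel object path to a hive name and fold WOW6432Node into the native view."""
    key = key.replace(r"\REGISTRY\MACHINE", "HKLM", 1).replace(r"\REGISTRY\USER", "HKU", 1)
    return key.replace(r"\WOW6432Node", "")

def classify(key, name, value):
    """Return a finding tag for one registry write, or None when it is not interesting."""
    if key == RTP_POLICY and name.startswith("Disable") and value == "1":
        return f"defender.disable.{name}"
    if key == FEATURES and name == "TamperProtection" and value == "0":
        return "defender.tamper_protection_off"
    if key in AUTORUN:
        # wextract_cleanup<n> entries are the self-extractor deleting its IXP00n.TMP
        # folder through advpack.dll; tag them, but do not mistake them for payload persistence.
        return f"persistence.{AUTORUN[key]}.{name}"
    return None

def findings(report_text):
    """Group finding tags by the process that made the write."""
    hits = defaultdict(set)
    for line in report_text.splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        tag = classify(normalize_key(m["key"]), m["name"], m["value"])
        if tag:
            hits[m["proc"]].add(tag)
    return {proc: sorted(tags) for proc, tags in hits.items()}

def defender_neutralised(tags):
    """Real-time scanning and tamper protection both switched off by the same process."""
    return {"defender.disable.DisableRealtimeMonitoring", "defender.tamper_protection_off"} <= set(tags)

if __name__ == "__main__":
    for proc, tags in findings(SAMPLE_EVENTS).items():
        flag = "  <- Defender neutralised" if defender_neutralised(tags) else ""
        print(f"{proc}{flag}")
        for tag in tags:
            print(f"    {tag}")
```

On a live host the same two checks map onto Get-MpPreference (DisableRealtimeMonitoring) and the TamperProtection value under HKLM\SOFTWARE\Microsoft\Windows Defender\Features; a process that writes both within seconds of being dropped is the Healer behaviour the signature above names.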

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe
PID 2072 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe
PID 2072 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe
PID 4516 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe
PID 4516 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe
PID 4516 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe
PID 1552 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe
PID 1552 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe
PID 1552 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe
PID 1016 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe
PID 1016 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe
PID 1016 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe
PID 1324 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe
PID 1324 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe
PID 1324 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe
PID 464 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe C:\Windows\Temp\1.exe
PID 464 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe C:\Windows\Temp\1.exe
PID 1324 wrote to memory of 5600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe
PID 1324 wrote to memory of 5600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe
PID 1324 wrote to memory of 5600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe
PID 1016 wrote to memory of 5348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe
PID 1016 wrote to memory of 5348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe
PID 1016 wrote to memory of 5348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe
PID 5348 wrote to memory of 5844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5348 wrote to memory of 5844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5348 wrote to memory of 5844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1552 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe
PID 1552 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe
PID 1552 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe
PID 5844 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5844 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5844 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5844 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5844 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5844 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 5816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 5816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 5816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 6724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 6724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 6724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 6736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 6736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 6736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 6780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 6780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 6780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5944 wrote to memory of 6788 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe C:\Windows\Temp\1.exe
PID 5944 wrote to memory of 6788 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe C:\Windows\Temp\1.exe
PID 5944 wrote to memory of 6788 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe C:\Windows\Temp\1.exe
PID 4516 wrote to memory of 6952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe
PID 4516 wrote to memory of 6952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe
PID 4516 wrote to memory of 6952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe
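The WriteProcessMemory table is the only place in this report that ties a parent PID, a child PID and both images together, and the sandbox logs each parent/child pair several times (one row per write into the freshly created process), so the table is the right input for rebuilding the process tree. The Python below is an added example written for this page, not sandbox or malware code: it folds the repeated rows into single edges, rebuilds the tree in the order the sandbox saw the children, prints it root-first and can return the full lineage of any PID. The rows are copied from the table above (with the first pair kept in triplicate to show the de-duplication); the parser assumes image paths without spaces, which holds for every row here. Note that C:\Windows\Temp\1.exe is started twice (PIDs 1080 and 6788) and the Files section lists two different hashes for that path, so track by PID or hash rather than by path.

```python
import re

# Rows copied from the "Suspicious use of WriteProcessMemory" table above
# (constructed subset: one row per parent/child pair, first pair in triplicate).
SAMPLE_ROWS = r"""
PID 2072 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe
PID 2072 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe
PID 2072 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe
PID 4516 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe
PID 1552 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe
PID 1016 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe
PID 1324 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe
PID 464 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe C:\Windows\Temp\1.exe
PID 1324 wrote to memory of 5600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe
PID 1016 wrote to memory of 5348 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe
PID 5348 wrote to memory of 5844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1552 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe
PID 5844 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5844 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 5816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 6724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 6736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2776 wrote to memory of 6780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5944 wrote to memory of 6788 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe C:\Windows\Temp\1.exe
PID 4516 wrote to memory of 6952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe
"""

# Assumption: image paths contain no spaces (true for every row in this report).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

def parse_edges(text):
    """(parent_pid, child_pid) -> (parent_image, child_image); repeated rows fold into one edge.
    Dict insertion order keeps the children in the order the sandbox first saw them."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges.setdefault((int(ppid), int(cpid)), (pimg, cimg))
    return edges

def build_tree(edges):
    """Return (images, children, parent, roots) for the edge set."""
    images, children, parent = {}, {}, {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        images.setdefault(ppid, pimg)
        images[cpid] = cimg
        children.setdefault(ppid, []).append(cpid)
        parent[cpid] = ppid
    roots = [pid for pid in images if pid not in parent]
    return images, children, parent, roots

def basename(path):
    return path.rsplit("\\", 1)[-1]

def lineage(pid, parent, images):
    """Image names from the root process down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [basename(images[p]) for p in reversed(chain)]

def render(images, children, roots):
    """Indented, root-first text tree of PID and image name."""
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(images[pid])}")
        for child in children.get(pid, []):
            walk(child, depth + 1)
    for root in roots:
        walk(root, 0)
    return "\n".join(lines)

if __name__ == "__main__":
    images, children, parent, roots = build_tree(parse_edges(SAMPLE_ROWS))
    print(render(images, children, roots))
    print("lineage of cacls.exe 6780:", " > ".join(lineage(6780, parent, images)))
```

The rendered tree makes the dropper structure visible at a glance: a five-deep chain of self-extractors (043e... > vy828800 > Gb031171 > gO048014 > nO213324), each of which also drops one payload sibling at its level (f40958537, d40593754, c63837854 and the two IXP004 executables), with oneetx.exe alone spawning the schtasks and cmd/cacls children.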

Processes

C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe

"C:\Users\Admin\AppData\Local\Temp\043e3e2914317fdc256d1ed74c16eb91ecacbf751e9e65617003ef13d57d76a7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5600 -ip 5600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 1052

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5944 -ip 5944

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 1384

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
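Two of the command lines above carry the persistence and self-protection that keep oneetx.exe alive: the schtasks /Create line re-launches it every minute (/SC MINUTE /MO 1, /F overwriting any task of the same name), and the cmd /k chain runs CACLS twice per object, first replacing the ACL with Admin:N (the echo Y answers the confirmation prompt cacls shows when it replaces an ACL) and then editing it with /E to add Admin:R, so the logged-on user is left with read-only access to the dropped executable and to its directory and cannot simply delete them. The Python below is an added example written for this page, not sandbox or malware code: it parses the schtasks line into its scheduling fields and replays the cacls calls in order to compute the ACL each object ends with. The command lines are copied from the Processes list above; the parser assumes the /TN, /TR and CACLS arguments are either double-quoted or free of spaces, as they are here.

```python
import re

# Command lines copied verbatim from the Processes section above.
SCHTASKS_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'
CACLS_CMD = r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'

# cacls permission letters. N revokes everything; /P without /E replaces the whole
# ACL with the single entry given, /P with /E edits the existing ACL instead.
PERM = {"N": "none", "R": "read", "W": "write", "C": "change", "F": "full"}

CACLS_RE = re.compile(
    r'CACLS\s+"(?P<path>[^"]+)"\s+/P\s+"(?P<user>[^:"]+):(?P<perm>[NRWCF])"(?P<edit>\s+/E)?', re.I)

def schtasks_create(cmdline):
    """Scheduling fields of a schtasks /Create command line, or None for anything else."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/Create\b', cmdline, re.I):
        return None

    def opt(flag):
        # Value is either "quoted" or a single space-free token (assumption stated above).
        m = re.search(rf'{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
        if not m:
            return None
        return m.group(1) if m.group(1) is not None else m.group(2)

    tokens = [t.upper() for t in cmdline.split()]
    return {
        "task": opt("/TN"),
        "schedule": opt("/SC"),
        "modifier": int(opt("/MO") or 1),
        "run": opt("/TR"),
        "force": "/F" in tokens,
    }

def cacls_replay(cmdline):
    """Replay every CACLS call in a cmd chain, in order, and return {path: {user: permission}}."""
    acls = {}
    for m in CACLS_RE.finditer(cmdline):
        path, user, perm = m["path"], m["user"], PERM[m["perm"].upper()]
        if m["edit"]:
            acls.setdefault(path, {})[user] = perm   # /E: edit in place
        else:
            acls[path] = {user: perm}                # no /E: the ACL now holds only this entry
    return acls

def locked_down(acls):
    """Objects whose remaining ACEs grant at most read access to everyone listed."""
    return sorted(path for path, aces in acls.items()
                  if aces and all(p in ("none", "read") for p in aces.values()))

if __name__ == "__main__":
    task = schtasks_create(SCHTASKS_CMD)
    print(f"task {task['task']}: every {task['modifier']} {task['schedule']} -> {task['run']}")
    acls = cacls_replay(CACLS_CMD)
    for path, aces in acls.items():
        print(f"{path}: {aces}")
    print("read-only for the user:", locked_down(acls))
```

Because cacls without /E replaces the ACL rather than appending to it, the first call strips every other ACE from the object; the replay therefore ends with exactly one entry per object, which is the state an incident responder will find when they try to remove oneetx.exe and its folder (take ownership or reset the ACL first).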

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 193.3.19.154:80 193.3.19.154 tcp
US 8.8.8.8:53 154.19.3.193.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
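Most of the network table is the Windows 10 guest's own traffic: reverse lookups through 8.8.8.8 for every peer the sandbox saw, and DNS plus TLS to Bing hosts. A triage pass should separate that noise before anything is written into a blocklist, which leaves two endpoints reached with no hostname at all, 193.3.19.154:80 and 185.161.248.73:4164 (the latter contacted twelve times over the run). The Python below is an added example written for this page, not the sandbox's or any family's code: it parses the rows, tolerates a Domain column that is either absent or a "-" placeholder on the direct-to-IP rows, drops the reverse-DNS and guest-OS noise, and tallies the connections that went straight to an IP. The rows are copied from the table above in the form the sandbox emits; the guest-noise suffix list is a constructed assumption for this sandbox image, and the report does not say which endpoint belongs to which family, so treat both as pivots rather than as attributed C2.

```python
import re
from collections import Counter

# The 33 rows of the Network table above, copied verbatim (Domain column absent
# on the direct-to-IP rows, exactly as the sandbox emitted them).
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 193.3.19.154:80 193.3.19.154 tcp
US 8.8.8.8:53 154.19.3.193.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
"""

# Columns: Country Destination [Domain] Proto. Domain may be missing or "-".
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<dest>\S+:\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Constructed assumption: hostnames the win10 guest image talks to on its own.
GUEST_NOISE_SUFFIXES = (".bing.com", ".bing.net")

def classify(row):
    host = row["dest"].rsplit(":", 1)[0]
    domain = row["domain"]
    if domain and domain.endswith(".in-addr.arpa"):
        return "noise.reverse_dns"      # PTR lookups the sandbox fires for every peer
    if domain and domain.endswith(GUEST_NOISE_SUFFIXES):
        return "noise.guest_os"         # DNS for, and connections to, allow-listed hosts
    if domain is None or domain == host:
        return "suspect.direct_ip"      # no hostname: the IP:port is baked into the sample
    return "review"                     # a real hostname this pass has no opinion on

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            if row["domain"] == "-":
                row["domain"] = None
            rows.append(row)
    return rows

def tally(text):
    """How many rows fall into each class."""
    return Counter(classify(r) for r in parse_rows(text))

def direct_ip_iocs(text):
    """Unique IP:port endpoints contacted without a hostname, most-connected first."""
    counts = Counter((r["dest"], r["proto"], r["cc"]) for r in parse_rows(text)
                     if classify(r) == "suspect.direct_ip")
    return [{"dest": d, "proto": p, "country": c, "connections": n}
            for (d, p, c), n in counts.most_common()]

if __name__ == "__main__":
    print(dict(tally(NETWORK_ROWS)))
    for ioc in direct_ip_iocs(NETWORK_ROWS):
        print(f"{ioc['country']} {ioc['dest']}/{ioc['proto']} x{ioc['connections']}")
```

The "review" class is deliberately left in: a hostname that is neither sandbox noise nor a raw IP is where a real investigation starts (passive DNS, certificate pivots), and a script that silently drops it would hide exactly the rows that matter on a less noisy run.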

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vy828800.exe

MD5 e0de19249bf1a5d8b9a3112a4c97e57c
SHA1 dffbd97a74e5fbc40d184720a41d8c98cfb7131f
SHA256 c711f10a893e9a902a5402ffab7a5722f265b2e7b286a08a831b9252acb23aa9
SHA512 5d1cc9b5622b61dccfc30d988a2fca343dc5fc612b553f606a01eebaeb1beca9c75c55e3c4961efd07e07140f967b5dbfb36113431099ffbb322d11fb278a345

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gb031171.exe

MD5 0dbaf7b091e41117a7f23a43aa8b0e81
SHA1 124f562afe0fe4c5c90badd3f27fe3f63309b717
SHA256 1cdceebcc4b9c79486bbd8053b7da3697cf8289e319bbfc6cd8cdf5aa42c1aa0
SHA512 8e1833afe3ec918b20ae9dbf1d487641c35d1e7e36d5802d8b73779adcdaf582218319df2c3c2daec03590a67c5be7e24c313db5990dde635f65efbc248c19fa

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gO048014.exe

MD5 681d32894db1770a3679b0e676bdad26
SHA1 b026c3df247211b914ea56002ee1b573fb5df1e8
SHA256 5a3be1ee8101bd7dbaf89270c7f66190dc9d459fbbe1fc8aec3e984a53b200cd
SHA512 137854d32b4059529e5d134b4e52471bfb70263b35293df2b59271479c7340eef03a1b3c59bd5637ac697ec1221b4a13b8799d585d5953fe8b53a2caedf9e8f3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nO213324.exe

MD5 9ae61136f20115dbe57ab19a208b55fe
SHA1 f3430de516b0c45e710e3971279b53c0f901efb1
SHA256 b8be9b29e4bf1da7b8ef470a3a6fae220c602afbf8b820fd70cada51025384f4
SHA512 3865aeef3702f24f522e1bdad63ce76f5984cbb3911f81406b586b3092d9944f85bb0af587465592dffbd6be41fc5d1c5e23f6592965af40e5982fdde5d19df0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33564524.exe

MD5 34ea3b87b3abdd85d0610aab58b08a37
SHA1 54e22c80334f33d8175a7b9fdb6d34fd7bb2f2aa
SHA256 a933a805aeea5efd041dcf863af2632d74108226ebf468a40cea1e91da577e43
SHA512 ee3bd407fd68031381ea1a5a0a394d384b604c5b560059c3f40af21d1c436bd96b1641ccb2851be67ce40260b1997dde5b8f089f3ce8e3c5a7a4e0c644f406e1

memory/464-35-0x0000000004960000-0x00000000049B8000-memory.dmp

memory/464-36-0x0000000004A70000-0x0000000005014000-memory.dmp

memory/464-37-0x00000000049E0000-0x0000000004A36000-memory.dmp

memory/464-{38,39,41,43,45,47,49,51,53,55,57,59,61,63,65,68,69,71,73,75,77,79,81,83,85,87,89,91,93,95,97,99,108}-0x00000000049E0000-0x0000000004A31000-memory.dmp (33 snapshots of the same region, listed once)

memory/464-2166-0x00000000052F0000-0x00000000052FA000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1080-2179-0x0000000000030000-0x000000000003A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b83632839.exe

MD5 60f1d50806569dd01ad04b43f168a917
SHA1 9b2439d93f6f3164272f70fb6160f6a0dbbad874
SHA256 db0965e4a69ce9c51c310a644dc0c6090b1475285304d7ab8a1870df1b9e4499
SHA512 02ddef7487c5131b1b9b4650dd4b8e332c8d38c8111ff2c429b07fac948be51edd9dceb32cfb5d2f2f4c6d260dcf3ab515619b3f1ac493c7bd220dfa4db64390

memory/5600-2184-0x00000000023A0000-0x00000000023BA000-memory.dmp

memory/5600-2185-0x0000000005380000-0x0000000005398000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c63837854.exe

MD5 588abfa30a62ac336d0f50c9ce50b1e2
SHA1 6525be76ccaac0a9ee90df86dd0cf339452bcdad
SHA256 dcf05badf70737b3434d728cd3533377ee90fbcb7a74236da033b13742412942
SHA512 51d5d4df343272448a04521ca354a6eaf071f16b13d72bc501892635385eabe78c121d985454bc7655027a761f6df8a10a09f9208d12344b031588207e8878ac

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d40593754.exe

MD5 f0f86c12d403b43daf01e473e24e2846
SHA1 202fd664bfcd626a6fa78b5c79fd558181de9eef
SHA256 89fc8d02b9312606f03c217aaa5d9f88a39db2402a124dcd811fabe5e146490e
SHA512 e3ef9d2984b860ef5ef62994401000a202cffe591cf6977f0500324f6a671f1f8f04eed49dea07fb5bf915677a88b999a1eeb7d908ee37fe60a09dc7ab5fddec

memory/5944-2236-0x0000000005550000-0x00000000055B6000-memory.dmp

memory/5944-2235-0x0000000002980000-0x00000000029E8000-memory.dmp

memory/5944-4383-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Windows\Temp\1.exe

MD5 f16fb63d4e551d3808e8f01f2671b57e
SHA1 781153ad6235a1152da112de1fb39a6f2d063575
SHA256 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512 fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

memory/6788-4396-0x0000000000A10000-0x0000000000A3E000-memory.dmp

memory/6788-4397-0x0000000002B20000-0x0000000002B26000-memory.dmp

memory/6788-4399-0x0000000005990000-0x0000000005FA8000-memory.dmp

memory/6788-4400-0x0000000005480000-0x000000000558A000-memory.dmp

memory/6788-4401-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/6788-4402-0x00000000053F0000-0x000000000542C000-memory.dmp

memory/6788-4403-0x0000000005590000-0x00000000055DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f40958537.exe

MD5 25b2a7ebfea8477623ccad041e45538f
SHA1 215dba9d2af1fe6b1b4dd41575793a3406c5dab2
SHA256 251f204427ec48ffcb3f1c8a20dbc68e0f526441a56510fe8d8c56a24ea524b3
SHA512 673305d908aa090cad0801ca0ca4dab94145552ee0c81f94f8fb0d90438c156b64864de55bc28117add8bb58f0a4355b98d98518cce00e14d46778627bde5a7d

memory/6952-4408-0x0000000000610000-0x0000000000640000-memory.dmp

memory/6952-4409-0x00000000027C0000-0x00000000027C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 0fb684cc15d197c0b937e5528359d7c8
SHA1 7d963246f52f42012bdcddb31214283c84c954ed
SHA256 e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260
SHA512 c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c