Malware Analysis Report

2025-01-23 07:40

Sample ID 241104-q4ed4a1dkp
Target b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d
SHA256 b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d was found to be: Known bad.

Malicious Activity Summary

Amadey

RedLine payload

Redline family

Amadey family

RedLine

Detects Healer, an antivirus disabler dropper

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:48

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:48

Reported

2024-11-04 13:51

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Target: N/A
Processes:
  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe
  C:\Windows\SysWOW64\cacls.exe (4 instances)
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe
  C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\cmd.exe (3 instances)
  C:\Users\Admin\AppData\Local\Temp\b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5100 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe
PID 1972 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe
PID 1040 wrote to memory of 4984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe
PID 4984 wrote to memory of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe
PID 4984 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe
PID 1040 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe
PID 4976 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1972 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe
PID 452 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 452 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 3852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2560 wrote to memory of 4496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2560 wrote to memory of 4148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 3916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2560 wrote to memory of 3712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b2fdc078bc230d8e259c39a4b2f89f120f664c414a6413e3b933ee1408e7294d.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DS574987.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OZ107911.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GA344183.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\189292868.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\210760503.exe

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4208 -ip 4208

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1084

Image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359077904.exe

Image: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485336308.exe

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "oneetx.exe" /P "Admin:N"

Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "oneetx.exe" /P "Admin:R" /E

Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\cb7ae701b3" /P "Admin:N"

Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\cb7ae701b3" /P "Admin:R" /E

Image: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Image: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Image: C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe start wuauserv