Malware Analysis Report

2025-01-23 07:38

Sample ID 241104-q8hbjs1dpr
Target ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b
SHA256 ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b

Threat Level: Known bad

The file ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey family

Healer

Detects Healer, an antivirus-disabler dropper

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

RedLine

Amadey

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:55

Reported

2024-11-04 13:58

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
35 hits; indicator, process and target fields not populated in this export (N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe N/A
Both Healer droppers in IXP003.TMP write the same five DWORDs (DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableOnAccessProtection, DisableIOAVProtection, DisableScanOnRealtimeEnable); 169879222.exe also creates the key. The WOW6432Node path is how the sandbox recorded writes from these 32-bit processes; the report does not show whether the write reached the policy view Defender reads. On a Windows 10 host with Tamper Protection enabled, Defender does not honour attempts to disable real-time protection through these policy values, so this entry records an attempt, not a confirmed loss of protection.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
6 hits; indicator, process and target fields not populated in this export (N/A)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe N/A
Features\TamperProtection is the value in which Defender records its Tamper Protection state. Here it is written into the 32-bit (WOW6432Node) view of HKLM\SOFTWARE\Microsoft\Windows Defender, which the 64-bit Defender service does not read, and on a host where Tamper Protection is enabled a user-mode write to this value does not switch it off. As with the Real-Time Protection policy values, the entry records the attempt.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe N/A
These four RunOnce values are written by the IExpress (wextract) self-extracting stub of each nested layer, one per IXP00n.TMP directory: at next logon each runs advpack.dll's DelNodeRunDLL32 to delete that extraction directory. They are cleanup, not payload persistence. The IXP000.TMP to IXP003.TMP numbering shows four nested self-extracting layers, each unpacking the next; the sample's persistence proper is the scheduled task recorded under "Scheduled Task/Job: Scheduled Task".

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe (4 instances) N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe (3 instances) N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe N/A
Every process in the chain opened this key, including the Windows binaries cmd.exe, cacls.exe and schtasks.exe; ordinary locale lookups read it, so on its own it is weak evidence of language-based targeting. The Geo\Nation query under "Checks computer location settings" (326179846.exe and oneetx.exe only) is the more specific indicator.

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
Task created "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F C:\Windows\SysWOW64\schtasks.exe N/A
The task named oneetx.exe re-launches the dropped copy every minute (/SC MINUTE /MO 1, /F overwriting any existing task of that name); the Processes list shows the relaunches within the 147 s run. This is the sample's persistence; the RunOnce entries listed under "Adds Run key to start application" only delete the extraction directories.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Each parent/child pair below was logged three times; one row per pair is kept here. Three writes into a freshly created child are the parent's normal CreateProcess setup, not code injection, so this signature on its own is low-signal.
PID 2512 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe
PID 4832 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe
PID 4288 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe
PID 4484 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe
PID 4484 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe
PID 4288 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe
PID 4392 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4832 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe
PID 2000 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2000 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 556 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 556 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 556 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
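The table above gives each parent/child relationship as a "PID A wrote to memory of B" row, and the sandbox logged every row three times. As an added example (not part of this report or of the sandbox's own tooling), the following Python rebuilds the process tree from those rows: it collapses the triplicates, prints an indented tree, walks any process's ancestry back to the submitted sample, and groups the dropped executables by the IXP00n.TMP stage directory they ran from. The rows are copied from this report's table; the regex, the function names and the output layout are the example's own.

```python
"""Rebuild a detonation's process tree from 'PID A wrote to memory of B' rows.
Added example; the rows are copied from the report, everything else is mine."""
import re
from collections import defaultdict

# One copy of each parent->child row from the report (the sandbox logged each three times).
WPM_ROWS = r"""
PID 2512 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe
PID 4832 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe
PID 4288 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe
PID 4484 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe
PID 4484 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe
PID 4288 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe
PID 4392 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4832 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe
PID 2000 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2000 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 556 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 556 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 556 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
"""

# Paths in this report contain no spaces, so \S+ is enough for the two image columns.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")


def parse_rows(text):
    """Return (edges, images): parent pid -> child pids in log order, and pid -> image path.
    Duplicate rows (the sandbox's triplicates) collapse to one edge."""
    edges, images = defaultdict(list), {}
    for m in ROW_RE.finditer(text):
        ppid, cpid = int(m.group(1)), int(m.group(2))
        images.setdefault(ppid, m.group(3))
        images.setdefault(cpid, m.group(4))
        if cpid not in edges[ppid]:
            edges[ppid].append(cpid)
    return dict(edges), images


def roots(edges):
    """Processes that are parents but never children: the submitted sample."""
    children = {c for cs in edges.values() for c in cs}
    return [p for p in edges if p not in children]


def ancestry(edges, pid):
    """Chain from the root down to pid, e.g. sample -> ... -> cmd.exe -> cacls.exe."""
    parent = {c: p for p, cs in edges.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(edges, images, pid, depth=0):
    """Indented tree of 'basename (pid)' lines, children in launch order."""
    name = images[pid].rsplit("\\", 1)[-1]
    lines = ["  " * depth + f"{name} ({pid})"]
    for child in edges.get(pid, []):
        lines.extend(render(edges, images, child, depth + 1))
    return lines


def stages(images):
    """Group dropped executables by the IXP00n.TMP self-extractor stage they ran from."""
    out = defaultdict(list)
    for img in images.values():
        m = re.search(r"\\(IXP\d{3}\.TMP)\\", img)
        if m:
            out[m.group(1)].append(img.rsplit("\\", 1)[-1])
    return dict(out)


if __name__ == "__main__":
    edges, images = parse_rows(WPM_ROWS)
    for root in roots(edges):
        print("\n".join(render(edges, images, root)))
    print(stages(images))
```

Run as a script it prints the sample at the top, the four IXP stages nested beneath it, oneetx.exe with its schtasks and cmd children, and the cacls processes under cmd.exe (PID 556); `stages()` shows two executables per stage from IXP001.TMP onward, which is the pattern of one self-extractor unpacking the next stage plus one payload.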

Processes

Process tree reconstructed from the parent/child pairs in the WriteProcessMemory table (PIDs from that table). Each entry gives the image path, then the recorded command line where the report has one. Image paths under C:\Windows\SysWOW64\ are the 32-bit copies: the command lines name System32, and WOW64 file system redirection mapped them for the 32-bit parent oneetx.exe.

C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe (PID 2512)
  "C:\Users\Admin\AppData\Local\Temp\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe (PID 4832)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe (PID 4288)
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe (PID 4484)
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe (PID 1624)
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe (PID 3060)
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe (PID 4392)
        C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe (PID 2000)
          "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
          C:\Windows\SysWOW64\schtasks.exe (PID 4376)
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
          C:\Windows\SysWOW64\cmd.exe (PID 556)
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
            Children of PID 556 in launch order (PIDs 3648, 3976, 212, 3328, 2148, 2796):
            C:\Windows\SysWOW64\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe   CACLS "oneetx.exe" /P "Admin:N"
            C:\Windows\SysWOW64\cacls.exe   CACLS "oneetx.exe" /P "Admin:R" /E
            C:\Windows\SysWOW64\cmd.exe   C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe   CACLS "..\cb7ae701b3" /P "Admin:N"
            C:\Windows\SysWOW64\cacls.exe   CACLS "..\cb7ae701b3" /P "Admin:R" /E
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe (PID 3080)

Crash handling for PID 3060 (281598029.exe), the source of the "Program crash" signature:
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3060 -ip 3060
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1076

Two further instances of C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe were recorded, started by the every-minute scheduled task during the 147 s run:
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

The cacls sequence is the dropped copy's self-protection, characteristic of the Amadey loader the report tags: for oneetx.exe and then for its directory, cacls first replaces the ACL with an explicit deny for Admin (/P "Admin:N", with echo Y piped in to answer the confirmation prompt), then edits it (/E) to grant read only, so the account that ran the sample cannot delete or overwrite the file or directory without first changing the ACL. The IXP000.TMP to IXP003.TMP directories are four nested IExpress self-extracting layers, each unpacking the next stage plus one payload.
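The registry rows under "Modifies Windows Defender Real-time Protection settings" and "Windows security modification", the wextract_cleanup RunOnce values, and the schtasks and cacls command lines above are the behaviours a detection engineer would want rules for. As an added example (not part of this report or of any vendor's ruleset), the following Python evaluates such rules over a small set of event records: the records are constructed from this report's indicator rows and command lines, plus two constructed benign controls (a Real-Time Protection value set back to 0, and a daily task from Program Files) that must not fire. The event schema, rule names, regexes and the ATT&CK mapping are the example's own; the technique IDs are the standard Enterprise ones for these behaviours.

```python
"""Detection rules for the host-side behaviours recorded in this report:
Defender policy tampering, minute-interval scheduled-task persistence and
cacls self-protection of the dropped copy.  Added example; the events are
constructed from the report plus two benign controls, the logic is mine."""
import re
from collections import Counter

# Enterprise ATT&CK technique for each rule.
TECHNIQUES = {
    "defender_rtp_disabled": "T1562.001",
    "defender_tamper_protection_off": "T1562.001",
    "iexpress_sfx_cleanup": "T1547.001",
    "schtasks_minute_persistence": "T1053.005",
    "cacls_deny_self_protect": "T1222.001",
}

# Real-Time Protection policy values this sample sets to 1.
RTP_VALUES = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
              "DisableOnAccessProtection", "DisableIOAVProtection",
              "DisableScanOnRealtimeEnable"}

SCHTASKS_RE = re.compile(r"/sc\s+minute\b.*?/mo\s+(\d+)", re.I)
TASK_RUN_RE = re.compile(r'/tr\s+"([^"]+)"', re.I)
USER_PATH_RE = re.compile(r"\\(appdata|temp)\\", re.I)
CACLS_DENY_RE = re.compile(r'cacls.*?/p\s+"?[^"\s:]+:n\b', re.I)


def _norm_key(key):
    # Drop the WOW64 redirection node so 32- and 64-bit writes compare alike.
    return key.replace(r"\WOW6432Node", "").lower()


def check_registry(ev):
    """Return the rule a registry 'set value' event trips, or None."""
    key, name, data = _norm_key(ev["key"]), ev["value"], ev["data"]
    if (key.endswith(r"\policies\microsoft\windows defender\real-time protection")
            and name in RTP_VALUES and data == 1):
        return "defender_rtp_disabled"
    if (key.endswith(r"\microsoft\windows defender\features")
            and name == "TamperProtection" and data == 0):
        return "defender_tamper_protection_off"
    if (key.endswith(r"\currentversion\runonce")
            and name.startswith("wextract_cleanup") and "IXP" in str(data)):
        return "iexpress_sfx_cleanup"  # IExpress layer cleanup: context, not persistence
    return None


def check_process(ev):
    """Return the rule a process-creation event trips, or None."""
    image, cmd = ev["image"].lower(), ev["cmdline"]
    if image.endswith("schtasks.exe"):
        every, run_path = SCHTASKS_RE.search(cmd), TASK_RUN_RE.search(cmd)
        # A task firing every few minutes from a user-writable path is loader
        # re-launch persistence, not an administrator's maintenance job.
        if every and int(every.group(1)) <= 5 and run_path and USER_PATH_RE.search(run_path.group(1)):
            return "schtasks_minute_persistence"
    if image.endswith("cacls.exe") and CACLS_DENY_RE.search(cmd):
        return "cacls_deny_self_protect"  # explicit deny (":N") on the dropped file/dir
    return None


def run(events):
    """Evaluate every event and return one finding per tripped rule."""
    findings = []
    for ev in events:
        rule = check_registry(ev) if ev["type"] == "reg_set" else check_process(ev)
        if rule:
            findings.append({"rule": rule, "technique": TECHNIQUES[rule],
                             "process": ev.get("process") or ev["image"]})
    return findings


def by_technique(findings):
    return Counter(f["technique"] for f in findings)


RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report; EVENTS[4] and EVENTS[6] are benign controls that must not fire.
EVENTS = [
    {"type": "reg_set", "key": RTP_KEY, "value": "DisableRealtimeMonitoring", "data": 1,
     "process": TMP + r"\IXP003.TMP\169879222.exe"},
    {"type": "reg_set", "key": RTP_KEY, "value": "DisableBehaviorMonitoring", "data": 1,
     "process": TMP + r"\IXP003.TMP\281598029.exe"},
    {"type": "reg_set", "key": FEATURES_KEY, "value": "TamperProtection", "data": 0,
     "process": TMP + r"\IXP003.TMP\281598029.exe"},
    {"type": "reg_set", "key": RUNONCE_KEY, "value": "wextract_cleanup0",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "' + TMP + r'\IXP000.TMP\"',
     "process": TMP + r"\ab7f858306a08653ec95886a6bad02947a7472c493f4e56cee99b32fbbf3682b.exe"},
    {"type": "reg_set", "key": RTP_KEY, "value": "DisableRealtimeMonitoring", "data": 0,
     "process": r"C:\Windows\System32\svchost.exe"},
    {"type": "proc", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "' + TMP + r'\cb7ae701b3\oneetx.exe" /F'},
    {"type": "proc", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'},
    {"type": "proc", "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "oneetx.exe" /P "Admin:N"'},
    {"type": "proc", "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "oneetx.exe" /P "Admin:R" /E'},
    {"type": "proc", "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "..\cb7ae701b3" /P "Admin:N"'},
]

if __name__ == "__main__":
    for f in run(EVENTS):
        print(f"{f['technique']} {f['rule']:32} {f['process']}")
    print(dict(by_technique(run(EVENTS))))
```

The cacls rule deliberately matches only the ":N" deny step, not the "/P Admin:R /E" grant that follows it, and the schtasks rule requires both a short repeat interval and a target under AppData or Temp, so the constructed daily task from Program Files stays quiet. Stripping WOW6432Node before comparing keys keeps the Defender rules indifferent to whether the writer was a 32-bit or 64-bit process.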

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 g.bing.com udp 1
US 150.171.27.10:443 g.bing.com tcp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp 1
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp 1
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp 1
RU 193.3.19.154:80 N/A tcp 4
RU 185.161.248.72:38452 N/A tcp 6

The Bing connections and the reverse (in-addr.arpa) lookups are Windows 10 background traffic from the analysis VM. The two RU endpoints are the only non-Microsoft destinations; both are contacted by IP with no preceding DNS query, one over plain HTTP on port 80 and one on the high port 38452. The report does not show which payload owns which endpoint.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cq295742.exe

MD5 088f6cf506e30c4e829edb01e1f5c271
SHA1 e6cb9f5d6c5cf8f384f2e2d0260d48e62a7f5e9a
SHA256 d510cbaf52d57c0f75ed7c985c8d6658f7456e0565eca95c2367150b1ad68965
SHA512 d6e6ddd21ea5ec0704c35f573d96f72a6c159fb02da973209d619d3af469dec6a8a281c03ce3884bb696a5010819fcbb26f0117e5d2ac356bc8eb0324c16632d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VO258863.exe

MD5 3b7e8eab730bb1668bce9328c76371ff
SHA1 ae94e2becbcdb234b9de33414b075a42ad521f09
SHA256 a690958a21d72573e16fdb480230ac1fe76399f936cd93ff448e6f0c573fdf9e
SHA512 ce60a3f807ef46d7263fc67dc68e44a0bcaa529a81b41cc7bec649c6626cfe0ac967072e91fc014d52a59d9e7051021aac88e300eece18cb183d54f9add613b2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lB644166.exe

MD5 a69cab46db2c824b9deda2ca8c10f406
SHA1 53e96ba05ae3e06ce48b50b43e82158e39791a1b
SHA256 336a974dfee704c6a113c64dfdec6753c239f922ab0b20785828a08d6c6a9e94
SHA512 b66f63526442bb28389fd402c26116fec06e9b583c9b727f4b38cc3c5d765e621669d26a4e086348479d60f4733eeed7978174bbf3dc3601c649330d4419764e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\169879222.exe

MD5 1f0cedd8c4489414b2f3baa31b3e7abb
SHA1 383794249e96c296f663ff35ae789f8ad20b99a2
SHA256 d3eac9dd6063dd1ae3a9e84eb9d52e8869252e15fe7ac0a2c10a8f1b3ddfdcc5
SHA512 6642ee42dd65f966aa36ee5f10c3ddac7059d37bb75c94d7bff68a7976b9bff0cff7920ce969ca81d27b4167b0480cbb67320e99c89d21e6ca43d431a2c1c2df

memory/1624-28-0x00000000024D0000-0x00000000024EA000-memory.dmp
memory/1624-29-0x0000000004B20000-0x00000000050C4000-memory.dmp
memory/1624-30-0x0000000004AC0000-0x0000000004AD8000-memory.dmp
memory/1624-{31,32,34,36,38,40,42,44,46,48,50,52,54,56,58}-0x0000000004AC0000-0x0000000004AD3000-memory.dmp (15 successive dumps of the same region)

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\281598029.exe

MD5 b06bb09f979a9e5be74040f617c45160
SHA1 b28380d838c5f910f9ee2228b2d6d1e1fe0358a0
SHA256 77e1f5dff641b43b3b0a7413f3e0fc4b536772e52882eed84aafdb1ba1abed92
SHA512 c3c431b8f69cee94ce88fe27dc615384bc2ea264aeb37c9786262a87f56a58944269183f34038da6cf674375e48a5f93e3acc74b14404230d6d2034a134d220c

memory/3060-64-0x0000000002470000-0x000000000248A000-memory.dmp
memory/3060-65-0x00000000025B0000-0x00000000025C8000-memory.dmp
memory/3060-{66,67,69,71,73,75,77,80,81,83,85,87,89,91,93}-0x00000000025B0000-0x00000000025C2000-memory.dmp (15 successive dumps of the same region)
memory/3060-{94,96}-0x0000000000400000-0x0000000000466000-memory.dmp (the process's own image region at the default 32-bit base; PID 3060 is the process WerFault later handled)

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326179846.exe

MD5 97193b2c3343334e0db48bb1fadf822d
SHA1 7bca3c872c39434e98dd67e086f6b1daedcba14e
SHA256 8712c7dd83f526dce4498822db04fd09515044956c2c3810d416ab91eb4cd4a4
SHA512 3ce6b2c8820b2c2a6039a49fae675c2a9ca4684dfe339a2fc1aa7ab7d55d49303afcc88d60ef33a3ff56e0b1a3d2875d8f41987299f42d8e25ac94c34a31cc0b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462992892.exe

MD5 c50b844a387bae098dcb8a5fd65f05f2
SHA1 9e631380ed129979b5a4f49d5c3b77ca3864023a
SHA256 595022bdba0e388d82d666ad6bc80a236496b710bf6e7c61d7b2ed70cd24db02
SHA512 6095f85b463aab6c3add064f614d1569932a922c59680c06008ab8202657263b6a820c18dbf12da9428a9eb3f5afd21162cae4c6e85cb8134137e4904d6a3e1c

memory/3080-114-0x0000000002460000-0x000000000249C000-memory.dmp
memory/3080-115-0x0000000005030000-0x000000000506A000-memory.dmp
memory/3080-{116,117,119,121}-0x0000000005030000-0x0000000005065000-memory.dmp (4 successive dumps of the same region)
memory/3080-908-0x0000000007B60000-0x0000000008178000-memory.dmp
memory/3080-909-0x00000000075E0000-0x00000000075F2000-memory.dmp
memory/3080-910-0x0000000007600000-0x000000000770A000-memory.dmp
memory/3080-911-0x0000000007720000-0x000000000775C000-memory.dmp
memory/3080-912-0x0000000002350000-0x000000000239C000-memory.dmp