Malware Analysis Report

2025-01-23 07:35

Sample ID 241104-rcca4azndz
Target be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a
SHA256 be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a

Threat Level: Known bad

The file be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

Amadey

Amadey family

Modifies Windows Defender Real-time Protection settings

Healer family

Healer

Redline family

RedLine payload

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 14:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 14:02

Reported

2024-11-04 14:05

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f03270045.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d49492268.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b06891269.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b06891269.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d49492268.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe
PID 3928 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe
PID 3928 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe
PID 1412 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe
PID 1412 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe
PID 1412 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe
PID 3940 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe
PID 3940 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe
PID 3940 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe
PID 3372 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe
PID 3372 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe
PID 3372 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe
PID 868 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe
PID 868 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe
PID 868 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe
PID 1328 wrote to memory of 5740 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe C:\Windows\Temp\1.exe
PID 1328 wrote to memory of 5740 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe C:\Windows\Temp\1.exe
PID 868 wrote to memory of 5288 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b06891269.exe
PID 868 wrote to memory of 5288 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b06891269.exe
PID 868 wrote to memory of 5288 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b06891269.exe
PID 3372 wrote to memory of 5792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe
PID 3372 wrote to memory of 5792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe
PID 3372 wrote to memory of 5792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe
PID 5792 wrote to memory of 6132 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5792 wrote to memory of 6132 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5792 wrote to memory of 6132 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3940 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d49492268.exe
PID 3940 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d49492268.exe
PID 3940 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d49492268.exe
PID 6132 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6132 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6132 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6132 wrote to memory of 5768 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6132 wrote to memory of 5768 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6132 wrote to memory of 5768 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5768 wrote to memory of 3952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5768 wrote to memory of 3952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5768 wrote to memory of 3952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5768 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5768 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5768 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5768 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5768 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1412 wrote to memory of 7016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f03270045.exe
PID 1412 wrote to memory of 7016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f03270045.exe
PID 1412 wrote to memory of 7016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f03270045.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a.exe

"C:\Users\Admin\AppData\Local\Temp\be724bb7e6c721dadbd90aaa868d0d5a674b9027b0539d612b03d792d27af99a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b06891269.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b06891269.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5288 -ip 5288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d49492268.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d49492268.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2316 -ip 2316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1220

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f03270045.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f03270045.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country  Destination           Domain                         Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53            241.150.49.20.in-addr.arpa     udp
US       8.8.8.8:53            172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53            133.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53            g.bing.com                     udp
US       150.171.27.10:443     g.bing.com                     tcp
US       8.8.8.8:53            10.27.171.150.in-addr.arpa     udp
US       8.8.8.8:53            57.169.31.20.in-addr.arpa      udp
RU       193.3.19.154:80       -                              tcp
RU       185.161.248.73:4164   -                              tcp
RU       185.161.248.73:4164   -                              tcp
US       8.8.8.8:53            209.205.72.20.in-addr.arpa     udp
RU       193.3.19.154:80       -                              tcp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa    udp
RU       185.161.248.73:4164   -                              tcp
RU       193.3.19.154:80       -                              tcp
RU       185.161.248.73:4164   -                              tcp
US       8.8.8.8:53            tse1.mm.bing.net               udp
US       150.171.28.10:443     tse1.mm.bing.net               tcp
US       150.171.28.10:443     tse1.mm.bing.net               tcp
US       150.171.28.10:443     tse1.mm.bing.net               tcp
US       150.171.28.10:443     tse1.mm.bing.net               tcp
US       8.8.8.8:53            55.36.223.20.in-addr.arpa      udp
RU       193.3.19.154:80       -                              tcp
RU       185.161.248.73:4164   -                              tcp
RU       193.3.19.154:80       -                              tcp
RU       185.161.248.73:4164   -                              tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm980993.exe

MD5 f0e34ef6ee36ed438a5dc26a50980ff6
SHA1 a2c1e5ded11540852e373396451bf8ef6be38307
SHA256 8ec221d685ea21f02d3fb5c140c5ef51deee7396e31f46128bc5fa534cbc6e88
SHA512 f91fffc2215d09b531e877a52317c8fd414d6f4a8fcc172e868f9956306ce8d14247ba163a1ff10c82955221e106cd4b6d1dc71115f30c24080bad7333521360

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cg529800.exe

MD5 01534d85d72a90202083ffad9011bff2
SHA1 39befc0118ad77a4c187f4ce948df3d8bd24dd4f
SHA256 deba7559531f668c6183b4177b0ec4211c9a3496c0af4e3ecf10204baee291bb
SHA512 d4d50f41ddab81fed891e678b9698472c2fcf72e40e8f985379e21b86f523ad29707059c392fdc9d484ee83a7163edabfc457e562928d8a1053122a37a4ef94b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kb017318.exe

MD5 5745b2c159d6be0a744ed8631da429eb
SHA1 f30381c4589611011682fb6a5f623c5476aa4b50
SHA256 a7be713a062156d35d68d2ab7ed9d4b91b15295a2d00fcc6ad9018ad88008ce2
SHA512 cb1974f4a5c60a46371b559f0c1317454357d61f70a44dc17f34c347d27da42fe9fdcdce4e1cefba5176252e38d4a2bae5b0c341e1bfb6ba3a8795bb61f92dda

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aQ604297.exe

MD5 e78084d76e624a95c2de8c0f7a32058b
SHA1 3c19f9da4d8d1b1caac1f39996f10dd30e4103ed
SHA256 068686971355ce3d595b82d76aee3e061ad609d85425749130cc16a404a60a6c
SHA512 ea62f49a9fe0a7823a250497fdca94d46e41cba9a58127cb1413485957da11fde17ef075e39b1e6f24f183c3862c9d01e3a1ca71a41005da2c24a4f9050fc20c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43068021.exe

MD5 ba7d558c755af24099f1a81d2e5e755f
SHA1 33d37969db11931d91b458332b6b1e3f6131bc22
SHA256 4dcdf8e4e6babae9a378cdc5e1c1bd62b9f27e92d5453b7a81e16e028f923c1e
SHA512 a2b66b56e3dce0bd0c30575e41e666d1af754be23fa48789234d6c5332e0ba04ce78c45b72641ed5b1b77f635c74b10b0081bc86c43101a46ff2efb7d6f3aa40

memory/1328-35-0x0000000004A10000-0x0000000004A68000-memory.dmp

memory/1328-36-0x0000000004C00000-0x00000000051A4000-memory.dmp

memory/1328-37-0x0000000004B20000-0x0000000004B76000-memory.dmp

memory/1328-43-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-55-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-101-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-99-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-97-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-95-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-94-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-92-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-89-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-87-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-85-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-81-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-79-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-77-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-75-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-73-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-71-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-67-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-65-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-61-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-59-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-58-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-53-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-51-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-49-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-47-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-45-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-41-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-83-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-69-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-63-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-39-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-38-0x0000000004B20000-0x0000000004B71000-memory.dmp

memory/1328-2166-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/5740-2179-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b06891269.exe

MD5 91691a23085b9c24033e9375b917f09c
SHA1 5923329bd6180c17de2d6a55eab716be9f0262f0
SHA256 4281b083c3a9c14ac739312c3a33388519ab9c3d7fc3da23af9fdae40e2f74a7
SHA512 6f92be64c0bcb1f41bd7cfb6add5ff368b927bffc8551e793fd9a05910427e234aad3a6e52f1b86461312aff29727f3257b833b68fd4c00ae69e7192ba1e236e

memory/5288-4312-0x0000000005760000-0x00000000057F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c37965266.exe

MD5 8f6009cf16c7629101e2e3f5dd003cca
SHA1 b2476a2de651fa9cdd92a03dd9efb48c5fbcb018
SHA256 ffe0ee3d725268c610fb2c5c0756b5f9543f7b8a480c1e9385ec11ec4ea6f1e8
SHA512 25657c1d8ffb1dc46768925a030a6c4c27c9586ee85ce6674b2a1d868f99dbb8caa9de0eea1952faf229f20c9d4b6974165a2f16ed216e44077ede2873195350

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d49492268.exe

MD5 febd7135f661c487afac15cab00f2bf3
SHA1 85ce3830b5c03a958b77155a71335f89b7183cbf
SHA256 7681e11ae5cca297ca6f9c74a85fe3f8768044231cc48aa44d87aab8eba1d095
SHA512 dc9245a2bf55b3ffde4ab5bcad9c4a81ff56867f52a7129276e0efca6a016f26258891cfd1427d555829fc2931a656cb7301a56c86901007a512bf88c89937ce

memory/2316-4333-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/2316-4332-0x0000000004D70000-0x0000000004DD8000-memory.dmp

memory/2316-6480-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f03270045.exe

MD5 b71b422558d635a0595d84a108ca6758
SHA1 c5bc998b6e25b929fbd279579cedcb4fd3d7e2b3
SHA256 d3ce77dc9580c64d8c821aa7afb5e4c7ceade02393adcd0a06e12d68ca01160c
SHA512 fc94da9aada8581ed3a69efea773d5432869c96c1c375caa3bf4962d9257f635a56ae2a425d4b62a33c07806fcb1a4eae2f359c196ccf2c28e259ac655b31068

memory/7016-6486-0x00000000003B0000-0x00000000003E0000-memory.dmp

memory/7016-6487-0x0000000004BD0000-0x0000000004BD6000-memory.dmp

memory/7016-6488-0x000000000A840000-0x000000000AE58000-memory.dmp

memory/7016-6489-0x000000000A360000-0x000000000A46A000-memory.dmp

memory/7016-6490-0x000000000A290000-0x000000000A2A2000-memory.dmp

memory/7016-6491-0x000000000A2F0000-0x000000000A32C000-memory.dmp

memory/7016-6493-0x0000000002420000-0x000000000246C000-memory.dmp