Malware Analysis Report

2025-04-13 23:55

Sample ID 241104-znkevawnfx
Target 0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb
SHA256 0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb
Tags amadey healer redline 9c0adb gena most discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb

Threat Level: Known bad

The file 0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb was found to be: Known bad.

Malicious Activity Summary

RedLine

Amadey

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer

Amadey family

Detects Healer an antivirus disabler dropper

Redline family

Healer family

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:51

Reported

2024-11-04 20:54

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110935353.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\347155567.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\460170960.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ww023531.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG053393.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xw006140.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ww023531.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\347155567.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\460170960.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG053393.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xw006140.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110935353.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\279277365.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\539474406.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110935353.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\279277365.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\460170960.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ww023531.exe
PID 3104 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ww023531.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG053393.exe
PID 1132 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG053393.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xw006140.exe
PID 3304 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xw006140.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110935353.exe
PID 4228 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110935353.exe C:\Windows\Temp\1.exe
PID 3304 wrote to memory of 5124 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xw006140.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\279277365.exe
PID 1132 wrote to memory of 5276 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG053393.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\347155567.exe
PID 5276 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\347155567.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3104 wrote to memory of 5404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ww023531.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\460170960.exe
PID 2904 wrote to memory of 5796 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2904 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 264 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 264 wrote to memory of 5452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 264 wrote to memory of 6128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 264 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5404 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\460170960.exe C:\Windows\Temp\1.exe
PID 2552 wrote to memory of 6136 N/A C:\Users\Admin\AppData\Local\Temp\0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\539474406.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb.exe

"C:\Users\Admin\AppData\Local\Temp\0dd843a031c6eec01640ed7e340372befbecf0c075c5f1a79812a7005fdecbeb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ww023531.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ww023531.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG053393.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG053393.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xw006140.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xw006140.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110935353.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110935353.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\279277365.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\279277365.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5124 -ip 5124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 1288

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\347155567.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\347155567.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\460170960.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\460170960.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5404 -ip 5404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 1176

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\539474406.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\539474406.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ww023531.exe

MD5 e98d0d515624835d196ba3bb6caeb148
SHA1 456011b0dfc272edc6ab0a8dd4c6fdfa05236de1
SHA256 06879885c4ae8050ead0fcf1a4d7cb9df7e7e71204b3d611a84e037dcc3c8d0e
SHA512 1770f8040f0c0fe5ac5b40ccfaf0f307c3bbfdb42b4696a37ad29a3df16d739d00fe1b507715553f2533324255f312849c1ef0a3b375610294aef31a76bfa5ad

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG053393.exe

MD5 47406c4e80d69b18944b149d07aebc6d
SHA1 4ba6e22c74f901245f52cfd6cb4a0ba8384ea350
SHA256 10372bd73f648a15fb503e9c40fdeaf31058897677a1e9764d7408edf289be05
SHA512 47e6b602edaf1180efc951ba4107198270cff8c6ba455e2f781d1bbe507c6e3c639c08d513ff5894d3a12e98c347c970ce04462b8650b649b095d723c50d2972

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xw006140.exe

MD5 a2c58fc956882be7a4af3091d53c0fe4
SHA1 51cecbc498717a2804ab57f95d215e5c5a911177
SHA256 e78cbb9e7b9c045d36749fcfc0162f84d0c36d6c360d21f30758b7d6bc4a1dbc
SHA512 f7d79e7eb32c2e85927f4cc5e363e01f56eda73d73ddaeff029c5cba4a568e9641780abab0aacdd0d02713c62dc136838f79af49cdecd8fe0dfe015cc656d31c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\110935353.exe

MD5 7fb28c1bc2bdec49630491f1975279fb
SHA1 aeed082f75c59592be9f037a03229ec938424a02
SHA256 ec9cadfe9d68f89de2cf929b1a4d02859db70bb3ab440b6439051d93a38157a1
SHA512 a9e635601df4fe1dfff5a79f673a22d6af4f346b0309133c4fdfe7abd80d047b35220e9a625755efe665f6ba0f53f8d48a7a836903da530697b0087dfa959394

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\279277365.exe

MD5 4f35b65b76115183a7581f878af0b30d
SHA1 ab321667bbd59ba8fd286e8930e73cdc1eeb3175
SHA256 ecde7f6189c4390f1157b4daad626181f042a5387e8054e0768885140a7b1171
SHA512 ce4b7cccce64b7b8a8236b651cc3619597a1b758aba9cd898e134785e0581aa8881a246773223a6e4f6c4ad4ccd877d8acabd05bc11de1c4dafa45b0db02ae3d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\347155567.exe

MD5 96d369499e42daaba5827c464ef1e57d
SHA1 66dcb558c4651eb0b38bf008ddbcd68088cbf691
SHA256 a535205ecae03ee3f9c72b6be70d76ed01fee4d078cd9add7472d7a08af9ef14
SHA512 ab5f242669b8fca50e1c0d1ca1caa14a1bb275becced5e138673fb8966dd679893279201297140be2517f6a087eed2b5233bf4cb7a0c17d3a607b1da31e4be22

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\460170960.exe

MD5 39d0fc4b539fcfd3e403893f0f5f4e36
SHA1 de2fef0fc8b7d86d5fb32704107e314dbcf46969
SHA256 cdd2c318b2cab8f9d04dc1161fbd43378b453ddfe6e8d60a5f2492f724758c07
SHA512 c46e0cecc1712f5a3d0d7846ce0ac654fc10c5d61952b63fd2b359c7e0c7295bc01f5acc15a4b283a74cf11a796cdbd8f8b2520b8380f15e535b603eaf56e562

C:\Windows\Temp\1.exe

MD5 f16fb63d4e551d3808e8f01f2671b57e
SHA1 781153ad6235a1152da112de1fb39a6f2d063575
SHA256 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512 fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\539474406.exe

MD5 23bf8277fe81d432902a96d16906735b
SHA1 998bd641c8084bf425b2185419f3d91f4cf0dec4
SHA256 743b918aa649e9dfb54739b2ac00523fa048d1495dcf1ed3baf6afe5b10b106b
SHA512 cd0db15dd275d05d7156842ee3033fdd834c623a321ee476e53dfc400f6bf9f1a3df06e4e815071da554ba2e2b075bfc16ba2087ff92e84a29b55f501e3aadf2
