Malware Analysis Report

2025-08-10 13:17

Sample ID 241109-egmw6sxbnb
Target ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b
SHA256 ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b

Threat Level: Known bad

The file ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Healer

Healer family

Detects Healer an antivirus disabler dropper

RedLine payload

Amadey

Amadey family

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:54

Reported

2024-11-09 03:57

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe | N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402142133.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402142133.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 384 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe
PID 384 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe
PID 384 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe
PID 3508 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe
PID 3508 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe
PID 3508 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe
PID 2284 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe
PID 2284 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe
PID 2284 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe
PID 4780 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe
PID 4780 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe
PID 4780 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe
PID 4780 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe
PID 4780 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe
PID 4780 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe
PID 2284 wrote to memory of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe
PID 2284 wrote to memory of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe
PID 2284 wrote to memory of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe
PID 4476 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4476 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4476 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3508 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402142133.exe
PID 3508 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402142133.exe
PID 3508 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402142133.exe
PID 4492 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4492 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4492 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4492 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 3168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 3168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 3168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 1828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 5000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 5000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 5000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 3672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 3672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 3672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3872 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b.exe

"C:\Users\Admin\AppData\Local\Temp\ba6c6194a38861ee6627ae6edc4d43ff687a50e28bcfdaa766afb0437ab9a92b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2768 -ip 2768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402142133.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402142133.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tv936539.exe

MD5 025fd77d10352e52e00e65b1645b1d3c
SHA1 ef87656d79af2404ad843e17364e2bd9e83fc77e
SHA256 d4b42b63c9e70f4e0a986bd9676cd1a9f81243b24cd75a18d942b00c97a6e8db
SHA512 e0d60f6d43f53fac619ec88fe81e43e223c6c839ecbb8bce7156ddf4409b1c8f8a314f2ef2c1843399f91550a2b3c2bcd83f7f7a893ba2324c79ffeabe27895b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws918559.exe

MD5 2aa24d3215402f86109c295f1928f48a
SHA1 4787d8e206c04d4643117309b38a4df60a5279a9
SHA256 ad594edce5ae6559f9f1b4c48cab7deb72a3abc890f719034f786715b4b00e4f
SHA512 ea217df8f8db1a8f35b0002f7dc7c310f35bfea5bec562e293886e6cdb8dba33d2ac3100331e347764738635161bfaf0f4e030e3d77d5cb59b1f43a01beca360

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bk311705.exe

MD5 d0a68f0e4e37b78392e4b11a4db406d1
SHA1 b0be00237c5fd9761dfec093a3d0b09d7a507533
SHA256 f1a3d0becd195eec288fdfc4ba26b63aa222ff59638a69a473475ec5e8d89a57
SHA512 c812fe3732a2adc5cf509d84800f628dcd795686edda6337e6f28b2bd36f8a48dd601368d3b2c873b641294bcb9c32045cec27065e26366948d28f1d406bd7b5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126957352.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/2376-28-0x0000000002590000-0x00000000025AA000-memory.dmp

memory/2376-29-0x0000000004C40000-0x00000000051E4000-memory.dmp

memory/2376-30-0x0000000002770000-0x0000000002788000-memory.dmp

memory/2376-32-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-58-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-56-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-54-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-52-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-50-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-48-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-46-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-44-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-42-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-40-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-38-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-36-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-34-0x0000000002770000-0x0000000002783000-memory.dmp

memory/2376-31-0x0000000002770000-0x0000000002783000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\219982017.exe

MD5 78f0891f72be2bc39c2d7944e191de03
SHA1 bb20ab2ddf068d26540fbfdd2f3967736f60b712
SHA256 79b4ff5339472cb9f48d10ab342a1cf4530cd61018e9e75e3ec8d91fc42511a5
SHA512 67c406d21431d2b1bf373416955a0778eadd3551a71b13a782e2eff8c320388f767f642440c8cffbf5cb1b229f8e5a3741b81920f85c358ac581dda0f2cedec9

memory/2768-92-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2768-94-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\331668720.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\402142133.exe

MD5 567d1aaa3220aa94acdb57958a3b4359
SHA1 286fee103ea961f85b13943a635374e1f03815b5
SHA256 ddd8c53cedff530d39c78de21e6c33abd02061dea9e373a97e8eb144fee59bc2
SHA512 28ccb18495da060297a6c0ef557d9cb6ff7a712ec65d0e829863b198616cc352343d5e7890e31ebdec398c98675219373e33d687a3b2b52415c502c1d05ababd

memory/4828-112-0x00000000025B0000-0x00000000025EC000-memory.dmp

memory/4828-113-0x0000000005140000-0x000000000517A000-memory.dmp

memory/4828-117-0x0000000005140000-0x0000000005175000-memory.dmp

memory/4828-115-0x0000000005140000-0x0000000005175000-memory.dmp

memory/4828-114-0x0000000005140000-0x0000000005175000-memory.dmp

memory/4828-119-0x0000000005140000-0x0000000005175000-memory.dmp

memory/4828-906-0x0000000007670000-0x0000000007C88000-memory.dmp

memory/4828-907-0x0000000007D30000-0x0000000007D42000-memory.dmp

memory/4828-908-0x0000000007D50000-0x0000000007E5A000-memory.dmp

memory/4828-909-0x0000000007E70000-0x0000000007EAC000-memory.dmp

memory/4828-910-0x00000000024A0000-0x00000000024EC000-memory.dmp