Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-frvkfaybnr
Target c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30
SHA256 c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30

Threat Level: Known bad

The file c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

Amadey

Healer

RedLine payload

Redline family

Healer family

Detects Healer an antivirus disabler dropper

RedLine

Modifies Windows Defender Real-time Protection settings

Amadey family

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:06

Reported

2024-11-09 05:09

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d61223341.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b72314277.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f11781714.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b72314277.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d61223341.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe
PID 2784 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe
PID 2784 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe
PID 3928 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe
PID 3928 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe
PID 3928 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe
PID 2924 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe
PID 2924 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe
PID 2924 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe
PID 32 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe
PID 32 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe
PID 32 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe
PID 2080 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe
PID 2080 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe
PID 2080 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe
PID 3024 wrote to memory of 5544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe C:\Windows\Temp\1.exe
PID 3024 wrote to memory of 5544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe C:\Windows\Temp\1.exe
PID 2080 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b72314277.exe
PID 2080 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b72314277.exe
PID 2080 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b72314277.exe
PID 32 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe
PID 32 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe
PID 32 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe
PID 2764 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2764 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2764 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2924 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d61223341.exe
PID 2924 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d61223341.exe
PID 2924 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d61223341.exe
PID 1208 wrote to memory of 5816 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1208 wrote to memory of 5816 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1208 wrote to memory of 5816 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1208 wrote to memory of 6168 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 6168 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1208 wrote to memory of 6168 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6168 wrote to memory of 6280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6168 wrote to memory of 6280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6168 wrote to memory of 6280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6168 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 5368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6168 wrote to memory of 5368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6168 wrote to memory of 5368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6168 wrote to memory of 5520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 5520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 5520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6168 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3928 wrote to memory of 6312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f11781714.exe
PID 3928 wrote to memory of 6312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f11781714.exe
PID 3928 wrote to memory of 6312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f11781714.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30.exe

"C:\Users\Admin\AppData\Local\Temp\c50028510e2fb63adc4d1a00e4267b1e1564b75a201723c74f5946db2ed46c30.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b72314277.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b72314277.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 548 -ip 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1184

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d61223341.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d61223341.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 220 -ip 220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1252

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f11781714.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f11781714.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53           104.219.191.52.in-addr.arpa   udp
US       8.8.8.8:53           172.214.232.199.in-addr.arpa  udp
US       8.8.8.8:53           73.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
RU       193.3.19.154:80      -                             tcp
RU       185.161.248.73:4164  -                             tcp
RU       185.161.248.73:4164  -                             tcp
US       8.8.8.8:53           149.220.183.52.in-addr.arpa   udp
RU       193.3.19.154:80      -                             tcp
RU       185.161.248.73:4164  -                             tcp
RU       193.3.19.154:80      -                             tcp
RU       185.161.248.73:4164  -                             tcp
US       8.8.8.8:53           21.236.111.52.in-addr.arpa    udp
RU       193.3.19.154:80      -                             tcp
RU       185.161.248.73:4164  -                             tcp
RU       193.3.19.154:80      -                             tcp
RU       185.161.248.73:4164  -                             tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZK934851.exe

MD5 c1c7165d9b90eac3086f98bd2b46ffdb
SHA1 49dab346870614f85309fa682fbf8e67b8174bf5
SHA256 b76313f8bc4fab8afb512c2defb47f2eeee4694dbef936c19631fe69c8097e66
SHA512 19a18840da4817a112d662e163d3860995c2fd8709491be76ec0269b25a97952b2155d5301f0ba141f1011ebfc8d8797e824a60b3b0dfd83e00411173da1ecec

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OC828371.exe

MD5 3fac53e2684e498f2b317f9ad62fba23
SHA1 01c32699c36cf6c31e5676aac01b392f826c453a
SHA256 4452e6c8fc899e2c3ed91362b18d66a492d4a4ee3a19986672fcd4a48121983d
SHA512 61080cc016551979ee7f0075d6a0e17babd1d878c154b42515cda8c19d4bd72296de7aded8c87196af499e7f22d8154c30da6d83d269dae09e2a1a98c6302318

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IE393171.exe

MD5 4c1e492185d08653347bb3e6db31b00a
SHA1 13abb8dcfa36f3b1a9a2da411fbe97120bc0b367
SHA256 12efbcb1e3e33b25966eed644f3482a54bf4711d26c78029cf113729525f9239
SHA512 0d5c16c55283ea37563651437bee9bdd9d43fabf6ab1605215c2880b41f98ac3bfd11a48a7e76c31a1186131563a5883ab8d9be373e7312eab3ebee4546608c0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nD818366.exe

MD5 f94737366b3cbe6f45014aa60939b0f0
SHA1 2403e3668cd0ce009101d372101bf2c37f2b32df
SHA256 d7ad8020337e67f2aeb044ba7e187bd76c29093d4bf52a4de2aaf604cda4a49e
SHA512 8b37d0cff77d3316a52820bcfc70b0dde046168bd8cdc82f5855706791355f892f0168294ec81ef8ddf7041c1fb223ab4821a283d29c084f4784bf7fbb6ef421

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46842151.exe

MD5 e3405f155eda63b502b2b7355952cce0
SHA1 5137c881e5ca6b369a17b0ace172f920feeb9e3b
SHA256 a16720e9725b6c3d81f73d24c7024611851d09e3f9de0b638f9167a435f5c45c
SHA512 7cd3786735f5f7ab42eaba6dbf00887741bde88906157b9a35c93b8a5ca9f1dee266457ef2958cc303d56b1713201714c5b0bf09af6d6963e6e9ffb5ad9baa39

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/5544-2179-0x0000000000B00000-0x0000000000B0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b72314277.exe

MD5 bb19583519f3eb31c0b2369cf35145e7
SHA1 2f8b5a2c0a493648cf41691a22f830506efa65ff
SHA256 5acac09a32c434218bc7c262d1a0f30f8ea0451401b6ef88794b5b42f2e0eabf
SHA512 3d7f5a26fe1fffd73185fb88f08e00474fbd613830062b0fa64c93d9c9c5ee8d638b71eede427dd884b4ad4d153975094eacbd5d82dc3358de3077c0ee9fce2c

memory/548-4312-0x0000000005750000-0x00000000057E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c93252537.exe

MD5 fedffcb03dd240a6092a84e43a3b330b
SHA1 7ff95dae42be69beb98271966c6c2c47d3c313a4
SHA256 ad79e9c65c92fcc99713869a81fe123817de0a6af9379a7d760b919d90a0fcc2
SHA512 ab9222f21b59b23d7148fe64b3d2bc9ad48d4e956e6db2357351fb0a6b89ecedfc2fe4576dc416771d05a091ff000af3f24a93ae9918ef49a40c814f50fb4d22

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d61223341.exe

MD5 0a1e7bec50af5a9975a573da576c20ab
SHA1 b508a4c3dbcade168b51e79d2e32123cae44dcb5
SHA256 33d6b222dbb92180841476a75a3c0fd5762e33d008eb8d8b5bf9853f5b541a4f
SHA512 caef425124ed9b0f0eabc57e9cc3c9ac7e18f5bf638ac52c826b7249521aadf2d3e9b804d521ebdde48bd6c033868cbd7a697b9612f6f9b928d2819755190831

memory/220-4332-0x0000000004ED0000-0x0000000004F38000-memory.dmp

memory/220-4333-0x0000000005530000-0x0000000005596000-memory.dmp

memory/220-6480-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f11781714.exe

MD5 9c038d925221c2fda18ec24089337bf8
SHA1 4a834627d8a9634e7bbfbcb80a3ef2d40b9fcb9d
SHA256 8ce943e5d2e1d5609e1293655ae05efec411d0f7670e9026c51cd063612fe874
SHA512 91f9bf22a765772ab81ef998c4fb7f00b81f2e3f392ee1fdf3ece6e043d8615639307d08e82d3ecdf454660507806b4d1bbdca9265d5ee505800210f2cd07cbe
