Malware Analysis Report

2025-08-05 10:15

Sample ID 241109-fv3efsycjb
Target fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da
SHA256 fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da

Threat Level: Known bad

The file fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer family

Redline family

Amadey family

Healer

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Amadey

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:12

Reported

2024-11-09 05:15

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Geo\Nation holds the user's GeoID (country/region). The trace shows three stages reading it but not what they did with the answer, so treat this as a locale check of unknown effect rather than proven geofencing.

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A
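The two Defender tables above (the Real-Time Protection policy values and TamperProtection, all written by C:\Windows\Temp\1.exe) are exactly what a host sensor logs as registry SetValue events. The following is an added example, not sandbox or sample code: it parses rows in this page's own table format, picks out the writes that switch a Defender protection off, and ignores unrelated writes (the last sample row is a constructed benign one). A Sysmon Event ID 13 feed maps onto the same RegSetEvent fields. The trace records the writes, not their effect: on a host with Tamper Protection enabled, Defender is designed to disregard policy-based disabling of these components, so the detection value lies in the attempt itself.

```python
"""Flag the Defender-disabling registry writes recorded in this trace.

Added example for this report. Rows are copied from the signature tables
above plus one constructed benign row; the parsing and matching are mine,
not the sandbox's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Policy key whose Disable* values switch off real-time protection components.
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
# Key holding the Tamper Protection switch (0 = off).
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"

# Row format used by the signature tables on this page:
#   Set value (int) <key>\<value> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<path>.+?) = "(?P<data>.*?)" (?P<process>\S+) (?P<target>\S+)$'
)

# Six rows from the tables above; the final row is constructed and benign.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\explorer.exe N/A
""".strip().splitlines()


@dataclass(frozen=True)
class RegSetEvent:
    process: str
    key: str          # full key path without the value name
    value_name: str
    data: str


@dataclass(frozen=True)
class Finding:
    process: str
    value_name: str
    reason: str


def parse_row(row: str) -> Optional[RegSetEvent]:
    """Parse one 'Set value' row; return None for rows that are not value writes."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    key, _, value_name = m["path"].rpartition("\\")
    return RegSetEvent(m["process"], key, value_name, m["data"])


def find_defender_tampering(events: List[RegSetEvent]) -> List[Finding]:
    """Return one Finding per write that turns a Defender protection off."""
    findings = []
    for ev in events:
        key = ev.key.lower()
        if key == RTP_POLICY_KEY.lower() and ev.value_name in DISABLE_VALUES and ev.data == "1":
            findings.append(Finding(ev.process, ev.value_name,
                                    "real-time protection component disabled via policy key"))
        elif key == FEATURES_KEY.lower() and ev.value_name == "TamperProtection" and ev.data == "0":
            findings.append(Finding(ev.process, ev.value_name, "Tamper Protection switched off"))
    return findings


def analyze(rows: List[str]) -> List[Finding]:
    """Parse rows in the page's table format and run the Defender check over them."""
    events = [e for e in (parse_row(r) for r in rows) if e is not None]
    return find_defender_tampering(events)


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f"{f.process}: {f.value_name} -> {f.reason}")
```

The match is deliberately exact on key path, value name and data: a write of "0" to one of the Disable* values (re-enabling protection) or a write under an unrelated key produces no finding, which keeps the rule quiet on ordinary policy refreshes.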

Adds Run key to start application

persistence

The wextract_cleanup<N> RunOnce values below are the cleanup hook of the Windows IExpress self-extractor (wextract), which every IXP<NNN>.TMP layer of this sample was built with: at next logon rundll32 calls advpack.dll,DelNodeRunDLL32 to delete that layer's extraction directory. They do not relaunch the malware; the persistence that survives a reboot is the scheduled task created for oneetx.exe, listed under Scheduled Task/Job below.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d46545336.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b77470572.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f46875279.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

The table records no indicator; the task definition is visible in the Processes section, where oneetx.exe runs schtasks.exe /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F, a task that relaunches the dropped copy every minute and overwrites any existing task of that name (/F).

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b77470572.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d46545336.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe
PID 4868 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe
PID 4868 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe
PID 3536 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe
PID 3536 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe
PID 3536 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe
PID 2948 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe
PID 2948 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe
PID 2948 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe
PID 348 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe
PID 348 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe
PID 348 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe
PID 1444 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe
PID 1444 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe
PID 1444 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe
PID 2756 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe C:\Windows\Temp\1.exe
PID 2756 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe C:\Windows\Temp\1.exe
PID 1444 wrote to memory of 5444 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b77470572.exe
PID 1444 wrote to memory of 5444 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b77470572.exe
PID 1444 wrote to memory of 5444 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b77470572.exe
PID 348 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe
PID 348 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe
PID 348 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe
PID 3960 wrote to memory of 6896 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3960 wrote to memory of 6896 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3960 wrote to memory of 6896 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2948 wrote to memory of 7092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d46545336.exe
PID 2948 wrote to memory of 7092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d46545336.exe
PID 2948 wrote to memory of 7092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d46545336.exe
PID 6896 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6896 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6896 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6896 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6896 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6896 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 6364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 6364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 6364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 7164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 7164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 7164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 5568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 5568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 5568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 5468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 5468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 5468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3536 wrote to memory of 6232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f46875279.exe
PID 3536 wrote to memory of 6232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f46875279.exe
PID 3536 wrote to memory of 6232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f46875279.exe
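The WriteProcessMemory table above is a flat list, and each parent/child pair appears up to three times. The following added example, not part of the report, rebuilds the spawn tree from rows in that format so the five nested IXP<NNN>.TMP layers and the branches that end in 1.exe, oneetx.exe and the two stages handed to WerFault read as one tree. The rows are copied from the table above; only the first pair is kept in triplicate, to show the write counting without repeating the whole table.

```python
"""Rebuild the process tree from the 'wrote to memory' rows above.

Added example for this report, not sandbox code. Rows are copied from the
WriteProcessMemory table; the first pair is kept in triplicate as the trace
logs it, the others appear once to keep the listing short.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A (?P<parent_image>\S+) (?P<child_image>\S+)$"
)

TRACE_ROWS = r"""
PID 4868 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe
PID 4868 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe
PID 4868 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe
PID 3536 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe
PID 2948 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe
PID 348 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe
PID 1444 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe
PID 2756 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe C:\Windows\Temp\1.exe
PID 1444 wrote to memory of 5444 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b77470572.exe
PID 348 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe
PID 3960 wrote to memory of 6896 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2948 wrote to memory of 7092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d46545336.exe
PID 6896 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6896 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 6364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 7164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 5568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 5468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1088 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3536 wrote to memory of 6232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f46875279.exe
""".strip().splitlines()


def build_tree(rows: List[str]) -> Tuple[Dict[int, List[int]], Dict[int, str], Counter]:
    """Return (children by parent pid, image path by pid, write count per parent/child pair)."""
    children: Dict[int, List[int]] = defaultdict(list)
    image: Dict[int, str] = {}
    writes: Counter = Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        parent, child = int(m["parent"]), int(m["child"])
        image[parent] = m["parent_image"]
        image[child] = m["child_image"]
        if child not in children[parent]:          # keep first-seen order, drop repeats
            children[parent].append(child)
        writes[(parent, child)] += 1
    return dict(children), image, writes


def roots(children: Dict[int, List[int]]) -> List[int]:
    """Pids that were never written to by another pid: the submitted sample."""
    spawned = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in spawned)


def ancestry(children: Dict[int, List[int]], pid: int) -> List[int]:
    """Chain of pids from the root down to pid."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(children: Dict[int, List[int]], image: Dict[int, str], pid: int, depth: int = 0) -> List[str]:
    """Indented tree lines, one per pid, showing only the image file name."""
    basename = image[pid].rsplit("\\", 1)[-1]
    lines = [f"{'    ' * depth}{pid}  {basename}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


if __name__ == "__main__":
    kids, img, counts = build_tree(TRACE_ROWS)
    for root in roots(kids):
        print("\n".join(render(kids, img, root)))
```

Reading the tree rather than the table makes two things obvious at once: a16572360.exe is the only stage that reaches C:\Windows\Temp\1.exe, and everything under oneetx.exe (schtasks.exe, cmd.exe and the four cacls.exe children) is that stage's own persistence and self-protection, not the dropper chain's.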

Processes

C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe

"C:\Users\Admin\AppData\Local\Temp\fe539836351bf76cb3965351af7bf5bde1894a13e1a9693b1c4bdac2019f83da.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b77470572.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b77470572.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5444 -ip 5444

(-p 5444 is b77470572.exe, per the WriteProcessMemory rows; this and the PID 7092 WerFault invocation further down are the "Program crash" entries from the summary.)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d46545336.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d46545336.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7092 -ip 7092

(-p 7092 is d46545336.exe, per the WriteProcessMemory rows.)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f46875279.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f46875279.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
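The schtasks.exe and cmd.exe/CACLS lines above are the two commands the oneetx.exe stage ran: a minute-interval task that relaunches the dropped copy, and an ACL rewrite that first replaces the ACL on oneetx.exe and its directory with no access for the Admin user (/P without /E replaces the whole ACL, and the echo Y| pipe answers the confirmation prompt that form of CACLS asks) and then edits it back to read-only. The following is an added example, not code from the sample or the sandbox: it parses both command lines as copied from the Processes section and reduces the CACLS chain to the paths left read-only.

```python
"""Decode the schtasks and cacls command lines run by the oneetx.exe stage.

Added example for this report. The two command lines are copied from the
Processes section; the parsing and the 'locked read-only' classification
are mine, not the sample's or the sandbox's.
"""
import re
from typing import Dict, List, Optional

SCHTASKS_LINE = r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'
CMD_LINE = r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'

# CACLS <path> /P <user>:<perm> [/E]; perm is N(one) R(ead) W(rite) C(hange) F(ull).
CACLS_RE = re.compile(
    r'(?i)CACLS\s+"(?P<path>[^"]+)"\s+/P\s+"(?P<user>[^:"]+):(?P<perm>[NRWCF])"(?P<edit>\s+/E\b)?'
)


def _switch(cmd: str, name: str) -> Optional[str]:
    """Value of a /NAME switch, quoted or bare; None if absent."""
    m = re.search(rf'(?i)\s/{name}\s+(?:"([^"]*)"|(\S+))', cmd)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks(cmd: str) -> Optional[Dict]:
    """Fields of a 'schtasks /Create' command line; None if it is not one."""
    if not re.search(r'(?i)schtasks(\.exe)?"?\s+/Create\b', cmd):
        return None
    return {
        "schedule": _switch(cmd, "SC"),
        "modifier": int(_switch(cmd, "MO") or 1),
        "task_name": _switch(cmd, "TN"),
        "run": _switch(cmd, "TR"),
        "force": bool(re.search(r"(?i)\s/F(\s|$)", cmd)),   # /F overwrites an existing task
    }


def parse_cacls_chain(cmd: str) -> List[Dict]:
    """Split a cmd.exe command on && and return each CACLS /P operation in order."""
    ops = []
    for stage in cmd.split("&&"):
        m = CACLS_RE.search(stage)
        if not m:
            continue
        ops.append({
            "path": m["path"],
            "user": m["user"],
            "perm": m["perm"].upper(),
            "edit": m["edit"] is not None,      # /E edits the ACL; without it /P replaces it
            "auto_yes": bool(re.search(r"(?i)echo\s+Y\s*\|", stage)),  # answers the replace prompt
        })
    return ops


def locked_paths(ops: List[Dict]) -> Dict[str, str]:
    """Paths whose ACL was replaced by 'user: no access' and then edited to read-only."""
    state: Dict[str, List] = {}
    for op in ops:
        key = op["path"].lower()
        if not op["edit"] and op["perm"] == "N":
            state[key] = ["replaced", op["user"], op["path"]]
        elif (op["edit"] and op["perm"] == "R" and key in state
              and state[key][0] == "replaced" and state[key][1] == op["user"]):
            state[key][0] = "read-only"
    return {orig: user for stage, user, orig in state.values() if stage == "read-only"}


def summarize(schtasks_cmd: str, cmd_cmd: str) -> List[str]:
    """Human-readable lines for the two command lines."""
    task = parse_schtasks(schtasks_cmd)
    lines = [f"task {task['task_name']}: runs {task['run']} every {task['modifier']} {task['schedule'].lower()}(s)"
             + (" (overwrites existing task)" if task["force"] else "")]
    for path, user in locked_paths(parse_cacls_chain(cmd_cmd)).items():
        lines.append(f"{path}: ACL replaced, {user} left with read-only access")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SCHTASKS_LINE, CMD_LINE)))
```

Because the same user account still owns the file and directory, the rewrite is a speed bump rather than a lock: an owner keeps the right to change the ACL, so icacls <path> /reset /T from that account (or any elevated prompt) restores inherited permissions before deletion. For detection, cmd.exe spawning cacls.exe with /P and a :N grant against a path under the user's Temp directory has little legitimate use, and pairing it with a /SC MINUTE /MO 1 task pointing at the same directory narrows it further.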

Network

The in-addr.arpa names are PTR (reverse DNS) queries sent to 8.8.8.8; the address being looked up is the name's octets in reverse order, so 149.220.183.52.in-addr.arpa resolves 52.183.220.149. The two TCP destinations were contacted by IP with no preceding DNS query, and this report does not attribute either endpoint to a specific family.

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\US246065.exe

MD5 2c64e733092525475114bb890b3d7029
SHA1 c219e20d9c1ac1d0cdacd7782c19d319227fd5cb
SHA256 4b8244b442c60a6d4053b5fa83268b6f97539fb4c48dc49373db352fb372b67d
SHA512 2abb8bb96de1111c1a7d2ba040b3a7a19004f7d630e48b1b1c1ad1046eaf99554905f191a099c0528c254eadc79d60c767110bf308afffcd1033e1d8897d01fe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn824348.exe

MD5 62778c766be86446eca5a6bbdbe84763
SHA1 9a8a40f4c151c2179312d7720d96a7c01b917c30
SHA256 23356b6ba2634f348a5f0fdbb6895d9ac5c564cb3357c5b1cff2be3d8ad8749d
SHA512 919940beae3d72ce8a166fa8273f5e5da15b7987623e1a5fc161b826f25facec7e5de647908338f93be2f4bc741c446b9685445c3e28bc2e6d2414f3a0a65680

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gr720836.exe

MD5 fbdd928a81bd2a3f2669e0db25314e3c
SHA1 fbd9941a39d2da8812309cd5c9cf2ade989ad67b
SHA256 8a718586b6d019e7df9d1f7427ce4a989d1087d6a6fed45f56d92cb46232b5b0
SHA512 365b822abc806c6e9a223ff914f65c854945d314ae6e2c2a999b5394db048e52cba0d975e74d7f84f84a5c677389c909acb67dce9c1f0b077d7ec9c87d1ef714

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vI832824.exe

MD5 4ac541723f46017a1a7531f2b2cee5fe
SHA1 8456114403d8691ed4c170dc347420226bc971fe
SHA256 e81263b5401ff5eb95fadbe2ae31b871d692d18da0b670e2308088fb9c516f9d
SHA512 f09af8837927757288c52ddbdf52d946adbcff9ad9971468d1c817c147b7c8fc88f32417f2aee0d2f4424ff369f944f3358501e813b7981c7d4dc4bdfc3ed316

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a16572360.exe

MD5 b4f4cfe62ae59dec8fdea5830f9c30f3
SHA1 1208baf5683b30acb7a196accfb77f98c64d013a
SHA256 45e479474b81f90dbf946197aeafd3c028a382499f0d784616dc17cb5e6fc69a
SHA512 3d08cf2fd16583f093e6d8f46d0525155253de4430754a11d7313a97fd25c68e16c9c5cc44d2cfbb67a3f11e13836aa3e423320b530f1bf4c67d40009fc50960

memory/2756-35-0x0000000004900000-0x0000000004958000-memory.dmp

memory/2756-36-0x00000000049A0000-0x0000000004F44000-memory.dmp

memory/2756-37-0x0000000004FA0000-0x0000000004FF6000-memory.dmp

memory/2756-81-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-101-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-99-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-97-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-95-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-93-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-91-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-89-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-87-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-85-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-83-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-79-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-77-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-75-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-73-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-71-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-67-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-65-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-63-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-61-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-59-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-57-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-55-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-53-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-51-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-47-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-45-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-43-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-69-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-49-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-41-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-39-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-38-0x0000000004FA0000-0x0000000004FF1000-memory.dmp

memory/2756-2166-0x00000000052F0000-0x00000000052FA000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3352-2182-0x0000000000F50000-0x0000000000F5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b77470572.exe

MD5 fadce3644f493d7f86da5163c1ce213e
SHA1 24517587902e94353d786d2fcb9d3a5af48b06d9
SHA256 b5d86293230c3f7c2258f41d947555c8a0c0b30769cf8861bb50e72821a7fc38
SHA512 c0ffd78b60693b5fdbab9b964dc0b622625d5148d06536103a6127b265fba9bdd7c3855092963bd823baae48e1837a951dac23d87111f160998e1e9d0a6c0af5

memory/5444-4312-0x0000000005820000-0x00000000058B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c74347967.exe

MD5 e0d666c6bcab5261b88cb98c068c052f
SHA1 770c31a593e38f155b5f44d24114f157aeed3c81
SHA256 a276e0d96466fa17bea29857c75a38c1c18b7d844c69a08acb0aba5826b99b15
SHA512 41b28ba20259fa73f8ee851e97c55e60dd9a27a00df57502a3b6833f5c206d900fd13a8b873d915237b204033c8d0e68ebb6343fa8c57fff9ab75b65818ae1dd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d46545336.exe

MD5 6921bfca7d483f5595783d19d1e33bf3
SHA1 c738f363563ca73041f4c3ee6db161e84c1c892a
SHA256 7922a41470be82f2db39e32b534d0a96d8e7c8d3b0a6fc4bef7d0d576ff9db10
SHA512 17734eeb6b4890af915fb79dcffa1149763218792085153bf944399c8b55b4605d1834b185c4b4e00e9a68c747ef79555166ca89c109e3432d48bfec5cacb2ad

memory/7092-4332-0x0000000004EA0000-0x0000000004F08000-memory.dmp

memory/7092-4333-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/7092-6480-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f46875279.exe

MD5 d05cbe676251c4d13a1b6a1ab7def257
SHA1 00388dd8bc460be8128c5f5a0483a81752192bb8
SHA256 0e337ee5703225ba6adcc93c4de90ebeedd049eb617299ca321c135ae9b0fbf4
SHA512 300994e57fc39bca9a0ab0bea1f3e7605068010ec16366d3fba872b3583b9d97923749a3f124e506f774a6de71507b170f47533554f89b1c1617a537039b6ba6

memory/6232-6486-0x00000000001D0000-0x0000000000200000-memory.dmp

memory/6232-6487-0x0000000002380000-0x0000000002386000-memory.dmp

memory/6232-6488-0x0000000005230000-0x0000000005848000-memory.dmp

memory/6232-6489-0x0000000004D60000-0x0000000004E6A000-memory.dmp

memory/6232-6491-0x0000000004C90000-0x0000000004CA2000-memory.dmp

memory/6232-6492-0x0000000004CF0000-0x0000000004D2C000-memory.dmp

memory/6232-6493-0x0000000004E70000-0x0000000004EBC000-memory.dmp