Malware Analysis Report

2025-08-05 10:16

Sample ID 241109-fwckes1mej
Target 788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c
SHA256 788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c

Threat Level: Known bad

The file 788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey family

RedLine

RedLine payload

Healer

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer an antivirus disabler dropper

Healer family

Amadey

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:12

Reported

2024-11-09 05:15

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\426197002.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\426197002.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe
PID 4996 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe
PID 4996 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe
PID 908 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe
PID 908 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe
PID 908 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe
PID 2164 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe
PID 2164 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe
PID 2164 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe
PID 2000 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe
PID 2000 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe
PID 2000 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe
PID 2000 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe
PID 2000 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe
PID 2000 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe
PID 2164 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe
PID 2164 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe
PID 2164 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe
PID 1732 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1732 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1732 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 908 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\426197002.exe
PID 908 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\426197002.exe
PID 908 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\426197002.exe
PID 4900 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4900 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4900 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4900 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 4148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 4148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3744 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c.exe

"C:\Users\Admin\AppData\Local\Temp\788dd953540f2fae264119b2b65fede9b4b87c26d71dd137bff4215b2bfd492c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4172 -ip 4172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\426197002.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\426197002.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jX959883.exe

MD5 af7f4ebbede54191aef2f9d0d4b1c89c
SHA1 551ddc5cd3b9921cb89b0e9d5517eafecba2abc6
SHA256 4a5338b8e09e7490db3e841fa409e510b034edb0b1a114a35194073942391c25
SHA512 4c5c7b25700b0b5fba6423a0bb41f033f8d33ba696dfabea3709d92b3034155cd39a2c36334ec3af00ff22611028a7da5bab4385e93155b3a56f5cb40065c7ad

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JW550705.exe

MD5 fd0f9443af5d72eb0b4311e951da91ee
SHA1 ac1e27c2ba9f1bbdf1bedc9a3773d1ab55ae1325
SHA256 d189bd81da28c65b1037cc2bf2c2b2f94d3ce3054cc7ccf83a6001676d9cd6d9
SHA512 da6a120fa8fb306b55d2e6dc70da2c45f8417f4794b555a6be8fdbd17dbb694e78f526fb40e07edf9355bcd27c36d9f7b895dbf494ec2f5205a24f2f392f08d9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MI841824.exe

MD5 de61ed09c3ddc02458b69858ad3db2f1
SHA1 435be622f22fc26bacc7c839b142344ad176f444
SHA256 2e9e806497e4765c571dfdd6733e26104d8b09ad28ec26450515ceef32e7f84c
SHA512 af8e91333693acae1557d98683b728b5420c19d8e1e31f1cf3da1279781d20d30201e4dafd81a2aee09e122e00b46ffbed996ff8dee7f5708f6b03c130f5923d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119222277.exe

MD5 47bea7d3f2e53c08abd63b1b22612366
SHA1 a4204926dec3de4e0da2ae0dc891e68f8ed7d48f
SHA256 12a1b93373d67890913d7701255437e5c54db8f050cc7a1e29189658f1a1603a
SHA512 b7de43644dec4c569bd261721a2c897efabbb1af0d5feec1e861a03ba70afea25c86e856c660f614610d7d694e7ed4566fa7b59f4812c9b1d5cc49437c69597a

memory/1052-28-0x00000000048C0000-0x00000000048DA000-memory.dmp

memory/1052-29-0x0000000004A70000-0x0000000005014000-memory.dmp

memory/1052-30-0x0000000004980000-0x0000000004998000-memory.dmp

memory/1052-58-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-56-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-54-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-52-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-50-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-49-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-46-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-44-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-42-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-40-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-38-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-36-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-34-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-32-0x0000000004980000-0x0000000004993000-memory.dmp

memory/1052-31-0x0000000004980000-0x0000000004993000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\295458308.exe

MD5 ce7e2f95447579f183ec87efae5dab27
SHA1 2846e723aaedcd94b1687a91e7a650c4efa1d263
SHA256 04f60db9913ea918a5cb370318eb77fef8b2225b58ced151322803601e73c6a0
SHA512 901a3a0427c83d8e59d3d6cd61d08ae26d69248fe1ce04095ab4f9670d52f5a60130e9eca40a7f63c1ce7c860308657233a48659f23b6f4c2389d0b3a1769648

memory/4172-64-0x0000000002480000-0x000000000249A000-memory.dmp

memory/4172-65-0x0000000004A00000-0x0000000004A18000-memory.dmp

memory/4172-66-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-73-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-93-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-91-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-89-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-87-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-85-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-83-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-81-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-79-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-77-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-75-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-71-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-69-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-67-0x0000000004A00000-0x0000000004A12000-memory.dmp

memory/4172-94-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4172-96-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359409309.exe

MD5 63b91cbfcf365346395637f58392e4be
SHA1 8d72e23a964fb6fb05a0237914c125635d1a007c
SHA256 f6ea2cf05d06e7cd7af43ec61a0f748b12b42e9670db34fb284051a25e2376a9
SHA512 f464a6ade85df1f35ccb8369d967242ef8a7a744eacce0ed6889f249e4e7aa0fc0bbb4729b2d9f56d21a6230faf124ae8c84b89f2879e6ad0e99b9b32ab86c44

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\426197002.exe

MD5 036b700ae4c9072d30fbe1ed241a8188
SHA1 03d9de051a230df784b3a0caef3c7b8b3365cb28
SHA256 fc8c38f19ca37381be48ed56b330afcf2e9b12f0f8f727cb89a9457bbc309e3a
SHA512 84328b47f825fd89ebd55ffd224689dd8fbec3b14637b971be7b2c27709b131ec8fee72afff9f52efb221d3e15347d8e04d50df50faf6fbaa8f69bdc21ac9289

memory/2100-114-0x00000000024E0000-0x000000000251C000-memory.dmp

memory/2100-115-0x0000000004A50000-0x0000000004A8A000-memory.dmp

memory/2100-117-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2100-116-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2100-121-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2100-119-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2100-908-0x0000000007B60000-0x0000000008178000-memory.dmp

memory/2100-909-0x00000000075E0000-0x00000000075F2000-memory.dmp

memory/2100-910-0x0000000007600000-0x000000000770A000-memory.dmp

memory/2100-911-0x0000000007720000-0x000000000775C000-memory.dmp

memory/2100-912-0x0000000004540000-0x000000000458C000-memory.dmp