Malware Analysis Report

2025-08-05 10:16

Sample ID 241109-fwmqds1men
Target 891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309
SHA256 891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309

Threat Level: Known bad

The file 891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Redline family

RedLine payload

Amadey

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Amadey family

Detects Healer, an antivirus disabler dropper

Healer family

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:13

Reported

2024-11-09 05:16

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\428716443.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\428716443.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4700 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe
PID 4700 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe
PID 4700 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe
PID 4536 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe
PID 4536 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe
PID 4536 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe
PID 2148 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe
PID 2148 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe
PID 2148 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe
PID 3060 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe
PID 3060 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe
PID 3060 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe
PID 3060 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe
PID 3060 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe
PID 3060 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe
PID 2148 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe
PID 2148 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe
PID 2148 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe
PID 4252 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4252 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4252 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4536 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\428716443.exe
PID 4536 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\428716443.exe
PID 4536 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\428716443.exe
PID 4928 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 4928 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 4928 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 3480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 1568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 1568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 1568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 5076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 5076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 5076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 4724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 4724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 4724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 32 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 32 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 32 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2080 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309.exe
    "C:\Users\Admin\AppData\Local\Temp\891e6a8caed0a81b1bfdb8b945c43b34d03e165190e246d49855f4e02ba86309.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4288 -ip 4288

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\428716443.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\428716443.exe

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
    CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.143:38452 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra951495.exe

MD5 125602bdae134852612d576f1bd13ffd
SHA1 f128cbac54ab1eb4b37f852337910a19aca5e3a2
SHA256 2c4f2ec46aabd6b05d488d933033ce6d72259a76d96725f9027ffa74f44adc6c
SHA512 adbee57043da95cedfb1e3e703796c23dbcb5266ee037759eb54cb55780d1e0aa88b4f79c72c2bc2b6e8f5385206ab58fbe3e3885ead9171e410c26b6c42369b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ979473.exe

MD5 6a9a467ac5141a30f216429e81912b25
SHA1 08a4f19393d0eb9ad42a743692430b83b7319771
SHA256 de050de282624481009d1fafcf55a9e88c6083793180a2e7773ef080918d406a
SHA512 d894b6721cc69b8012d1f0b587bb6c333ef948123eb75ce971a3ebbd80c7e26bcb6c437a491655b976729fcae516e61c414d7a21027c2806d945f950274ced5d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ll918004.exe

MD5 edfe5f64f35d7af4f3451213dde05cd3
SHA1 2928c4e2cacc3a6e709bb4edc8d09798bca04a81
SHA256 b3e393ee2154b88c451f0fbb63107ebbe7737c51496629a222329a49e4eba1ec
SHA512 6d006aed28f43e3d811c66b73aa8372421054a595049c0062639326f307c9d337326ad6b9b8e4b4a123ebfa6989cba611e67c1afa8c9b5db57a4f0dbaafb224e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129186351.exe

MD5 3d10b67208452d7a91d7bd7066067676
SHA1 e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512 b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

memory/4572-28-0x00000000021E0000-0x00000000021FA000-memory.dmp
memory/4572-29-0x0000000004C70000-0x0000000005214000-memory.dmp
memory/4572-30-0x0000000004AC0000-0x0000000004AD8000-memory.dmp
memory/4572-56-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-58-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-54-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-50-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-46-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-44-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-40-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-38-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-36-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-34-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-32-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-31-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-52-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-48-0x0000000004AC0000-0x0000000004AD3000-memory.dmp
memory/4572-42-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253184295.exe

MD5 5196b35c6d69f5fe822aa40436430ff0
SHA1 1cc254a6d58c06e25fc03308eac95d5dfb16257f
SHA256 356486aebdcc77b86abc51e922231d4f622b9a3dad76254c783392358e3d7dba
SHA512 47d4281863a44f29840d5c1e1871d3ea55e8bccdcacf83eb19ec0c94f042d2b1dbf96674ca2d24ef33d8b806fd488398b6181185b88784d6a62cc9138c6c4e6a

memory/4288-93-0x0000000000400000-0x0000000002B9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\306788896.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\428716443.exe

MD5 a885887fcf9c043c58ea55c0dcd1376b
SHA1 61f340fea7eb6423b75c3b040c0917667d504124
SHA256 658fc79a117646d4f8b9656836fd46e70619c4005b4542d958c4a21fa1d5fbf1
SHA512 75b80864af76ed4ff20392a4c4b32379c1fd4e545d8537dca933943941b289e5ef060b4bd396e51dbab599cbfd8f929cea8781956800c9be1eef3f798fd15da8

memory/3036-112-0x0000000004A80000-0x0000000004ABC000-memory.dmp
memory/3036-113-0x0000000004C60000-0x0000000004C9A000-memory.dmp
memory/3036-119-0x0000000004C60000-0x0000000004C95000-memory.dmp
memory/3036-117-0x0000000004C60000-0x0000000004C95000-memory.dmp
memory/3036-115-0x0000000004C60000-0x0000000004C95000-memory.dmp
memory/3036-114-0x0000000004C60000-0x0000000004C95000-memory.dmp
memory/3036-906-0x0000000009C90000-0x000000000A2A8000-memory.dmp
memory/3036-907-0x000000000A340000-0x000000000A352000-memory.dmp
memory/3036-908-0x000000000A360000-0x000000000A46A000-memory.dmp
memory/3036-909-0x000000000A480000-0x000000000A4BC000-memory.dmp
memory/3036-910-0x0000000004940000-0x000000000498C000-memory.dmp