Malware Analysis Report

2024-12-06 02:45

Sample ID 241110-a63xgavnes
Target 60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692
SHA256 60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692

Threat Level: Known bad

The file 60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692 was found to be: Known bad.

Malicious Activity Summary

Redline family

Amadey family

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Amadey

RedLine

Healer family

Healer

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:50

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:50

Reported

2024-11-10 00:52

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f79271581.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b84953999.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d95555049.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b84953999.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d95555049.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe
PID 4076 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe
PID 4076 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe
PID 4776 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe
PID 4776 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe
PID 4776 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe
PID 932 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe
PID 932 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe
PID 932 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe
PID 4688 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe
PID 4688 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe
PID 4688 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe
PID 760 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe
PID 760 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe
PID 760 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe
PID 4012 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe C:\Windows\Temp\1.exe
PID 4012 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe C:\Windows\Temp\1.exe
PID 760 wrote to memory of 5404 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b84953999.exe
PID 760 wrote to memory of 5404 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b84953999.exe
PID 760 wrote to memory of 5404 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b84953999.exe
PID 4688 wrote to memory of 6496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe
PID 4688 wrote to memory of 6496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe
PID 4688 wrote to memory of 6496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe
PID 6496 wrote to memory of 5316 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 6496 wrote to memory of 5316 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 6496 wrote to memory of 5316 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 932 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d95555049.exe
PID 932 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d95555049.exe
PID 932 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d95555049.exe
PID 5316 wrote to memory of 7072 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5316 wrote to memory of 7072 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5316 wrote to memory of 7072 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 5316 wrote to memory of 6084 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5316 wrote to memory of 6084 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5316 wrote to memory of 6084 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6084 wrote to memory of 5856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6084 wrote to memory of 5856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6084 wrote to memory of 5856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6084 wrote to memory of 6240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 6240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 6240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 5172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 5172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 5172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6084 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6084 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6084 wrote to memory of 5888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 5888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 5888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 5344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 5344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6084 wrote to memory of 5344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4776 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f79271581.exe
PID 4776 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f79271581.exe
PID 4776 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f79271581.exe

Processes

C:\Users\Admin\AppData\Local\Temp\60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692.exe

"C:\Users\Admin\AppData\Local\Temp\60e8f2ed5269458e54cca4d5ee9465ad9353469fecac25bbae7d70b123086692.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b84953999.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b84953999.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5404 -ip 5404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d95555049.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d95555049.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1264

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f79271581.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f79271581.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OS746175.exe

MD5 ee731c385d81ba903e32b33edc7758bc
SHA1 8a94b2da75dd470e4c95fce81b9822c9c61ebbdd
SHA256 0206943f52cb8ac75db9663e292f51a260f7bd9f04a8156058a02def6a68af90
SHA512 129576d61bffc7632b54ce5f55bf0df5373282ba937d6041648059e47bd5dcc3524d3afbb46c88bff570a9f795a4052ef0da4e982342aadd3a4a7f81e981b1f3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lf961800.exe

MD5 1aa274f4e7a3e68ec350533f86d0fcc6
SHA1 915ffb9a446e77036c1b9458fe08bac5da584a4f
SHA256 97949d43120b643652cb4658685859cc7c0a33e7223241867ca863e94c389e6c
SHA512 8646d1b97b4967244cd9fa5b1aabc8009c476df5ef8e7638252a777deba46182c7faaf179d03c195d31e65ba81fc31397669fcd60c78359060c63f25dd9fcfee

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eb717949.exe

MD5 402cd17fcbfdc8d39ae4a76a042ec1eb
SHA1 e3bcf1b61478da1d6de6b319284addda6cf0a0c1
SHA256 ba1c574424a24f5ace589750eb16ce782f478cfa5943b4b39d237051c6d92af4
SHA512 5e5d703fc7b650a50523c644c46f33bba42e3125e201806a43bb917a10032054e742d16f49b7caf249466733b37716abb5bf1397340486e7f64d855488257336

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uN535269.exe

MD5 9a5298fa97d7c25a71d134b08f9cd143
SHA1 1e17495bb88ab896b4549dceae3ecf35947db52e
SHA256 e28be749b4ff58b98c1111081532023ec491bb497ea6a1c3a4a710d04adefa59
SHA512 c6c0d1429c3627c5d76613dd6a2b9198b300cfa9dd96e60c174401df9142cd8c7511cdf2f664be2453f361e8842e5c1d78772d25a93abe4df26c69ede37e7322

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96034427.exe

MD5 e808c36c84cc933de7326599f5a07b96
SHA1 4f07e7e4b2011acbd09889c742ec38a394c8df42
SHA256 ef47b3e1ee0f9464714a896323717ee60009a2c7fd4ea58e1611e837441a05a4
SHA512 a624129d9daef5a83b77fd499c3440e72e8c615632e13dd3dedbebbc4cde5d11685d3dcf450a7fa3840e6261c94fd706460b3d1b27b62be1643675939f840b70

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b84953999.exe

MD5 6eb0ba393ab79886fefcfbea1995d9d1
SHA1 a8b2c00c5460c9232a79380dcffd3a031b5d3606
SHA256 a00d3b0331d550158f138d9b7229464777ff885e53fd8a80d0e2e937803b30d8
SHA512 42a4f5c2087d7c561c0149eae4c70095f179fa82dd15f1887736b5613f486c2a2902b925216eed7f8e1e5d01dfd6b0b85d278e6b3748e8ed519af474b82bb7fe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c12085790.exe

MD5 5499abeac29090c823b34ad058bbc7e6
SHA1 030125b36be5c8179fd8cba06f3e3fd360a54e7b
SHA256 cd25fa823d737fe80fb7f9fd593b057bb4db6a7c70a916aa1d04cc64f4bf2908
SHA512 7cf2921c63c39416860b71a583202ae40c7c2fd951a58f92feb6f02180f8a49bb48d7ea316801fcee76609b4c7ae3b893e5b0ceb0aa26a6f7a041ae6946e222e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d95555049.exe

MD5 3399e389ae17d078d8760018c09eb4f5
SHA1 001c3b412661bf3c535ba87bc539d5b26ab3735c
SHA256 8876da2114a09042e8dd3c876348041124d68650e7da0cd42a2e9512fcb22ef9
SHA512 266155a2487ce15c7438037cfefba6325fa36f68b4c17f05a1881c1d174a6efc94b9ba16e9e85a7d750c3ce05616c4cc28e21c451bb474d73d4fc0ad0ed8165b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f79271581.exe

MD5 2deedb17f58bfd3aa3ff540c462e8055
SHA1 6e22fa3715badaf5c78aa35f771ba4b2134e708f
SHA256 7393b3ce0174ee0d0fc53e0761d5ccf57b978d11f6f4c8d033c0d8a92d974454
SHA512 a1a6b7ab33fe7ba56dd67b770c3e518a34e68a62942048cb06100c385c0f915b94751e55a8acb93ffd47cde7099aea5c3210b8b6d02442953de296bf7a589c40
