Malware Analysis Report

2024-12-06 02:53

Sample ID 241110-a74v6aymel
Target 5684dac622839da30c5db11e651be6c3d341a6228c5a3fe75f7ab2d139d7397e
SHA256 5684dac622839da30c5db11e651be6c3d341a6228c5a3fe75f7ab2d139d7397e
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5684dac622839da30c5db11e651be6c3d341a6228c5a3fe75f7ab2d139d7397e

Threat Level: Known bad

The file 5684dac622839da30c5db11e651be6c3d341a6228c5a3fe75f7ab2d139d7397e was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Redline family

RedLine

Amadey

Healer family

Detects Healer an antivirus disabler dropper

Healer

RedLine payload

Modifies Windows Defender Real-time Protection settings

Amadey family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:52

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:52

Reported

2024-11-10 00:54

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5684dac622839da30c5db11e651be6c3d341a6228c5a3fe75f7ab2d139d7397e.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317962570.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5684dac622839da30c5db11e651be6c3d341a6228c5a3fe75f7ab2d139d7397e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH153779.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn924958.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sS610543.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5684dac622839da30c5db11e651be6c3d341a6228c5a3fe75f7ab2d139d7397e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\465027632.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH153779.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sS610543.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn924958.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317962570.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\465027632.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317962570.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\5684dac622839da30c5db11e651be6c3d341a6228c5a3fe75f7ab2d139d7397e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH153779.exe
PID 1692 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH153779.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn924958.exe
PID 3516 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn924958.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sS610543.exe
PID 3256 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sS610543.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe
PID 3256 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sS610543.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe
PID 3516 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn924958.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317962570.exe
PID 4736 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317962570.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1692 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH153779.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\465027632.exe
PID 4752 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4752 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4792 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4792 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 1176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4792 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5684dac622839da30c5db11e651be6c3d341a6228c5a3fe75f7ab2d139d7397e.exe

"C:\Users\Admin\AppData\Local\Temp\5684dac622839da30c5db11e651be6c3d341a6228c5a3fe75f7ab2d139d7397e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH153779.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH153779.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn924958.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn924958.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sS610543.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sS610543.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2876 -ip 2876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1076

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317962570.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317962570.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\465027632.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\465027632.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH153779.exe

MD5 3abe6a0c3d51c958c86722ce04795aaf
SHA1 9846b0b73bbee084b0aa29c5a72eefe0322362a1
SHA256 4c1da31c58c8d61392583d14b69c71a86496a4bd0ff2330554a21c388e72a5f6
SHA512 603744770ebc640df46c3fa34660b5a295e15cf7e7fced623fe949420be9c5776c62952feaae87140eb42473ca80ec7deb16af5f13be00d61738ac99e21b2fa1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn924958.exe

MD5 f54dd9ad448d9a0a616277627ba45791
SHA1 27ffec0c598f5daff6cc4b455eecdd26e780a20b
SHA256 465bcf284dd9a0a4545a3241091281ddec2be3b2035ff834c6055d131f1b7b76
SHA512 1ed5300d7b1236cd06b5abf53b45319f4cf5eb86deaec3678b59326d06286f17fd822e051625595b5256d00a19dcf3fa23005ad18697767dfd085e19936186a3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sS610543.exe

MD5 7963e80c526894afb91224d7bb1b81e8
SHA1 048e7f3f8d1e7b67261986ba0c7570f2e0d4f01d
SHA256 2a94731ce924c2446be2db681b7dbfe3491c2994dbb4bc5b0be20b272beb3cc9
SHA512 653249f43391843689476650b4fd54ca10e67d6b00cc3e9b1dc494eb8fedf5afc44fb729d959c099bdb5c155640ef4d07efdf12763e4c38a6e18e9ef03ecac2c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\124955028.exe

MD5 e1349f1b588268a2f68f12a2bb35a5bd
SHA1 e9b04872138856e2669cb4d4c6b8883f0c90e3bf
SHA256 87a316d663376f4b092a6f76ff4a8a76c538d84cd9655d3e35b117ad0f1c9b2f
SHA512 d8c0b58a8094b42234d8a9a13c82d5ad8c1d0a0a555a1f762200cfbde6511d881408bd902db8a89923ade06adb9fe8fd8189ea824a2903b3b2523f556e29f81b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\280783165.exe

MD5 4f0dcdcd02e2ac1544dc27fea69901ad
SHA1 697942ac8ca46016c12693f22eb59b9c03f26b51
SHA256 2a381419ee30e3c70763daea6bb184bfb8ebbfa363b7598e00a48d211e6a51f9
SHA512 5aefa3f4dcf5d5300cdf4898fc322f0b8ec57f9d13697d7225aafdbe36a81ab994c6090fe1b0fa8213b4dcb8fd04570258044eb6ee52b62233412347f9355c70

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317962570.exe

MD5 0cdeb4c5a61d792aba72e0fb08cf5c54
SHA1 a3a88c86baa77b5230f7f849ae30ae6420d92925
SHA256 beea20e8c42f946b114595ed257993749dfc93fdd0e51196ea1134cdb000f660
SHA512 12bf776ed2560aa20717fc770d9bf4bd5de06781867d04f46e5e01701ab9ed11dae940480b39981c9b1bfcd94ed43abba3df9440623e31f34a0994d88ebf0bf1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\465027632.exe

MD5 7ccf287705a7426a374aea3aff30eee9
SHA1 a5f97e99ab97a3056172d23a9dbbf630f3d957c3
SHA256 79dc33c7aefd82b3ab9bb630b88039803d49110d08ae6916dc0d4728842d07c3
SHA512 eb90df1d789c25f3a1547e4d4adbc71a7c77ce257cb3e4467d7fb759623017cfa49ab8020e05c5531b89d25c701c380e9450dbfe003dec36d7cf6698d372fa99
