Malware Analysis Report

2024-12-06 02:45

Sample ID 241110-a7gevswcmh
Target 828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78
SHA256 828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78

Threat Level: Known bad

The file 828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

Redline family

Healer family

RedLine payload

Amadey

Amadey family

Healer

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-10 00:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-10 00:51
Reported 2024-11-10 00:53
Platform win10v2004-20241007-en
Max time kernel 144s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\479717570.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202522867.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\506894556.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\1.exe | N/A
N/A | N/A | C:\Windows\Temp\1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202522867.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\479717570.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1724 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe
PID 1724 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe
PID 1724 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe
PID 1720 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe
PID 1720 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe
PID 1720 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe
PID 4356 wrote to memory of 3344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe
PID 4356 wrote to memory of 3344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe
PID 4356 wrote to memory of 3344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe
PID 3344 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe
PID 3344 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe
PID 3344 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe
PID 3596 wrote to memory of 6388 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe | C:\Windows\Temp\1.exe
PID 3596 wrote to memory of 6388 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe | C:\Windows\Temp\1.exe
PID 3344 wrote to memory of 6320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202522867.exe
PID 3344 wrote to memory of 6320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202522867.exe
PID 3344 wrote to memory of 6320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202522867.exe
PID 4356 wrote to memory of 5604 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe
PID 4356 wrote to memory of 5604 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe
PID 4356 wrote to memory of 5604 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe
PID 5604 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5604 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5604 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1720 wrote to memory of 6820 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\479717570.exe
PID 1720 wrote to memory of 6820 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\479717570.exe
PID 1720 wrote to memory of 6820 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\479717570.exe
PID 1940 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1940 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1940 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1940 wrote to memory of 4984 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 4984 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 4984 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 6956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 6956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 6956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 6660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 6660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 6660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 6512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 6512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 6512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 6212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 6212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 6212 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 6748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 6748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 6748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 3620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 3620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4984 wrote to memory of 3620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 1724 wrote to memory of 6320 | N/A | C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\506894556.exe
PID 1724 wrote to memory of 6320 | N/A | C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\506894556.exe
PID 1724 wrote to memory of 6320 | N/A | C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\506894556.exe

Processes

Image path, with the observed command line indented beneath it:

C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe
    "C:\Users\Admin\AppData\Local\Temp\828baedda0ddf157251012595781feff2e8bbb63a1a2746a443fda8a01005f78.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe

C:\Windows\Temp\1.exe
    "C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202522867.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202522867.exe

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6320 -ip 6320

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6320 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\479717570.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\479717570.exe

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
    CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6820 -ip 6820

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 1252

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\506894556.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\506894556.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.73:4164 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.73:4164 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HM502062.exe

MD5 05bf8c59ab4860332b11c96362c56c37
SHA1 8bbe1c63038a53fa19aef9d115938613910e9437
SHA256 0860d81d6718037b41dca7757e0fbb054929c6f9d5b48a18218f0f00475d4a06
SHA512 3a5f29abbe8f6ace6fcbd6736d6523cdb364031c20129d54b4da4d1c006d00934dd85ad59738d55a49f7c083810361c3617792b0281fc4199dc8bca7ca4bff6d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\km052303.exe

MD5 201013d24347ab751e166b39b1dd439f
SHA1 f2056a7c7be7e5a517ddfbc6046db380a83ef93a
SHA256 5703effbc2814bb40cfe9ec0719fba032ec4adedaf8df76fee3e8bdfd2bdd4ff
SHA512 8f3c1acfb545c1513b00a4fb654f83bd7a8a8c9ac22fda267698947259816f67e56c3cbd884fc3beba367c8e0ef0ee1aaa3e8d34a83af4c8cf1f5c4e65d14274

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jE888585.exe

MD5 a814b89779fe0cf2a42a72e2140750f4
SHA1 c08e32862ec809a8f67d2311eeec643a880cc9ae
SHA256 cb3063641c5752af45892ac4ee0938682af79bcc6881fedfc0a943330fa483a2
SHA512 14f23b3426af581560ae2f8263f157cc66002775bb41ee2ef00a1044852d2b88332f3554d9593d508da1b0588714d9318761a106a051ac6da086f4a919cbfe87

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\100947705.exe

MD5 649253f6766a00e064796b6d5b2351c0
SHA1 5ac848e4f4a4f975c41f1a0852ab6237a57f1fcd
SHA256 7dd549c55ffd17060da93f451db9cc19f13f5cc5048fe2d9828c57ceb6f6b44d
SHA512 0a04a21c267c24247c0b4b27c813cacd587ba2f18e6d4d53791be2b2b4d27f852f6d97fda0ffb5ebccfe78289211435a508397174bb7a179eb8432173efd0595

memory/3596-28-0x0000000004930000-0x0000000004988000-memory.dmp
memory/3596-29-0x00000000049D0000-0x0000000004F74000-memory.dmp
memory/3596-30-0x0000000004FC0000-0x0000000005016000-memory.dmp
memory/3596-66-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-54-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-34-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-32-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-31-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-90-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-94-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-92-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-88-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-86-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-85-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-82-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-80-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-78-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-76-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-74-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-72-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-70-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-68-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-64-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-62-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-60-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-58-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-56-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-52-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-50-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-48-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-46-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-44-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-42-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-40-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-38-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-36-0x0000000004FC0000-0x0000000005011000-memory.dmp
memory/3596-2159-0x00000000052F0000-0x00000000052FA000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/6388-2172-0x0000000000E90000-0x0000000000E9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202522867.exe

MD5 4b6123d8f02b2f8972e840300fb820ba
SHA1 8f4d04d4b838f81a0c00480ca83595322d521b59
SHA256 032938f7241ecafd778a89a235e3715cf42dbbd80105d273d46a16ed0291450e
SHA512 168de6bd5d307d593f06d118f4f93cd01dfec5e86172238ac243e0eb5e17051e43b48d4a6571021b48e8fb69c4f1ba3f6209c58f7c1d09ad027153557fb7443c

memory/6320-4305-0x0000000005740000-0x00000000057D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323657937.exe

MD5 c6b61a905b083f958a0d036a6feb2b13
SHA1 2d179ff5c5797c0bf0b2b002c088f47773eb0802
SHA256 f7111ba6a60d3c5f77eb5eb91d431a491d654361ee8abf11e7e73dacf24bc917
SHA512 714181aec607adbd761108ae4fdaa247f86926262baafdf605d8358d0d0a0d14c4c9159150cf3a5afcce2a405a3d4c6b09c2e274c02a9c5f656955a9e7046e83

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\479717570.exe

MD5 8110cb9630b2deaea4c01df3ec8c0b01
SHA1 7c26142a8b144d2fbd60a3bbbd6dea71c4439737
SHA256 c847af3be728b30f0d6e6038c3ca3aed4df9addfccb129c8897f592cc5abdd6f
SHA512 00d56d0c83fd24ebdafec02df374be3c46d218ef5c8458e0ca8c05de86f48c8dc328b5ba9c741ec6280fac5ed550c25fbdd7eb4860432110b27205e6cd9f664b

memory/6820-4326-0x0000000005530000-0x0000000005596000-memory.dmp
memory/6820-4325-0x0000000002880000-0x00000000028E8000-memory.dmp
memory/6820-6473-0x0000000005750000-0x0000000005782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\506894556.exe

MD5 b958654ac9f62c343353eb22a4c52644
SHA1 6f0365597b64db91c04912bd3291c9171e45fdc1
SHA256 1f6c1fa4327c0358996868b416d502b01e44dd416d30a89b1338e9d08494a2bf
SHA512 367df1c71ea5a6329e7b5df38c1e5c470a72e1d896ae2aa9ccd5a8873a2db6a9cd472ba1c069d6cd550bd8ffc91b47897a480f547075c450c2adfc438373ca4c

memory/6320-6480-0x0000000000B50000-0x0000000000B80000-memory.dmp
memory/6320-6481-0x0000000002EE0000-0x0000000002EE6000-memory.dmp
memory/6320-6482-0x0000000005B00000-0x0000000006118000-memory.dmp
memory/6320-6483-0x00000000055F0000-0x00000000056FA000-memory.dmp
memory/6320-6484-0x00000000054E0000-0x00000000054F2000-memory.dmp
memory/6320-6485-0x0000000005500000-0x000000000553C000-memory.dmp
memory/6320-6486-0x0000000005580000-0x00000000055CC000-memory.dmp