Malware Analysis Report

2024-11-15 09:57

Sample ID 241110-b6qskswlez
Target 2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55
SHA256 2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55

Threat Level: Known bad

The file 2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer

Amadey family

RedLine

Redline family

Healer family

Detects Healer, an antivirus-disabler dropper

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:45

Reported

2024-11-10 01:48

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (17 matches, no indicator detail recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (6 matches, no indicator detail recorded)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\324777407.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
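The two tables above record the same evasion step from both Healer droppers (176046477.exe and 294694911.exe): the policy values under Policies\Microsoft\Windows Defender\Real-Time Protection are set to 1 and Features\TamperProtection is set to 0. The WOW6432Node prefix appears because the droppers are 32-bit processes writing through the WOW64 registry view. The report shows that the writes were made, not that Defender honoured them; on a host where Tamper Protection is enforced, registry writes of this kind are ignored. The Python below is an added example, not part of the sandbox report: it runs a detection rule over those rows, parsing each "Set value" line, normalising away the WOW64 prefix so the same rule matches native 64-bit writes, and tagging the weakening writes per process. The DisableAntiSpyware rule covers a well-known policy value that this sample did not touch.

```python
import re
from collections import defaultdict
from typing import Optional

# Registry events copied from the two behavioral1 tables above (Defender
# Real-Time Protection policy writes and the TamperProtection write), one
# report row per line. "Key created" rows are included to show they are skipped.
REGISTRY_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
"""

# One report row: Set value (<type>) <key>\<name> = "<data>" <process> N/A
SET_VALUE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+)'
    r' = "(?P<data>[^"]*)" (?P<process>.+?) N/A$'
)

# Real-Time Protection policy values that switch off a Defender component when
# set to 1 (the five written by this sample).
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablescanonrealtimeenable",
}


def classify(key: str, name: str, data: str) -> Optional[str]:
    """Tag a single value write if it weakens Defender, else return None."""
    # The droppers are 32-bit, so the sandbox logs the WOW64 view of the key;
    # strip it so the same rule also matches writes made through the native path.
    k = key.replace("\\WOW6432Node", "").lower()
    n = name.lower()
    if (k.endswith("\\policies\\microsoft\\windows defender\\real-time protection")
            and n in RTP_DISABLE_VALUES and data == "1"):
        return f"RealTimeProtection\\{name}=1"
    if (k.endswith("\\policies\\microsoft\\windows defender")
            and n == "disableantispyware" and data == "1"):
        return "DisableAntiSpyware=1"  # well-known value, not seen in this sample
    if (k.endswith("\\microsoft\\windows defender\\features")
            and n == "tamperprotection" and data == "0"):
        return "TamperProtection=0"
    return None


def detect_defender_tampering(events: str) -> dict[str, list[str]]:
    """Map each writing process to the sorted, de-duplicated tags it triggered."""
    findings: dict[str, list[str]] = defaultdict(list)
    for line in events.strip().splitlines():
        m = SET_VALUE.match(line.strip())
        if not m:
            continue  # "Key created" and other event kinds carry no value data
        tag = classify(m["key"], m["name"], m["data"])
        if tag and tag not in findings[m["process"]]:
            findings[m["process"]].append(tag)
    return {proc: sorted(tags) for proc, tags in findings.items()}


if __name__ == "__main__":
    for proc, tags in detect_defender_tampering(REGISTRY_EVENTS).items():
        print(proc)
        for tag in tags:
            print("   ", tag)
```

The same `classify` rule applies unchanged to Sysmon Event ID 13 (RegistryEvent, value set) records on a live host, where the key path arrives without the sandbox's `\REGISTRY\MACHINE` prefix but with the same trailing components; only the row parser is report-specific.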

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\324777407.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\410840927.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\410840927.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\324777407.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 1168 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe
PID 1168 wrote to memory of 2172 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe
PID 2172 wrote to memory of 1736 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe
PID 1736 wrote to memory of 5028 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe
PID 1736 wrote to memory of 956 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe
PID 2172 wrote to memory of 4652 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\324777407.exe
PID 4652 wrote to memory of 4508 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\324777407.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1168 wrote to memory of 1500 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\410840927.exe
PID 4508 wrote to memory of 1524 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4508 wrote to memory of 4888 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 1744 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 4352 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4888 wrote to memory of 1144 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4888 wrote to memory of 2284 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 4916 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4888 wrote to memory of 3492 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
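Every parent/child pair in the table above, cmd.exe spawning cacls.exe included, shows the same three writes, which is the footprint of ordinary process creation (the parent populating the freshly created child's address space) rather than code injection into a running process. The table's real value is the process lineage it records: four nested self-extractor layers (IXP000.TMP through IXP003.TMP), the two Healer droppers under IXP003.TMP, 410840927.exe under IXP001.TMP, and the Amadey copy oneetx.exe with its schtasks/cmd/cacls children. The Python below is an added example, not part of the report: it rebuilds that tree from the rows, collapsing the repeated records into a per-edge write count. It assumes, as is true for this report, that the image paths contain no spaces; a structured (JSON) sandbox export would be needed otherwise.

```python
import ntpath
import re
from collections import Counter, defaultdict

# "Suspicious use of WriteProcessMemory" rows copied from the table above. The
# report lists every parent/child pair three times; only the first pair is kept
# in triplicate here so the write counter has repeats to collapse.
WPM_RECORDS = r"""
PID 2444 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe
PID 2444 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe
PID 2444 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe
PID 1168 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe
PID 2172 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe
PID 1736 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe
PID 1736 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe
PID 2172 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\324777407.exe
PID 4652 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\324777407.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1168 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\410840927.exe
PID 4508 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4508 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4888 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4888 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4888 wrote to memory of 3492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
"""

# Image paths in this report contain no spaces, so the last two whitespace
# tokens of a row are the source and target images (assumption, see lead-in).
WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


class ProcessTree:
    def __init__(self) -> None:
        self.names: dict[int, str] = {}            # pid -> image path
        self.parent: dict[int, int] = {}           # child pid -> parent pid
        self.children: dict[int, list[int]] = defaultdict(list)
        self.writes: Counter = Counter()           # (src, dst) -> write records

    def add(self, src: int, dst: int, src_image: str, dst_image: str) -> None:
        self.names[src] = src_image
        self.names[dst] = dst_image
        self.writes[(src, dst)] += 1
        if dst not in self.parent:                 # first record wins; later ones only count
            self.parent[dst] = src
            self.children[src].append(dst)

    def roots(self) -> list[int]:
        """Processes that were never the target of a write: the detonated sample."""
        return [pid for pid in self.names if pid not in self.parent]

    def depth(self, pid: int) -> int:
        return 0 if pid not in self.parent else 1 + self.depth(self.parent[pid])

    def render(self) -> list[str]:
        """Indented 'pid image' lines in creation order, one per process."""
        lines: list[str] = []

        def walk(pid: int) -> None:
            lines.append(f"{'  ' * self.depth(pid)}{pid} {ntpath.basename(self.names[pid])}")
            for kid in self.children.get(pid, []):
                walk(kid)

        for root in self.roots():
            walk(root)
        return lines


def build_process_tree(records: str) -> ProcessTree:
    tree = ProcessTree()
    for line in records.strip().splitlines():
        m = WPM_ROW.match(line.strip())
        if m:
            tree.add(int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"])
    return tree


if __name__ == "__main__":
    t = build_process_tree(WPM_RECORDS)
    print("\n".join(t.render()))
    print("write records:", sum(t.writes.values()), "unique edges:", len(t.writes))
```

A `writes` count that is uniformly small and identical across every edge, as here, is the signature of process creation; an edge with a far larger count, or a target that is not a child of the writer, is where to look for actual injection.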

Processes

C:\Users\Admin\AppData\Local\Temp\2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55.exe

"C:\Users\Admin\AppData\Local\Temp\2bec3d4787ab1802fc0552ae6e621d15e7fd5b8e1f7a059ccf75a319bdf1dd55.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 956 -ip 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\324777407.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\324777407.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\410840927.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\410840927.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv
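The command lines above are the sample's actual persistence and self-protection: the Amadey copy oneetx.exe (dropped under Temp\cb7ae701b3) registers a scheduled task that re-launches it every minute, then uses CACLS to deny the Admin user all access to the file and its directory and re-grant read only, so the logged-on user cannot delete or overwrite it. By contrast, the wextract_cleanupN RunOnce values flagged under "Adds Run key to start application" are the standard cleanup that the Windows IExpress/WEXTRACT self-extractor registers to delete its IXP00N.TMP directory on next logon; four of them, one per layer, confirm that the payload is packed as four nested self-extractors. The Python below is an added example, not part of the report: it runs command-line heuristics over the process list that make that distinction and report the real persistence. The rule names and the `COMMAND_LINES` table are the example's own construction.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


# (image, command line) pairs copied from the Processes section above, plus the
# wextract_cleanup0 RunOnce value from the "Adds Run key" table as a final entry
# (its "image" column is a label, not a real path).
COMMAND_LINES = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:R" /E'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\cb7ae701b3" /P "Admin:N"'),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe start wuauserv"),
    (r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"'),
    ("RunOnce\\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# schtasks /Create ... /SC <unit> [/MO <n>] ... /TR "<program>"
SCHTASKS_CREATE = re.compile(
    r"/Create\b.*?/SC\s+(?P<unit>\w+)(?:\s+/MO\s+(?P<every>\d+))?.*?/TR\s+\"?(?P<task>[^\"]+)\"?", re.I)
# CACLS <target> /P <user>:N  (replace ACL, deny the user everything)
CACLS_DENY = re.compile(r"\bCACLS\s+\"?(?P<target>[^\"\s]+)\"?\s+/P\s+\"?(?P<user>[^:\"\s]+):N\b", re.I)
# advpack.dll,DelNodeRunDLL32 "<dir>"  (IExpress/WEXTRACT temp-dir cleanup)
WEXTRACT_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32\s+\"?(?P<dir>[^\"]+)", re.I)
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(?P<service>\S+)", re.I)


def triage_command_lines(procs: list[tuple[str, str]]) -> list[Finding]:
    """Apply the persistence heuristics to each (image, command line) pair."""
    findings: list[Finding] = []
    for image, cmd in procs:
        m = SCHTASKS_CREATE.search(cmd)
        if m and TEMP_DIR.search(m["task"]):   # only tasks that launch from Temp
            findings.append(Finding("scheduled_task_from_temp", image,
                                    f"every {m['every'] or 1} {m['unit'].upper()} -> {m['task']}"))
        for m in CACLS_DENY.finditer(cmd):     # one chained cmd line may hold several
            findings.append(Finding("cacls_deny_user", image,
                                    f"{m['user']} denied all access to {m['target']}"))
        m = WEXTRACT_CLEANUP.search(cmd)
        if m:
            findings.append(Finding("wextract_cleanup", image,
                                    f"self-extractor temp dir removal (benign on its own): {m['dir']}"))
        m = SC_START.search(cmd)
        if m:
            findings.append(Finding("service_start", image, f"sc start {m['service']}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = triage_command_lines(COMMAND_LINES)
    for f in results:
        print(f"{f.rule:26} {f.image}\n{'':26}   {f.detail}")
    print(summarize(results))
```

The same heuristics run directly over Sysmon Event ID 1 (process creation) `CommandLine` fields; on a live host, `scheduled_task_from_temp` together with `cacls_deny_user` against the same file in the same minute is a strong signal on its own, while `wextract_cleanup` alone is routine and should only raise the score of a process tree that already has other findings.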

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 185.161.248.143:38452 - tcp
RU 185.161.248.143:38452 - tcp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra236363.exe

MD5 a3c31c9281ebae7bd1110d5a7db2a5c2
SHA1 c1734304d2e8159bf3ade554aadd4dfa57841722
SHA256 69ed1b3c30964153cae0010e60df783a8b65c5b8bb15534f76e5c414a94fdb64
SHA512 7030607aed34e663a788a1e1b058c7b671cf2203ce80a348972c19052b6ea566aa2bcf94506a78655a425e58b2ee570dd381e0fe1cc204ba6e0211a2cb513b5d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX401329.exe

MD5 5eee765cdead965d28720a39eb9d7bc8
SHA1 b316d844552c2230149bf23f37eae476dc6afe33
SHA256 4297ff3876ffdc7e7512d1a1d042eab02c869e0c20e693ef8d38f9599618097e
SHA512 444635a17db7cf21e50f56299ff8431886bc90309fd93302ced573ef11908d9d52811461adf42fd779c249b626aadbf61d829878c68c4c13c749100148b2b750

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sh573667.exe

MD5 0e90b8f695388e5b84dad3a0243b45b9
SHA1 a092ce0535d453d1fc281c75f182ac93e01e82e4
SHA256 073f392f07d328a432f3a8351ed06cb2839e1cc413c9feda6772f28180d48ee1
SHA512 5fe4dc5ff0b62bcef66cdb0da0928ebc6f7f73a865b9ef384fd4664f105f3f05fadd544dafa8bb9f94192f5bd6203be06a183842d2ad1658cfd81b9723e2e0cf

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\176046477.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

memory/5028-28-0x00000000048C0000-0x00000000048DA000-memory.dmp

memory/5028-29-0x0000000004A30000-0x0000000004FD4000-memory.dmp

memory/5028-30-0x0000000004980000-0x0000000004998000-memory.dmp

memory/5028-58-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-56-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-54-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-52-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-50-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-48-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-46-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-44-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-42-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-40-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-38-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-36-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-34-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-32-0x0000000004980000-0x0000000004993000-memory.dmp

memory/5028-31-0x0000000004980000-0x0000000004993000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\294694911.exe

MD5 75191fd6d014edbcb2f392c08bcbc097
SHA1 0da583f886027a1c65679b4eaf1a738829e6cf8e
SHA256 7d7d64904bb25155ed42d73f4bdd6c910af78e24299127a5299511151d39f959
SHA512 eed822d7da030c7153763f2ba65d55798a64d364867cad570930776b6ac73f5d3620830d87ea05e7134a13026340bf9623f89eaa02bc865cb795bd7fa957aa78

memory/956-92-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\324777407.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

memory/956-94-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\410840927.exe

MD5 fd1761e6ca8cf733d2b5fb8688e4c853
SHA1 2fffa2323de90ad6c80ec3ea0e51c3b941c5b7e6
SHA256 f4f2ce91a13174ee05da985fdf2f012ee2615ddda1f7366da79b90eae58fce8d
SHA512 9bf0a9bb998106ba1f8d1ae6a1edd6a0e548372d772bde0cc18bac01cb4ef3ce146c78f8a1a8cc1dc2b06c43446910b64e4bb7e04b28d8c71f975bcbd7f1baa7

memory/1500-112-0x0000000004B10000-0x0000000004B4C000-memory.dmp

memory/1500-113-0x0000000004C50000-0x0000000004C8A000-memory.dmp

memory/1500-117-0x0000000004C50000-0x0000000004C85000-memory.dmp

memory/1500-115-0x0000000004C50000-0x0000000004C85000-memory.dmp

memory/1500-114-0x0000000004C50000-0x0000000004C85000-memory.dmp

memory/1500-120-0x0000000004C50000-0x0000000004C85000-memory.dmp

memory/1500-906-0x0000000009D20000-0x000000000A338000-memory.dmp

memory/1500-907-0x000000000A340000-0x000000000A352000-memory.dmp

memory/1500-908-0x000000000A360000-0x000000000A46A000-memory.dmp

memory/1500-909-0x000000000A470000-0x000000000A4AC000-memory.dmp

memory/1500-910-0x0000000004BC0000-0x0000000004C0C000-memory.dmp