Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-bcferayndn
Target 10eee4d77a66c273f68c518cf66dd9abda83ff7736c95f2fb7632dcd89ae1a20
SHA256 10eee4d77a66c273f68c518cf66dd9abda83ff7736c95f2fb7632dcd89ae1a20
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 10eee4d77a66c273f68c518cf66dd9abda83ff7736c95f2fb7632dcd89ae1a20 was found to be: Known bad.

Malicious Activity Summary

Amadey

Redline family

Healer family

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Amadey family

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:59

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:59

Reported

2024-11-10 01:02

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10eee4d77a66c273f68c518cf66dd9abda83ff7736c95f2fb7632dcd89ae1a20.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399815318.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\10eee4d77a66c273f68c518cf66dd9abda83ff7736c95f2fb7632dcd89ae1a20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jv605705.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DD264613.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc005411.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc005411.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DD264613.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jv605705.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399815318.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\494678553.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10eee4d77a66c273f68c518cf66dd9abda83ff7736c95f2fb7632dcd89ae1a20.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\494678553.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399815318.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\10eee4d77a66c273f68c518cf66dd9abda83ff7736c95f2fb7632dcd89ae1a20.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jv605705.exe
PID 4348 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jv605705.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DD264613.exe
PID 2796 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DD264613.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc005411.exe
PID 1960 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc005411.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe
PID 1960 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc005411.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe
PID 2796 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DD264613.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399815318.exe
PID 4352 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399815318.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4348 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jv605705.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\494678553.exe
PID 4692 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4692 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1768 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1768 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1768 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10eee4d77a66c273f68c518cf66dd9abda83ff7736c95f2fb7632dcd89ae1a20.exe

"C:\Users\Admin\AppData\Local\Temp\10eee4d77a66c273f68c518cf66dd9abda83ff7736c95f2fb7632dcd89ae1a20.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jv605705.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jv605705.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DD264613.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DD264613.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc005411.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc005411.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2928 -ip 2928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399815318.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399815318.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\494678553.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\494678553.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jv605705.exe

MD5 95ee3e871939a972ae2ef5eb69e40b93
SHA1 5b897f51fbb8cc722be6563025affe05d7889139
SHA256 d31c5b2ea91cfdc419d6e15a02b57fac99d1ae70cb4be9794f64de9f582026e9
SHA512 b3598ba02e51adee554080b368729ecc61f08f0a8bf5ab7efa541b93ead1c31b0a4b1a64a8927db02443cdda729808462edc841fa0a166e16ad7d04cad9a42a2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DD264613.exe

MD5 b34467638242c2a63dd1779a1036d8fc
SHA1 bb221519ffc4cbd3ed1caddf35944b8ca3df3927
SHA256 2bd91b7c8cbe251f172547c0f10ad85ad0a47b319accc6e95248745996205f3d
SHA512 e3b39a3ebff4e47d1edbf583898f3f2c2e3c6c0e5b6eaa425e82402f25d6bfed33a956b353e402b9491613f1a5be985d3e36f197d45a697a38f28c56aefb88ca

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kc005411.exe

MD5 08f56336bd469f7dc9ec2e3e13b97b58
SHA1 2d3a8305ae5296d9468d874c33a66d0d889eae66
SHA256 c1d5a11a53a0e33f2b3de8b78e487f495ceae8a503d0f75743d4af1fcbd8d41f
SHA512 2b446f032d58d63027cf215c4581169d3a770bf14e73a2eedd49f8cf18cae3ce63d512aaac2ed3c3e325a2e1de2bf5b3b87f2c772bd7ef488d2806d77ab36c51

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\101406196.exe

MD5 33bcf8132ad684bcf58e0d5afca9cfcf
SHA1 6eed274b476e448256673f1f3ad0c317ba1f2876
SHA256 72fe8897634dbbdedee8ea68e9e6055b633e6fd99708d63e7664d2a270378642
SHA512 cf7a55d27cc91500d53f1ead4d79d3c2e444447045bcdeaf4f191f75cd5a859d67646b76f0c7417492cb1bd851df45f6c3d995e37b86911a78c79afa66d123fb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\218046744.exe

MD5 80afacb74b873ae8855702a36e98aa4f
SHA1 143eb436815259b35e98a3fefdb58e4008180352
SHA256 8f14c9e0719b2906fe92f6637d6e62e2c47a7773739d7d2f8080d6660529d80c
SHA512 6e9f75ef6598da57445359c91ce436e3a7fb6401c0217b2d7bc86936ff42d791709c405c818c7a44d34d7eafc7b92d3421350fe7d47aed02eb16d24e21b04f68

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\399815318.exe

MD5 f7bc9048b891a52b18d09cb86f1410f5
SHA1 bc38458f263dcb4b4a4adc2fe6ab18560fb4efb4
SHA256 6d19d24af5ff90de042ff6b669b09cfb140c0cdf2b107c6dc4177466919ec10b
SHA512 f8f71292bf6c814f2d2053095629a1b1b8fdcc0c7427952ebaf617151829dd15007aea9c7658c9240d7530c0ac2b1ad15d0f8964f32caac29e54574c563c9ab4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\494678553.exe

MD5 d7f26d00a4049c05c0184c260ad4d805
SHA1 a238e108b579b5333c53c66555ff9af773585478
SHA256 838bfee6a3e10147c0ec1be129abb52b0b2e0b3b7092bb4b7c7dd0354104fc8e
SHA512 826180887cc06f750e1c52e44a315b63dfdd84b4265a6f06199227bc511abbd4f7a6720c6f5200bab5c323b0a053d30406f5c19001ce5108a309c3afa1ac54b9
