Malware Analysis Report

2024-12-06 02:40

Sample ID 241110-bcpy7aynej
Target 0339fc09bdf988bb047ee2347f623d6b.bin
SHA256 edb5934c4212adcd1ad077f9d90fc9ae79f8b94bc1866170af21037fd2d53330
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

edb5934c4212adcd1ad077f9d90fc9ae79f8b94bc1866170af21037fd2d53330

Threat Level: Known bad

The file 0339fc09bdf988bb047ee2347f623d6b.bin was found to be: Known bad.

Malicious Activity Summary

Amadey family

Detects Healer an antivirus disabler dropper

Amadey

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

RedLine payload

Healer family

Healer

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:00

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:00

Reported

2024-11-10 01:02

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\904261e7b5b202e8594644130cf31089c365ad1a79ee02af0de9920a82f14dc2.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\904261e7b5b202e8594644130cf31089c365ad1a79ee02af0de9920a82f14dc2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\904261e7b5b202e8594644130cf31089c365ad1a79ee02af0de9920a82f14dc2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f64682884.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2884 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\904261e7b5b202e8594644130cf31089c365ad1a79ee02af0de9920a82f14dc2.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe
PID 3068 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe
PID 1312 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe
PID 4460 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe
PID 320 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe
PID 3528 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe | C:\Windows\Temp\1.exe
PID 320 wrote to memory of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe
PID 4460 wrote to memory of 6636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe
PID 6636 wrote to memory of 6732 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1312 wrote to memory of 6768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe
PID 6732 wrote to memory of 6816 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 6732 wrote to memory of 6840 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 6840 wrote to memory of 6908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 6840 wrote to memory of 6920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 6840 wrote to memory of 6520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 6840 wrote to memory of 2448 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 6840 wrote to memory of 6708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 6840 wrote to memory of 6696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 3068 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f64682884.exe

Processes

C:\Users\Admin\AppData\Local\Temp\904261e7b5b202e8594644130cf31089c365ad1a79ee02af0de9920a82f14dc2.exe

"C:\Users\Admin\AppData\Local\Temp\904261e7b5b202e8594644130cf31089c365ad1a79ee02af0de9920a82f14dc2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4844 -ip 4844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1260

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6768 -ip 6768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f64682884.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f64682884.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.3.19.154:80 | N/A | tcp
RU | 185.161.248.73:4164 | N/A | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM534994.exe

MD5 fab9189b698312de434e71e724a7d442
SHA1 813c4f920efd390e210eaa3a6c7f13c768fd3f79
SHA256 0d00f37e9fc9f3065951afcf3d741abd4c31bb0f29347c994fc5c0b401ae6146
SHA512 836155a7e61373c6ba879ee73388e85cf0e4d48630144e8156fc6f2de6f8eefcc89fd1114d6559c349f679f826eb60e5a7092bfbd0f856b88d8a0bf3ad390c3a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rK785166.exe

MD5 9c35856ad7d39d05509eefab065d0419
SHA1 6ee0220247561c97c3a3b2ec967271a0b4391b55
SHA256 2b83750153378133f0791c8fba8a4d431177dca1add49446c36689c8099f8a42
SHA512 1c55e8f75a0c93e5c33b0bf51d9519cfd747c098d4266d7ef145d460867fbff997401b020b05cff38221234bc946348ba512e23a58232e7cdbdb62377ef9e564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vz500697.exe

MD5 aa4fd3bbb9e5135bd7eed08102cd3d96
SHA1 870cb28b37ca9138b17e8b7d74af117c1bf8d86e
SHA256 617d66ab73259950f4576ac8fd13a6915c3a2a5164b5585b74c42f1c6eb19153
SHA512 ae3142b8c2875230b860529ca81202599554399487d8ae9b306e45d05a6be75bc790e35dd532d48cc633555c477c4868045c6e6dc510462c3b4a4faf7d54f32c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jH053548.exe

MD5 d60c8f45f54879332cc8fe13aeb3fc26
SHA1 0c0f1fa847a4fa9fdf63936a6220b521941bab57
SHA256 ad1f1810c72e3e1f8c210d3934092d0ed560e279b9c162a431b81baed7e2a922
SHA512 70d72b1583626143527afa0ed32c10cca8ef4e10817459992bdd189b323c8ca6734e235325dcf21d926b45d0835f6a10a36a29185ccc73fad3bdc6de27cfe9b5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00560390.exe

MD5 2e3812945bdaf2736d245a66bb89f9d7
SHA1 9101380072eeff2a53eac2b9d7a6c3688b70eb3e
SHA256 f9e3ef889ddc9ca32ae38dd85ad5693b40b91dde810ad479504894c7c01e8cb0
SHA512 c1c6c2e0c70819c40886960a9f40bda505a0f589c1363283f5b09258fe6fe03744c7063c35155d2e7079acb3154b0afefbb320b4cf71148e08c74c0065e54b32

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2320-2179-0x00000000000B0000-0x00000000000BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b79318081.exe

MD5 4dfc323f301368ae5cd575552bd6385f
SHA1 378775d72f9af1892cab72d0065a96aeb96bbd6e
SHA256 c2044c35272e0ff2b25232a6f03c64b8f8a3c3b76289b59460c53a25789b0076
SHA512 dc54fb5cdf8e49156838ba7f608d98d35a17829b9e5cb24236c91533ba08f4cfb950fcbe0017bad52c3ec16b3de0062355754a72d3f50ed3295a2497964ea4d5

memory/4844-4312-0x0000000005750000-0x00000000057E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c33475999.exe

MD5 5aa3d3603947235fffb00d67f08a576e
SHA1 e08e70b5f3ab0f13735ae0f06faa0116b9929440
SHA256 da12f7083d26b3c7141171e5c1dea1bcbb784df7a1907bae8db99a1d8ca52026
SHA512 7462879df9a7dea1275fe1852d2b2f4e7e734bfb8f3dcb9e5924b31313f80bdaf0b2cdc40a0aba8bf046930d922dbb104ef7cac22f2cc14dd4cd9444df3c88be

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d62605527.exe

MD5 b24ac7b3f7e5ebece52ab1c1bd05f886
SHA1 116ef6d1a9e8cab94bf9dd434ed8300ac9ea19dc
SHA256 8440f59132de140506f302c65a74e897abe0eadee42581a4bc5d6cdd831c8874
SHA512 7d8b1a02af93f602ae159e3adaf5666873b29d18c8b72767c6daaa3663211c281535e2fa4dff9ae5fed3f243afb7867f2e52261d44146578354213a2a8bbfeb7

memory/6768-4332-0x0000000004D40000-0x0000000004DA8000-memory.dmp

memory/6768-4333-0x0000000005510000-0x0000000005576000-memory.dmp

memory/6768-6480-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f64682884.exe

MD5 d8e7ab86428e56568df8a4526a0dd1a6
SHA1 149eba06f2ab103a4fff4bb6a6f02b54c1bce992
SHA256 7d263f5280e94528cbb05197b413914d4384983dedb4feb4d5ccca43264d2f6c
SHA512 047043f39f22c4af5e7aca240ff482b38c8844b06d0683a176b033270c71fbfea9034df5d119d1e8dcc3adca27c963bde92a99a64aaef405b637d103e4de1001
