Malware Analysis Report

2024-11-15 09:56

Sample ID 241110-btpdzswfkq
Target 6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36
SHA256 6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36

Threat Level: Known bad

The file 6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Amadey

RedLine payload

Amadey family

Healer family

RedLine

Redline family

Healer

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:26

Reported

2024-11-10 01:28

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462111286.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462111286.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 424 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe
PID 424 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe
PID 424 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe
PID 2584 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe
PID 2584 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe
PID 2584 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe
PID 1160 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe
PID 1160 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe
PID 1160 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe
PID 2792 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe
PID 2792 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe
PID 2792 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe
PID 2792 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe
PID 2792 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe
PID 2792 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe
PID 1160 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe
PID 1160 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe
PID 1160 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe
PID 2996 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2996 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2996 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2584 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462111286.exe
PID 2584 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462111286.exe
PID 2584 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462111286.exe
PID 2892 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2892 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2892 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2892 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2072 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe

"C:\Users\Admin\AppData\Local\Temp\6f6ea2c005f82b0f783bd0db0fc379432172aabe583a98e64ea9d35e21155e36.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1092

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462111286.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462111286.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk045592.exe

MD5 bd48b1e113432425fbc0eb84d866014e
SHA1 4d700a55290862f23238080d4482c6e4f10b8a98
SHA256 f31ea5995c5f8e3ffefcd5bcd834e6c1e0e3be32404b83ed22df902230506043
SHA512 55ff30494e5c5c6825d1f6f0fe6f5ac264267eb2cf0d60d996a767b14c986587a57a81c351a2da360748475c0bcb4f751a1be280e685e6b7163c1e58ab557980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cl891900.exe

MD5 5b09271a839b86e04abf095a8533a9ae
SHA1 60cfd9668f64cbac3fa6f2c7ac43bf3dc29b3150
SHA256 13c72d884a1e1dc443600cd2b6c3b5b9af75c8e201f006162c2a44b248819ff7
SHA512 d7b2e1f553c5e04952853955424607fff41f571c7da0347730df96f3dfe2bca159a07e054f87b9d8549dfb6859b97aec6c207931763a22c86be4edb3eee96465

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ke579172.exe

MD5 ca55ee6fe29e940b66b8c46f1e28a82b
SHA1 c78b75a6a17142bd8b6bb1f49b2e2c1e6a5ed25c
SHA256 f69b72f847227732b729b40d7071a2335871c4b5f6a5fa0f53c1c06c8be5aa53
SHA512 0195c76ae6cd5ff4d4c60a26beecef0a168e63fe68977b0aece92e073da92edd165908bbf4a711d3d556935ab804b89fb9678891a26ff31acafbce7f28d7bb18

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\111472413.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/2672-28-0x0000000002260000-0x000000000227A000-memory.dmp

memory/2672-29-0x0000000004990000-0x0000000004F34000-memory.dmp

memory/2672-30-0x0000000004F40000-0x0000000004F58000-memory.dmp

memory/2672-31-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-58-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-56-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-54-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-52-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-50-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-48-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-46-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-44-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-42-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-40-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-38-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-36-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-35-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/2672-32-0x0000000004F40000-0x0000000004F53000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\204539758.exe

MD5 b45ef005794899de94c498fec749bf74
SHA1 9ea1a9f169fb291054a4af2839f2d2cf7bb16cf1
SHA256 6778e81b751fe4009ef457d117367b7b0a54bf68697e4c1730c25d09d980e24e
SHA512 802f85af062052434f7f37e742571132e939a53604a64a8f1a2734c07cfd3c64d0fcf7c428680e5a0878b346ab0378d1444b3709e1c807130bf02f62f6877738

memory/4892-64-0x0000000002440000-0x000000000245A000-memory.dmp

memory/4892-65-0x00000000025A0000-0x00000000025B8000-memory.dmp

memory/4892-66-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-83-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-93-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-91-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-89-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-87-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-85-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-81-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-79-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-77-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-75-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-73-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-71-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-69-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-67-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/4892-94-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4892-96-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\346143622.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462111286.exe

MD5 9b17c3ea73ab760f261cd16b84076374
SHA1 bf218c36d697a05db83b4608e82a89b5cb1f2fb3
SHA256 044d694dffe1461a219886aeabefe005f8cdcd4d507dddf58cb2126c5198df53
SHA512 b029dfebccbf83b97514fe1e6f873c1511865cfde64851fcb6f64bdf0c1456ef42aa08a456a842a7efa406310e0592b50a8cdf9853ecde8cdedd81896e966178

memory/3156-114-0x00000000026E0000-0x000000000271C000-memory.dmp

memory/3156-115-0x0000000004BD0000-0x0000000004C0A000-memory.dmp

memory/3156-121-0x0000000004BD0000-0x0000000004C05000-memory.dmp

memory/3156-119-0x0000000004BD0000-0x0000000004C05000-memory.dmp

memory/3156-117-0x0000000004BD0000-0x0000000004C05000-memory.dmp

memory/3156-116-0x0000000004BD0000-0x0000000004C05000-memory.dmp

memory/3156-908-0x00000000076F0000-0x0000000007D08000-memory.dmp

memory/3156-909-0x0000000007D40000-0x0000000007D52000-memory.dmp

memory/3156-910-0x0000000007D60000-0x0000000007E6A000-memory.dmp

memory/3156-911-0x0000000007E80000-0x0000000007EBC000-memory.dmp

memory/3156-912-0x00000000024C0000-0x000000000250C000-memory.dmp