Malware Analysis Report

2024-11-15 09:56

Sample ID 241110-bwbwnsyrgr
Target db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e
SHA256 db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e

Threat Level: Known bad

The file db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e was found to be: Known bad.

Malicious Activity Summary

Amadey family

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

RedLine

Amadey

Healer family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:29

Signatures

Unsigned PE

Description Indicator Process Target
(rule matched on the submitted file; the static export records no per-match indicator, process or target)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:29

Reported

2024-11-10 01:31

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(34 matches; the export records no per-match indicator, process or target for this rule)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe N/A

Note: both writers are 32-bit processes, so the sandbox records the WOW6432Node view of HKLM\SOFTWARE; a detection rule must match the key with and without the WOW6432Node component. The rows record the write calls, not their effect: on a host with Tamper Protection enabled Defender is designed to ignore these Real-Time Protection policy values, which is why the same two processes also try to clear the TamperProtection feature flag (see "Windows security modification" below).

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(6 matches; the export records no per-match indicator, process or target for this rule)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397120157.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe N/A
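The two registry tables above ("Modifies Windows Defender Real-time Protection settings" and "Windows security modification") are exactly the kind of event stream a detection rule should run over. The following is an added example, not code from the report or the sandbox vendor: it parses the report's own indicator strings (key path, value name and data), folds the WOW6432Node view into the native path so one rule covers 32-bit and 64-bit writers, and flags per process which Defender settings were turned off. The event rows are copied from the tables; the two rows marked as constructed are benign controls added so the rule has something to ignore. The rule names are my own.

```python
import re
from collections import defaultdict

# Registry-write events copied from the "Modifies Windows Defender Real-time
# Protection settings" and "Windows security modification" tables above, as
# (description, indicator, process) tuples. The last two rows are constructed
# benign controls that do not appear in the report.
P164 = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe"
P232 = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
SAMPLE_EVENTS = [
    ("Key created", RTP, P164),
    ("Set value (int)", RTP + r'\DisableBehaviorMonitoring = "1"', P164),
    ("Set value (int)", RTP + r'\DisableRealtimeMonitoring = "1"', P164),
    ("Set value (int)", RTP + r'\DisableRealtimeMonitoring = "1"', P232),
    ("Set value (int)", RTP + r'\DisableIOAVProtection = "1"', P232),
    ("Set value (int)", FEATURES + r'\TamperProtection = "0"', P164),
    # constructed control: a "0" write re-enables monitoring and must not fire
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0"', r"C:\Windows\System32\svchost.exe"),
    # constructed control: unrelated key
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Contoso\Agent\Enabled = "1"', r"C:\Program Files\Contoso\agent.exe"),
]

# The report writes indicators as  <key>\<value name> = "<data>"
INDICATOR_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)"$')
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# (rule name, normalized key, value-name predicate, data value that triggers)
RULES = [
    ("defender_realtime_protection_disabled",
     r"hklm\software\policies\microsoft\windows defender\real-time protection",
     lambda n: n.lower().startswith("disable"), "1"),
    ("defender_tamper_protection_off",
     r"hklm\software\microsoft\windows defender\features",
     lambda n: n.lower() == "tamperprotection", "0"),
]


def normalize_key(raw):
    """Map the sandbox's native key path to lower-case HKLM/HKU form without the WOW6432Node view."""
    key = raw
    for prefix, short in HIVES.items():
        if key.upper().startswith(prefix.upper()):
            key = short + key[len(prefix):]
            break
    # A 32-bit process sees HKLM\SOFTWARE through WOW6432Node; fold it so one
    # rule matches both the native and the redirected spelling.
    return re.sub(r"\\WOW6432NODE(?=\\)", "", key, flags=re.IGNORECASE).lower()


def evaluate(events):
    """Return {process: sorted [(rule, value name)]} for every Set-value event that trips a rule."""
    findings = defaultdict(set)
    for description, indicator, process in events:
        if not description.startswith("Set value"):
            continue  # creating the key alone proves nothing
        m = INDICATOR_RE.match(indicator)
        if not m:
            continue
        key = normalize_key(m["key"])
        for rule, rule_key, name_ok, bad_data in RULES:
            if key == rule_key and name_ok(m["name"]) and m["data"] == bad_data:
                findings[process].add((rule, m["name"]))
    return {proc: sorted(hits) for proc, hits in findings.items()}


if __name__ == "__main__":
    for proc, hits in evaluate(SAMPLE_EVENTS).items():
        print(proc)
        for rule, name in hits:
            print(f"  {rule}: {name}")
```

Run against the copied rows, 164254601.exe is attributed three hits (two Real-Time Protection values plus TamperProtection) and 232809639.exe two; the svchost.exe and Contoso control rows produce nothing. The same normalization is what you need when the source is a Sysmon EventID 13 feed rather than a sandbox export, where TargetObject is written with the HKLM\ prefix and, for 32-bit writers, the WOW6432Node component.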

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tl271594.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YA349765.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eg824009.exe N/A

Note: the wextract_cleanupN RunOnce entries are written by the Windows IExpress self-extractor (wextract) so that its IXP00N.TMP staging directory is deleted at the next logon via advpack.dll,DelNodeRunDLL32. They do not start the payload, so this is not persistence in the usual sense; what they do show is that the submitted file is four nested IExpress packages (IXP000 to IXP003), each extracting and running the next, with the Healer components landing in IXP003.TMP. The genuine persistence for this sample is the scheduled task created for oneetx.exe (see "Scheduled Task/Job" and the Processes section).

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tl271594.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YA349765.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\463804643.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eg824009.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397120157.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe (3 events) N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe (4 events) N/A

Note: every process in the chain opens this key, including the Windows system binaries cmd.exe, cacls.exe and schtasks.exe, so the event reflects ordinary process start-up rather than a sample-specific locale check. On its own it is weak evidence; the Geo\Nation query under "Checks computer location settings" is the deliberate location lookup.

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\463804643.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397120157.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(the sandbox logs three writes for every process start; each row below stands for three identical events)
PID 1124 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tl271594.exe
PID 1700 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tl271594.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YA349765.exe
PID 4984 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YA349765.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eg824009.exe
PID 816 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eg824009.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe
PID 816 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eg824009.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe
PID 4984 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YA349765.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397120157.exe
PID 4140 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397120157.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1700 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tl271594.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\463804643.exe
PID 3804 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3804 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2176 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2176 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
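The WriteProcessMemory rows are the only place in this export that records which process started which, so they are the raw material for the process tree. The script below is an added example, not part of the report: it parses the rows in the report's own format, collapses the triple-logged writes into one parent-to-child edge per process start, renders the tree, answers "how did oneetx.exe come to exist" as a chain of images, and lists the IXP00N.TMP staging directories so the number of nested IExpress layers can be read off. The rows are copied from the table above (the first edge deliberately kept three times); the function names are my own.

```python
import re
from collections import defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
STAGE_RE = re.compile(r"IXP\d{3}\.TMP")  # wextract (IExpress) staging directories

T = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\SysWOW64"
SAMPLE = T + r"\db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe"
# Rows copied from the WriteProcessMemory table above. The first edge is kept
# three times, exactly as the sandbox logged it, to exercise the de-duplication.
SAMPLE_ROWS = [
    f"PID 1124 wrote to memory of 1700 N/A {SAMPLE} {T}\\IXP000.TMP\\Tl271594.exe",
    f"PID 1124 wrote to memory of 1700 N/A {SAMPLE} {T}\\IXP000.TMP\\Tl271594.exe",
    f"PID 1124 wrote to memory of 1700 N/A {SAMPLE} {T}\\IXP000.TMP\\Tl271594.exe",
    f"PID 1700 wrote to memory of 4984 N/A {T}\\IXP000.TMP\\Tl271594.exe {T}\\IXP001.TMP\\YA349765.exe",
    f"PID 4984 wrote to memory of 816 N/A {T}\\IXP001.TMP\\YA349765.exe {T}\\IXP002.TMP\\Eg824009.exe",
    f"PID 816 wrote to memory of 3652 N/A {T}\\IXP002.TMP\\Eg824009.exe {T}\\IXP003.TMP\\164254601.exe",
    f"PID 816 wrote to memory of 2352 N/A {T}\\IXP002.TMP\\Eg824009.exe {T}\\IXP003.TMP\\232809639.exe",
    f"PID 4984 wrote to memory of 4140 N/A {T}\\IXP001.TMP\\YA349765.exe {T}\\IXP002.TMP\\397120157.exe",
    f"PID 4140 wrote to memory of 3804 N/A {T}\\IXP002.TMP\\397120157.exe {T}\\cb7ae701b3\\oneetx.exe",
    f"PID 1700 wrote to memory of 4208 N/A {T}\\IXP000.TMP\\Tl271594.exe {T}\\IXP001.TMP\\463804643.exe",
    f"PID 3804 wrote to memory of 4516 N/A {T}\\cb7ae701b3\\oneetx.exe {SYS}\\schtasks.exe",
    f"PID 3804 wrote to memory of 2176 N/A {T}\\cb7ae701b3\\oneetx.exe {SYS}\\cmd.exe",
    f"PID 2176 wrote to memory of 736 N/A {SYS}\\cmd.exe {SYS}\\cmd.exe",
    f"PID 2176 wrote to memory of 4352 N/A {SYS}\\cmd.exe {SYS}\\cacls.exe",
    f"PID 2176 wrote to memory of 728 N/A {SYS}\\cmd.exe {SYS}\\cacls.exe",
    f"PID 2176 wrote to memory of 5096 N/A {SYS}\\cmd.exe {SYS}\\cmd.exe",
    f"PID 2176 wrote to memory of 3888 N/A {SYS}\\cmd.exe {SYS}\\cacls.exe",
    f"PID 2176 wrote to memory of 4284 N/A {SYS}\\cmd.exe {SYS}\\cacls.exe",
]


def build_tree(rows):
    """Collapse the per-write rows into one parent->child edge per process start."""
    image, parent, children, seen = {}, {}, defaultdict(list), set()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        ppid, pid, pimg, cimg = m.groups()
        image.setdefault(ppid, pimg)
        image.setdefault(pid, cimg)
        if (ppid, pid) in seen:  # repeated write into the same child: same start
            continue
        seen.add((ppid, pid))
        parent[pid] = ppid
        children[ppid].append(pid)
    roots = [p for p in image if p not in parent]
    return roots, parent, children, image


def render(roots, children, image):
    """Indented process tree, one line per process, in creation order."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{image[pid]} (pid {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def chain(pid, parent, image):
    """Images from the root down to pid: how a given process came to exist."""
    path = [pid]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return [image[p] for p in reversed(path)]


def iexpress_stages(image):
    """Distinct wextract staging directories seen in any image path."""
    return sorted({m.group(0) for img in image.values() for m in [STAGE_RE.search(img)] if m})


if __name__ == "__main__":
    roots, parent, children, image = build_tree(SAMPLE_ROWS)
    print("\n".join(render(roots, children, image)))
    oneetx = next(p for p, img in image.items() if img.endswith("oneetx.exe"))
    print("\noneetx.exe lineage:", " -> ".join(chain(oneetx, parent, image)))
    print("IExpress stages:", iexpress_stages(image))
```

The tree this produces has a single root (PID 1124, the submitted file), four IExpress stages, and two payload branches: the Healer pair under Eg824009.exe (PIDs 3652 and 2352) and the Amadey loader 397120157.exe that drops oneetx.exe, which in turn runs schtasks.exe and the cmd.exe/cacls.exe chain. PID 4208 (463804643.exe) hangs directly off the first stage.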

Processes

Image Command line
C:\Users\Admin\AppData\Local\Temp\db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe "C:\Users\Admin\AppData\Local\Temp\db253ba569f2268c29fa8f944d606268c9c8527f6fb6bcf3bd786da42c994c2e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tl271594.exe (command line identical to the image path)
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YA349765.exe (command line identical to the image path)
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eg824009.exe (command line identical to the image path)
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe (command line identical to the image path)
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe (command line identical to the image path)
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2352 -ip 2352
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1032
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397120157.exe (command line identical to the image path)
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\463804643.exe (command line identical to the image path)
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe CACLS "..\cb7ae701b3" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe CACLS "..\cb7ae701b3" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe (command line identical to the image path)
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe (command line identical to the image path)

Notes on the process list:

The two WerFault.exe instances are Windows Error Reporting handling the crash of PID 2352 (232809639.exe); this is the "Program crash" signature from the summary.

The command lines name C:\Windows\System32\schtasks.exe and cmd.exe while the executed images are under C:\Windows\SysWOW64: oneetx.exe is a 32-bit process, so file system redirection maps System32 to SysWOW64 for it. Detection rules keyed on the image path must allow for both spellings.

The schtasks command registers a task named oneetx.exe that re-runs the dropped binary every minute (/SC MINUTE /MO 1), overwriting any existing task of that name (/F). The two trailing oneetx.exe launches without a quoted command line are consistent with that task firing during the 147 s run.

The cacls sequence is the Amadey self-protection step. CACLS "oneetx.exe" /P "Admin:N" without /E replaces the file's ACL with a single entry granting the Admin account no access; CACLS "oneetx.exe" /P "Admin:R" /E then edits that ACL to add read. The same is done for the parent directory ..\cb7ae701b3. The account that installed the malware can afterwards read but not modify or delete the payload or its folder without first taking ownership or resetting the ACL. echo Y| answers the "Are you sure (Y/N)?" prompt that CACLS asks when replacing an ACL, and because echo is a cmd built-in, cmd.exe re-spawns itself (cmd.exe /S /D /c" echo Y") to produce the left-hand side of each pipe, which is why two extra cmd.exe children appear.
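The schtasks and cacls command lines above are the highest-value detection content in this report: a one-minute task pointing into a user-writable directory and a file ACL reset to "no access" for the current user are both unusual for legitimate software. The following is an added example, not code from the report or the sandbox vendor. It tokenizes Windows command lines (double quotes group, as CommandLineToArgvW does for the simple cases here), splits a cmd.exe /k or /c argument into its && and | sub-commands so the CACLS calls buried in the one-liner are analysed like the directly spawned ones, and raises two findings: a scheduled task created with /SC MINUTE at a short interval whose /TR target lives under a user-writable path, and a CACLS /P call that replaces an ACL with an N (no access) entry. The command lines are copied from the Processes section; the daily ContosoBackup task is a constructed benign control, and MAX_MINUTES, the user-writable path list and the rule names are my own assumptions.

```python
import re

MAX_MINUTES = 5  # assumed threshold: a task firing at least this often is worth flagging
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)
CMD_TAIL = re.compile(r'^"?(?:[^"\s]*\\)?cmd\.exe"?\s+/[kc]\s*(.*)$', re.I)
VALUE_OPTS = {"/SC", "/MO", "/TN", "/TR", "/ST", "/RU", "/RL", "/D"}  # schtasks switches that take a value

# Command lines from the Processes section above, plus one constructed benign
# control (the daily task under Program Files) that is not in the report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'CACLS "oneetx.exe" /P "Admin:R" /E',
    r'schtasks /Create /SC DAILY /TN ContosoBackup /TR "C:\Program Files\Contoso\backup.exe"',
]


def win_split(cmdline):
    """Tokenize a Windows command line: whitespace separates, double quotes group and are dropped."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def split_cmd_chain(text):
    """Split a cmd.exe /k or /c argument into sub-commands on && and | outside quotes."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"':
            quoted = not quoted
        elif not quoted and (text.startswith("&&", i) or ch == "|"):
            parts.append("".join(cur))
            cur = []
            i += 2 if ch == "&" else 1
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_schtasks(tokens):
    """Map each /SWITCH to its value (True for bare switches); keys upper-cased without the slash."""
    opts, i = {}, 1
    while i < len(tokens):
        key = tokens[i].upper()
        if key in VALUE_OPTS and i + 1 < len(tokens):
            opts[key[1:]] = tokens[i + 1]
            i += 2
        else:
            opts[key[1:]] = True
            i += 1
    return opts


def parse_cacls(tokens):
    """Return (target, edit_mode, [(account, permission)]) for a CACLS invocation."""
    target = tokens[1] if len(tokens) > 1 else None
    edit = any(t.upper() == "/E" for t in tokens)  # without /E the whole ACL is replaced
    grants = []
    for i, t in enumerate(tokens[:-1]):
        if t.upper() in ("/P", "/G") and ":" in tokens[i + 1]:
            account, perm = tokens[i + 1].rsplit(":", 1)
            grants.append((account, perm.upper()))
    return target, edit, grants


def _exe_name(token):
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _int(value, default):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def analyze(cmdlines):
    """Return (rule, target) findings for the task and ACL-lock patterns seen above."""
    findings = []
    for line in cmdlines:
        tokens = win_split(line)
        if not tokens:
            continue
        name = _exe_name(tokens[0])
        if name == "schtasks":
            o = parse_schtasks(tokens)
            if (o.get("CREATE") and str(o.get("SC", "")).upper() == "MINUTE"
                    and _int(o.get("MO"), 1) <= MAX_MINUTES
                    and USER_WRITABLE.search(str(o.get("TR", "")))):
                findings.append(("scheduled_task_minute_interval_from_temp", o.get("TN", o.get("TR"))))
        elif name == "cmd":
            m = CMD_TAIL.match(line)
            if m:  # "echo Y|" only answers the CACLS prompt; the CACLS parts carry the signal
                findings.extend(analyze(split_cmd_chain(m.group(1))))
        elif name == "cacls":
            target, edit, grants = parse_cacls(tokens)
            if not edit and any(perm == "N" for _, perm in grants):
                findings.append(("acl_replaced_with_no_access", target))
    return findings


if __name__ == "__main__":
    for rule, target in analyze(SAMPLE_CMDLINES):
        print(f"{rule}: {target}")
```

On the copied lines this yields one scheduled-task finding for oneetx.exe and three ACL findings (oneetx.exe twice, once from inside the cmd.exe one-liner and once from the directly observed CACLS process, and ..\cb7ae701b3 once); the /E edit calls and the daily control task are not flagged. When feeding real telemetry, run the same logic over the Sysmon EventID 1 CommandLine field and expect the parent to be the dropped binary rather than cmd.exe for the schtasks call.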

Network

Country Destination Domain Proto Events
US 8.8.8.8:53 (reverse lookups, listed below) udp 12
RU 193.3.19.154:80 (none; connected by IP) tcp 4
RU 185.161.248.72:38452 (none; connected by IP) tcp 6

Reverse (PTR) names queried via 8.8.8.8: 8.8.8.8.in-addr.arpa, 28.118.140.52.in-addr.arpa, 64.159.190.20.in-addr.arpa, 70.209.201.84.in-addr.arpa, 95.221.229.192.in-addr.arpa, 56.163.245.4.in-addr.arpa, 198.187.3.20.in-addr.arpa, 172.214.232.199.in-addr.arpa, 154.239.44.20.in-addr.arpa, 172.210.232.199.in-addr.arpa, 88.210.23.2.in-addr.arpa, 48.229.111.52.in-addr.arpa

Note: the sample never resolves a hostname; both command-and-control endpoints are contacted by IP address, with plain HTTP on port 80 to 193.3.19.154 and a raw TCP session on port 38452 to 185.161.248.72. Those two IP:port pairs are the network indicators to block. The PTR queries carry no sample payload: they are the guest resolving addresses it has talked to, and most of the queried addresses sit in Microsoft and CDN ranges typical of operating-system background traffic, so treat them as context rather than as indicators.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tl271594.exe

MD5 79ae3b701db90f96e872a170ec19b6ec
SHA1 d27d579a915b1e934e00bf324400dc21ebff0804
SHA256 eb35a0dde84b121aadf3aa952bde178ac57342fc9c9563e666d4665ef6f7fba0
SHA512 d9df7b52a940fc3ee7cc10fb0f63fd150541cff1b83ec8c0ad0da17c868f08ae091a14ecc3ab627314e555ce4920f9da2df1b8a771d751cc58e6d7cadadbd6a1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YA349765.exe

MD5 27989837bb4ba4f868d7f5469a4e46ad
SHA1 94c90da9ef73e8f6b94ba6ca1c28bf99067c00e2
SHA256 22956deba058821ee55e76dcc51259931aa2ba305538eb47b004a2c730e0e7c3
SHA512 359e1c0c4ca9e6c6ecf733fe514a7adeaa6717f02635b179a3700af8fcf1c82db24d51ccb375f9e0552d3f4f7b642610f7cf7b977aad6d6c5a7fce8e6e3e3f56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Eg824009.exe

MD5 efc352558ad7d290c1c3c519d150c5b7
SHA1 17eebacc70c5a6bc0f7c9d65106081f3af602da0
SHA256 1fe5acf6948ecaa3640370fcdcf88af99cdd16e2667f92c3319efb6bb0f55db4
SHA512 e6e4ba78aebec7fda056a1b599790464b77e241eb6c01d802809da2b1c807884fda912ae16a11de5964e9a7194c006cc67cc312d0da7701e3bee76262bef9ef2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\164254601.exe

MD5 77d4a51dd3f4798690fba9109abd5e05
SHA1 cdc864671c88e0e60be7544a44b42878f557571b
SHA256 aefb330bdc47080ef15945e94fc26f6c0f33ab075a81a6a4ab49ada8b20cb34e
SHA512 520eca6490612d9d1789c30d3fe26c00ab77b10ea941f3f43f38c5845889568f6423c43b9092cc8888373bb7b34ae760c119e2e3f092fc07e75bead343bfb32c

memory/3652-28-0x00000000023F0000-0x000000000240A000-memory.dmp

memory/3652-29-0x0000000004AA0000-0x0000000005044000-memory.dmp

memory/3652-30-0x0000000005090000-0x00000000050A8000-memory.dmp

memory/3652-31 to 3652-58 (15 dumps) 0x0000000005090000-0x00000000050A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\232809639.exe

MD5 1a3d19d354efd3a3a02e0fe6ed0a588a
SHA1 ae7e88cec15a6967d4d2fa056e1f37a973a717cf
SHA256 70efb5a809389527e2ccae9a9d3cfa05619aceced4138dad70b7673ee7dd0386
SHA512 8d3b124a5ab38e736df043ae6640edbb5d474e2fee1bdc78d46f533c919dc1f27da4bdb5088f4420a2c42991c86453b2aad9f62090bc8dc716d3907a83e4f4b2

memory/2352-64-0x00000000024A0000-0x00000000024BA000-memory.dmp

memory/2352-65-0x00000000024C0000-0x00000000024D8000-memory.dmp

memory/2352-66 to 2352-93 (15 dumps) 0x00000000024C0000-0x00000000024D2000-memory.dmp

memory/2352-95-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\397120157.exe

MD5 eac5b3301594e554f8ad328404bbd551
SHA1 35cf34263ccacb9f7ea05bc453909ad206d9ffac
SHA256 e768d37f8313b9622da97fa061702024b4a0eac513d8dd010303f5639efe413f
SHA512 89d13632d1a2afbf7ac6475001975c421a208a863cd3688f9c8cc9a63cf478b80bde8594db053333a1ebe987fb97b6fcde56030d6eb51467ba991bfddc86c915

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\463804643.exe

MD5 bcf890a4c86c225051a8d6a457a770da
SHA1 fd468bf62ac7508973537378ca377b1035cdbff4
SHA256 6a710d223435246c72e74ea4c084d395d1848b91f7ec456876e09cbade895792
SHA512 ba63f7ec86c82c2ee9beb795a944e5ddef66c77300510779899ec56b3bc5995e378f5ffef07abe1bfd74ff19c55503c0d363bf14eefca3361f9820ee3a30293d

memory/4208-114-0x0000000002480000-0x00000000024BC000-memory.dmp

memory/4208-115-0x0000000002670000-0x00000000026AA000-memory.dmp

memory/4208-116 to 4208-121 (4 dumps) 0x0000000002670000-0x00000000026A5000-memory.dmp

memory/4208-908-0x00000000075F0000-0x0000000007C08000-memory.dmp

memory/4208-909-0x0000000007C10000-0x0000000007C22000-memory.dmp

memory/4208-910-0x0000000007C30000-0x0000000007D3A000-memory.dmp

memory/4208-911-0x0000000007D40000-0x0000000007D7C000-memory.dmp

memory/4208-912-0x0000000002390000-0x00000000023DC000-memory.dmp