Malware Analysis Report

2024-12-06 02:55

Sample ID 241110-cc32gsxcka
Target 161bb51c52ea901a07435e74bd4fb593b2422674ad3d8149e2dcfd88bb198e98
SHA256 161bb51c52ea901a07435e74bd4fb593b2422674ad3d8149e2dcfd88bb198e98
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

161bb51c52ea901a07435e74bd4fb593b2422674ad3d8149e2dcfd88bb198e98

Threat Level: Known bad

The file 161bb51c52ea901a07435e74bd4fb593b2422674ad3d8149e2dcfd88bb198e98 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Healer family

Amadey family

Healer

Amadey

RedLine payload

RedLine

Redline family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:56

Reported

2024-11-10 01:59

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\161bb51c52ea901a07435e74bd4fb593b2422674ad3d8149e2dcfd88bb198e98.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\392642752.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jv151069.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cq040463.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\161bb51c52ea901a07435e74bd4fb593b2422674ad3d8149e2dcfd88bb198e98.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM954475.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\392642752.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM954475.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cq040463.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jv151069.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\161bb51c52ea901a07435e74bd4fb593b2422674ad3d8149e2dcfd88bb198e98.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\439711276.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\439711276.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\392642752.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\161bb51c52ea901a07435e74bd4fb593b2422674ad3d8149e2dcfd88bb198e98.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM954475.exe
PID 208 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM954475.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jv151069.exe
PID 4676 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jv151069.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cq040463.exe
PID 832 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cq040463.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe
PID 832 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cq040463.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe
PID 4676 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jv151069.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\392642752.exe
PID 3244 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\392642752.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 208 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM954475.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\439711276.exe
PID 1268 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1268 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2328 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2328 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2328 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\161bb51c52ea901a07435e74bd4fb593b2422674ad3d8149e2dcfd88bb198e98.exe

"C:\Users\Admin\AppData\Local\Temp\161bb51c52ea901a07435e74bd4fb593b2422674ad3d8149e2dcfd88bb198e98.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM954475.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM954475.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jv151069.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jv151069.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cq040463.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cq040463.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3544 -ip 3544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\392642752.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\392642752.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\439711276.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\439711276.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.161.248.72:38452 tcp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iM954475.exe

MD5 b4190c69597c67179ccac05fefa0c4e6
SHA1 7317e5521290c5573eba1978b559be69351ae856
SHA256 7f91e6c06c19bc2e5a4a61173ec5fff5ac35e2a71a197c381224800b3d291af0
SHA512 183320af8dbef799cba95a58a0b72fa01bd8df7bb024665c9714f41042457e1bc2a640d046ad7b98bffb6ff7e142609cc097c1c6852f330a1585c7e643989ef9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jv151069.exe

MD5 cedbfba9465bad91ae003bee5cede42b
SHA1 cacc7ec4d4313220f6b3874af87127a9e0542ccc
SHA256 7a6afab7b5174462197b1d34f97dd669b9b86b59600ebb484cf69453ff54305c
SHA512 4d1ddb81e1a9e9959fb9b644106824e75a4c08ad5d3549cb4b899ef9f18619d18e186023e1834761fd0c9ccb6e70e93159e7a422c65ae113e68ce65e041f0c84

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cq040463.exe

MD5 2da8e2f1d3078cc7db6e8f5d34fc5f66
SHA1 faf9bf6d8cfa6b20650de4f100230e32d6fe2710
SHA256 4069dfd95fd6980e9e7b21722bf0b6cbf4f6c2fa798a2f4d060008d8ff47f8f1
SHA512 054fff68de660bb7a4b0c369b208657b06785d1d0f3fb01baa82da603e8953702593905fe4c7837e627fd89839eaa5c6027496f3bca89d8c037eb7ab83a5cdd9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\112806942.exe

MD5 5a0e2b1e5cecc971c519274a27bae40c
SHA1 e793f317be21ba2041d9c69118901ef062210316
SHA256 4e6ba7e2b669398c9f540d9b2837eae88f3246a1c5feea7ddfe75b1a0cfea591
SHA512 4a24c9bf9d2a21b8c646263ef11f0ef799d3d01eb467f38bf8c884c1a835def34fca2be8f354c749257540b79df117e8adebeff629a89945c2a14f2762027520

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274612249.exe

MD5 b56ffb4f6563e3f38dd4b41da163be9d
SHA1 e9c4033ebfd737200f3efa7c8a93a9adbd59c0c7
SHA256 47859f7a70c3ef9fec9fe6d651cad974631541a7ad1a86c0e12c25fcceda14e2
SHA512 2de99418929e5ed8d60c24c3b95080c0125679a7c15bb73afd46b6d34a738dd7f28a4ff52bde6d609a92bf29a544da50f0633adbb90a6e08b5d13aebd3a76978

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\392642752.exe

MD5 839c5992f20ea3240c5eb9e5c2c5e3b8
SHA1 6e4f0d32e63c8749b2244f6a23f269141dfbdd5b
SHA256 ac4671564da96f7ce43773b55e91bfd835241f66a8ae866631ee2056ce16f326
SHA512 985c199e7c190d9ac021c0400491a4c9fe3653d67a7a387c9f90ff9ecf317eb5f59d03c8d94f0a74616c745fcdd893a372172d928018caa7d27f32187e9b88a2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\439711276.exe

MD5 39d564add7a35f5f7886e96da927a776
SHA1 18b9baee926ddfc648b72e024fbd6c3a6113853a
SHA256 7899d4690bc83204ff9ae477b95abf684133755f6c5dce5f4009024ed2582b55
SHA512 a92bfd5f80f80d569d28d5778488988c9b5313c98cf39e008bc4f77f9d6d6112253029a3c95a4737a3adc00a20352cd089cb21e0d0fbe5e5873bad0cfff5dd3a
