Malware Analysis Report

2024-12-06 03:01

Sample ID 241110-cdbnmazmdk
Target b804e4bef14abeb9defa64c70cd18c036bdc980b13643fb6302661f632d8c941
SHA256 b804e4bef14abeb9defa64c70cd18c036bdc980b13643fb6302661f632d8c941
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b804e4bef14abeb9defa64c70cd18c036bdc980b13643fb6302661f632d8c941

Threat Level: Known bad

The file b804e4bef14abeb9defa64c70cd18c036bdc980b13643fb6302661f632d8c941 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey family

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine

Redline family

Healer

Amadey

RedLine payload

Detects Healer, an antivirus disabler dropper

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:57

Reported

2024-11-10 01:59

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b804e4bef14abeb9defa64c70cd18c036bdc980b13643fb6302661f632d8c941.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350074372.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b804e4bef14abeb9defa64c70cd18c036bdc980b13643fb6302661f632d8c941.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En566685.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VB907934.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tx154902.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b804e4bef14abeb9defa64c70cd18c036bdc980b13643fb6302661f632d8c941.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VB907934.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458378014.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En566685.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tx154902.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350074372.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458378014.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350074372.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 852 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\b804e4bef14abeb9defa64c70cd18c036bdc980b13643fb6302661f632d8c941.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En566685.exe
PID 4768 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En566685.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VB907934.exe
PID 208 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VB907934.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tx154902.exe
PID 2676 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tx154902.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe
PID 2676 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tx154902.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe
PID 208 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VB907934.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350074372.exe
PID 2908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350074372.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4768 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En566685.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458378014.exe
PID 396 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 396 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 4384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4336 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4336 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4336 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b804e4bef14abeb9defa64c70cd18c036bdc980b13643fb6302661f632d8c941.exe

"C:\Users\Admin\AppData\Local\Temp\b804e4bef14abeb9defa64c70cd18c036bdc980b13643fb6302661f632d8c941.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En566685.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En566685.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VB907934.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VB907934.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tx154902.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tx154902.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1060

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350074372.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350074372.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458378014.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458378014.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.72:38452 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En566685.exe

MD5 2326875f8b81345814c119aaa44b26f9
SHA1 f655f645e4dc563db54318d0a5393a6f0d889c31
SHA256 4c6c20b0cd0d3eb7090df31c77280d406503b9a84c9193ce1baa6ee5d4860fd3
SHA512 0b8732c10d96ba732cb2b29ec9cc6649cd48afaccf1ccd47dd8602ff16b25507aa6f2834367116221f76e4fa1f5c33ce25a6c7993354dbc98292bb6731f07231

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VB907934.exe

MD5 c15f3c673ad98776dcc747f037cd42ea
SHA1 6dcbfdc611460ce3c338e1a08277383a2c1421d1
SHA256 b014f5a686af4caaee06ed91f72a994d357983015fe15c312eb6645c6e822547
SHA512 b97d26860af305d408d668c308d2b788c952e3cc84ef95a28220686f5f07dd18ba9653d3126d2e7f46357b609512019dcde5f22325166ec9bbb1d057e415497d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tx154902.exe

MD5 e43bd6875a7176d34def020fc7a078b4
SHA1 777a96b946eaf3a752eb823d1822eb3a92b07b5b
SHA256 4fccd1ebf4f6fc6913acd69bb543c337120b7c4d50ed106ba12fa33e425794b9
SHA512 9bf4e11d1067a2e7f3e02beb365cb7842b3c2d0f66341a5646612201f85df9759bcfa5d361d83d9834e79c851db400172b0ce7d60a278dddcb1fb0b34a24f0fe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\196742060.exe

MD5 1ad4110f9ae32557814b346775fe1e79
SHA1 b17b14f3035501a4b9b06c3da0568ec924439cb3
SHA256 6a50b4cb48201d2e8c2a750c1a833b865aa114a6237a4c325a5ccca5ab1be837
SHA512 bcf87166759a353b6655dac14551857fc4e17bb0dfd83ce3a9b2d1be867fa36b890baee416b116a70fa034c90b0990bca7c9942951a388b8de407eb18d45639e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\292442093.exe

MD5 b29e95cccca2b34829a4428ffc3da5c1
SHA1 52bbec6a5d18329e1fcc40b18f979fa477055cfb
SHA256 844cc129df2a242ef9fe77633d84f80d7574675290c8d4a4931a84531555a69f
SHA512 d4d645d36301a654e21822cebc94e3a1b750b35d3b663569eb3400fe266316ba8af6f97f4c9bc2bd30c843c100f23c479b045901755e0800789cab1a449eec00

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350074372.exe

MD5 beedd6e9bef9518e8d8aa5f104994950
SHA1 dd0fe488ce807f0f79b7b9e212f97d04a86e722a
SHA256 16ca9a4c74429063cb7ef75f01cdae4ae23ac4a1c36d215622959f7f9b5d9518
SHA512 33c25c4f04b71e0e378142b7d8886e8c5ef3ca2374472e1c30ae9733ef03e9fbb6c875afcb826363fbeb44250521746a07864d95cc8e0024cc187d5557d42d9b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\458378014.exe

MD5 fb8deb1cd7d239c98e3e488126b24a33
SHA1 d891850ead14fb20b2639a39169c5f89b353ce17
SHA256 d9f7aec94fb46af2921728a91ae12b055048dcc27480cafe4471d04188d24020
SHA512 7d3f9ff10d19246bf71efe6920634d1412757d893aad366243804e4feff712a1627d52f43d992a6dc322edb0c1dbe9d0a5d302a6e7b8faaa226cd95569574d9b