Malware Analysis Report

2024-12-06 02:56

Sample ID 241110-cgbssszmhl
Target 7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611N
SHA256 7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611
Tags
amadey healer redline 9c0adb gena most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611

Threat Level: Known bad

The file 7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611N was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb gena most discovery dropper evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

Healer family

Amadey

Amadey family

Detects Healer an antivirus disabler dropper

Healer

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:02

Reported

2024-11-10 02:04

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611N.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f92626627.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe
PID 1984 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe
PID 1984 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe
PID 4672 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe
PID 4672 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe
PID 4672 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe
PID 3504 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe
PID 3504 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe
PID 3504 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe
PID 2964 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe
PID 2964 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe
PID 2964 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe
PID 3612 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe
PID 3612 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe
PID 3612 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe
PID 3100 wrote to memory of 5312 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe C:\Windows\Temp\1.exe
PID 3100 wrote to memory of 5312 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe C:\Windows\Temp\1.exe
PID 3612 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe
PID 3612 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe
PID 3612 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe
PID 2964 wrote to memory of 5148 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe
PID 2964 wrote to memory of 5148 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe
PID 2964 wrote to memory of 5148 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe
PID 5148 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5148 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5148 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3504 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe
PID 3504 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe
PID 3504 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe
PID 4636 wrote to memory of 5908 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4636 wrote to memory of 5908 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4636 wrote to memory of 5908 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4636 wrote to memory of 5780 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 5780 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 5780 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5780 wrote to memory of 6112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5780 wrote to memory of 6112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5780 wrote to memory of 6112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5780 wrote to memory of 5216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 5216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 5216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 5128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5780 wrote to memory of 5128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5780 wrote to memory of 5128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5780 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 5136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 5136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5780 wrote to memory of 5136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1636 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe C:\Windows\Temp\1.exe
PID 1636 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe C:\Windows\Temp\1.exe
PID 1636 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe C:\Windows\Temp\1.exe
PID 4672 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f92626627.exe
PID 4672 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f92626627.exe
PID 4672 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f92626627.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611N.exe

"C:\Users\Admin\AppData\Local\Temp\7f869cc556e31fe343714bac6e7216efef03ea59f647cea6b9445a27c628f611N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5632 -ip 5632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1636 -ip 1636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f92626627.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f92626627.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp
RU 185.161.248.73:4164 N/A tcp
RU 193.3.19.154:80 N/A tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
RU 185.161.248.73:4164 N/A tcp
RU 193.3.19.154:80 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jE111520.exe

MD5 0118c50586aa4c0428a0a4b8c00245c1
SHA1 66fdfad4d428762d1ea3cf9c07cfebbbe1118343
SHA256 977572e1d25f106aa51ac3a2d8a887085c097e2353ed570acae66258cf336d03
SHA512 8c03bccd6ce87e37d28cade801595b58b14693a2e5e6e0c2ab1201e0f92b5de357b3f6f5a474643333d43965f2cc95c4c38cbd787c307c2a366e996b2087070c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gq127937.exe

MD5 140a24aa631b2d625ed2328049a87128
SHA1 81feefba1d3c70197b7dfc893bbbbb9f8f8f1719
SHA256 f100867298b48160f7ddbfeab695b03765ae0ac59e10617a22545b62c755332b
SHA512 bb9ee171fd5d95da2b178c4add48621b80e9753627fd03082dd81ec6855c52a5a04d82a178a4594d7a1cd87a6f96501396846e955a279ed5b69d9b55972c2a84

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo597092.exe

MD5 1a03d92d58c57058e976dac405709da2
SHA1 b2be78a134043a6c411d2b9f79ae1079b96e52cb
SHA256 967fe15e75e38f58f61d7a7382df7b1a945dc22216cb5db3e93f10e6118d9c8f
SHA512 9af6a1d64395373a54c9dfd7d021f21ac0804e4cb390031a95cffad08f7ea0dcafbab70133864c958b4032c04e3353a8d96f6b4040222d3e5d1e9b2ee50de332

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mk232306.exe

MD5 984db1d4c8ed10a93b1d67561c42628f
SHA1 2b8b151accbb9e54f6dfc1c200fe389e40ee0a5f
SHA256 502f9b31dee2fd5da588a192a8ce41608f71467de4bee80a320c35e887271988
SHA512 d248be1cc261a34e364d534945fb2720bc88910a7c0e437bc6d11a56f1d63f3e46f5e163e97aeabb70c1734fb4c6f4bec8dc78d57026a1cb9ad1bdef7674d9aa

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a57390674.exe

MD5 82c52bd36dd6aef49d794603643c74e1
SHA1 c45c0cfdf3626b88271cdcc950fed0e25d398e29
SHA256 961bdf0aab6286eceefd222657d9ca841acb6099cb69100fe527ec827bc3e063
SHA512 ee4dd9975f6e441e79b307308e8aba2fcf52f0f375d40046355134640f70b5660108cf898857e2bf89fd07a6530e24c776b5095efa24523ae96c362ff0a770a4

memory/3100-35-0x0000000004A20000-0x0000000004A78000-memory.dmp

memory/3100-36-0x0000000004AE0000-0x0000000005084000-memory.dmp

memory/3100-37-0x00000000050E0000-0x0000000005136000-memory.dmp

memory/3100-39-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-89-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-65-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-55-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-51-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-38-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-101-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-99-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-97-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-95-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-93-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-91-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-87-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-85-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-83-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-81-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-79-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-77-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-76-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-73-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-71-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-69-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-67-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-63-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-61-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-59-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-57-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-53-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-49-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-47-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-45-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-44-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-41-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3100-2166-0x0000000005430000-0x000000000543A000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/5312-2179-0x0000000000F20000-0x0000000000F2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b49313789.exe

MD5 acb8375619853853280ef5e1e12dad44
SHA1 9ad756806c43077bc96f518798a9770e71c913da
SHA256 1dd0ab84e9be3d496452bf6f0da010712eaf0ba1ac6f90bf82b09d5f113d4183
SHA512 fe7d689d7e5c4169984cafeae4b7b37cfa2d15ce7bc85c2dd78a9103558cb402545a215736bf0762ea1b180123e996fa56be9314258d27c3a3f92f6f22e8930f

memory/5632-2184-0x00000000026E0000-0x00000000026FA000-memory.dmp

memory/5632-2185-0x00000000027C0000-0x00000000027D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c78305502.exe

MD5 030b677b34f25a90d0469b9e3f1e418e
SHA1 b132c78fcfa0ca0a508c6d1e4d0236721390be24
SHA256 2a22fad18e05acec3d3c49a8c323cb61979ba7a0e118c9561750edeb059a08f9
SHA512 c1eb108df2aef7922e702914ce8289fe2f57e50c93b470a79e90683eace62a2ca60e0c20de3d2f0a07a5cc4c7315c23718c939f39fff9dfaaad8de07a71b320e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d98547455.exe

MD5 302f8952a3d37f83138646147477de2f
SHA1 cce32410dee1cd2e4668d1af789beee9ae3f21a6
SHA256 6febb56d0f6745682530d1d625fc1fa7dce7b68d0b9ef2bf6c088eadbfe45456
SHA512 786d5a5db7e58fc00876de970650cd499f2f59e0a1c4be2f5beef5319f41aec15e13f9facdcff8d4125e6fc9d54520491b1de06c30807cf34b7bc35970d78207

memory/1636-2234-0x00000000027E0000-0x0000000002848000-memory.dmp

memory/1636-2235-0x0000000005550000-0x00000000055B6000-memory.dmp

memory/1636-4382-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Windows\Temp\1.exe

MD5 f16fb63d4e551d3808e8f01f2671b57e
SHA1 781153ad6235a1152da112de1fb39a6f2d063575
SHA256 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512 fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

memory/652-4395-0x0000000000C90000-0x0000000000CBE000-memory.dmp

memory/652-4396-0x0000000002D90000-0x0000000002D96000-memory.dmp

memory/652-4397-0x0000000005C60000-0x0000000006278000-memory.dmp

memory/652-4398-0x0000000005750000-0x000000000585A000-memory.dmp

memory/652-4399-0x0000000005610000-0x0000000005622000-memory.dmp

memory/652-4400-0x0000000005640000-0x000000000567C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f92626627.exe

MD5 af55b5f20ba0f4e3483ff023b9765a83
SHA1 d4ed6b176197a105860c7a37cca416e902cb2501
SHA256 67686d4ffbecae665fd8606a39b0bf32b09b039622c3f12c95ae59c324cdab9c
SHA512 6f4eb14df47bcf82ddb803b48bfd701c417d47b504bbd05e481c994308c0c905f8a6555d10cdc1d647112f47d02587db4a83064357ce0ec3bd2ebdf7216067db

memory/652-4405-0x00000000056C0000-0x000000000570C000-memory.dmp

memory/3136-4406-0x0000000000410000-0x0000000000440000-memory.dmp

memory/3136-4407-0x00000000025A0000-0x00000000025A6000-memory.dmp