Malware Analysis Report

2024-12-06 02:56

Sample ID 241110-cj9slsznej
Target c90a4448aa6ba41b5dff530982a99913167e2733d26c96e4c86e78ddf430cfde
SHA256 c90a4448aa6ba41b5dff530982a99913167e2733d26c96e4c86e78ddf430cfde
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c90a4448aa6ba41b5dff530982a99913167e2733d26c96e4c86e78ddf430cfde

Threat Level: Known bad

The file c90a4448aa6ba41b5dff530982a99913167e2733d26c96e4c86e78ddf430cfde was found to be: Known bad.

Malicious Activity Summary


Redline family

Amadey family

Healer

Healer family

Amadey

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine payload

RedLine

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A (no indicator details recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:07

Reported

2024-11-10 02:10

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c90a4448aa6ba41b5dff530982a99913167e2733d26c96e4c86e78ddf430cfde.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A (17 matched entries, no indicator details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A (6 matched entries, no indicator details recorded)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\325533682.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PH010121.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cC807446.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uS251086.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c90a4448aa6ba41b5dff530982a99913167e2733d26c96e4c86e78ddf430cfde.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cC807446.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PH010121.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485547283.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c90a4448aa6ba41b5dff530982a99913167e2733d26c96e4c86e78ddf430cfde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uS251086.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\325533682.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485547283.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\325533682.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each row below was logged three times; the repeated rows are collapsed into one entry with the write count)
PID 4168 wrote to memory of 4720 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\c90a4448aa6ba41b5dff530982a99913167e2733d26c96e4c86e78ddf430cfde.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PH010121.exe
PID 4720 wrote to memory of 4240 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PH010121.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cC807446.exe
PID 4240 wrote to memory of 3868 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cC807446.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uS251086.exe
PID 3868 wrote to memory of 4584 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uS251086.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe
PID 3868 wrote to memory of 1600 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uS251086.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe
PID 4240 wrote to memory of 4268 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cC807446.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\325533682.exe
PID 4268 wrote to memory of 3168 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\325533682.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4720 wrote to memory of 1956 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PH010121.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485547283.exe
PID 3168 wrote to memory of 4004 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3168 wrote to memory of 1028 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 3360 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 1172 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1028 wrote to memory of 1912 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1028 wrote to memory of 3672 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 2760 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1028 wrote to memory of 3568 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c90a4448aa6ba41b5dff530982a99913167e2733d26c96e4c86e78ddf430cfde.exe

"C:\Users\Admin\AppData\Local\Temp\c90a4448aa6ba41b5dff530982a99913167e2733d26c96e4c86e78ddf430cfde.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PH010121.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PH010121.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cC807446.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cC807446.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uS251086.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uS251086.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\325533682.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\325533682.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485547283.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485547283.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PH010121.exe

MD5 e544be849b2aa5bcad760b7cc8ff1495
SHA1 b1eb252df4bdc10cd6fd44875008e694014ac877
SHA256 330b2ceea3d5d39a9539ee98877b4d57d57280511522ac1f2e4bb6ece43ac199
SHA512 1de7339eac926620ee426ceda6fee9461e539264337f583239c071606f57e36affd796c5d227c78b410cbfb42f2d5e1d359e086783303f1a9efc58f5c82e1adf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cC807446.exe

MD5 063a858ed09deab28e3c951695a4f136
SHA1 492a33c54dec1861a94175322ee3d587e06d0598
SHA256 6990acb933cea75d93ca1a75664526a0bdc78c0609ca280fa7e216205816dd99
SHA512 bdbcdefc4771c09d177d9d62a7eb125f080da77946f01bf17da436e7d2e89f5109ab9c88ee225e30a114b76f62c885eb576c2e9af764699629dba21b100e6171

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uS251086.exe

MD5 a625d108eaedd571c2bcaa7c436a299c
SHA1 357b6dc31781fb6f875c8b7c816362b6b43f4518
SHA256 2affd01167421df4876bdb3bd35109b5c0ea45a3a707d285a9cde362f30371b5
SHA512 e2646ca42b13753c3f0640c6df7a99cb9dbe183774286ea1357f8caf45f2bda507af05b9caeee3e50d91c9adf5af154f59bb9bd9fbab4b0d7ccd9f8d4c7d08e6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\181482417.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177


C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282322747.exe

MD5 eccef80a7156067c3522d665b7af20b4
SHA1 f7016057d510cfa94e0fa6e3cf1f3f30e8d3ceee
SHA256 0c10395dad710c5bd713852cd01effc8e80f14a3d115f86f1ffed328e423d022
SHA512 a03f02ba2bd07ff4b6bc4e0f365cc25baff252cd508919c1d149fd4a88b7a5dee3fe612cbd671a6844f0826b0899cb1a015ebed4611f1b85d7561c41a655ad3a

memory/1600-93-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\325533682.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\485547283.exe

MD5 9d156bf69b4f3eae5dccc853f76c4b27
SHA1 bc1b16f12053b77ce435e6a79499a324428f3d06
SHA256 8d14b3dbea71c5b7ce460844f384606c2a17c8daa49572caddb411adc5818c51
SHA512 fb1a1a6a77db114b85815e2d0f9dcee703f14e27c966189f034ed1a17aa885ba15bbb757b360c29ff50ff4fd3d235587f18ba9aa8e0eb747c771872aec36b4ac
