Malware Analysis Report

2025-04-03 14:21

Sample ID 241110-dfqq1axnbz
Target 978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac
SHA256 978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac

Threat Level: Known bad

The file 978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey

Amadey family

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer family

Redline family

Healer

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:57

Reported

2024-11-10 02:59

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462132319.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462132319.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe
PID 1560 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe
PID 1560 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe
PID 4828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe
PID 4828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe
PID 4828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe
PID 2724 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe
PID 2724 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe
PID 2724 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe
PID 736 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe
PID 736 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe
PID 736 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe
PID 736 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe
PID 736 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe
PID 736 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe
PID 2724 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe
PID 2724 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe
PID 2724 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe
PID 4288 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4288 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4288 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4828 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462132319.exe
PID 4828 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462132319.exe
PID 4828 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462132319.exe
PID 4300 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4300 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4300 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4300 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2960 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac.exe

"C:\Users\Admin\AppData\Local\Temp\978c1e85d3001a8605e6bac0e4e550aec2b4592358ceeee565e8585e3e5ba3ac.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3568 -ip 3568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462132319.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462132319.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hp746190.exe

MD5 67e87347fcfc7799c40573c80aaa47b3
SHA1 fd250611a57afb9fe0d10827cd336b45f930ad99
SHA256 8cdd65dec294e1d2837e97965a44618e31f68cd7b7daeec2e24f75ddb6689cf6
SHA512 39de575f2d1bddd8b447324f09dd8cd1f9fc112711f8444f3cf1ec88acfdac1c0a470aa386840d74713c24e7740c9e4691606ced008a9223f6eb25ad5b3b5dd1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JF100139.exe

MD5 3effae70ceb7249f87cf19c3e2a4573d
SHA1 f5e1af585852f1480211706e09ebf6fb78a7a9c8
SHA256 ac441a20ab2027edd019d0b666a79da5b23224dfd1fd3fcc6e6e98eb2494869c
SHA512 4e2f357eaf2a3ab2fb0446d9bd799b0246dcada79f75f276d5f102047967a4d2908767f3cb3a5c0b1e55f70aa211c0f4d716255593a5290ef9ad74146c4303f5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx490407.exe

MD5 23ea85556343fae16073412c7664596c
SHA1 7fa151c9c6312aab2b84694c78f1f8cb3ab63c69
SHA256 220ce8e7579132d0aa8a99024440ad7b0a0d28bec353963698b6f498daf357e2
SHA512 0c722a2cf66f64466fff797e605de3f050dcd3e045c4e9b0fa0dec05c229f1af2ff86a0becf53aaba10fce96397b9c87f6e3872da2722d063b93ae78a4064c37

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\145189600.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

memory/4832-28-0x0000000002070000-0x000000000208A000-memory.dmp

memory/4832-29-0x0000000004950000-0x0000000004EF4000-memory.dmp

memory/4832-30-0x0000000004F40000-0x0000000004F58000-memory.dmp

memory/4832-38-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-56-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-54-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-52-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-51-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-48-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-58-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-47-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-44-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-42-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-40-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-34-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-32-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-31-0x0000000004F40000-0x0000000004F53000-memory.dmp

memory/4832-36-0x0000000004F40000-0x0000000004F53000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\224059785.exe

MD5 bdb02bb69f7dc2d20c118fbe19fa2765
SHA1 16df4dcba316eceaa875b727e13549c084f996ce
SHA256 d98796f87b4c488dd6f6ff8c16690b87c1a8bb39f1432b74e0abf4a226592c75
SHA512 379052ac13ebda71f56c4d31d0a981fe750237b628ab4f3246ec8919de56d261d159ecba34e7ea27d0c9d4d0684400775f1d734329d69b191cb659335ddd3c56

memory/3568-92-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\333967250.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

memory/3568-94-0x0000000000400000-0x0000000002B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\462132319.exe

MD5 44724c09a3960ace11bab1c01674146a
SHA1 a8d65ca0abab8120f7206890831cc81447e3caca
SHA256 2e31d56cb1b23b2086b3e1aeb7e8f14273c658ac68565b85d52fbe8e8c15c6d1
SHA512 248f24f87b806cce87c67bfd74ebcea499ec1e0851c86bd6dc1b06c013e1f5608ca78d6318354477dae58b5c762055d1b97864c5e81e3fc58428fdbe4db0d267

memory/4528-112-0x0000000004C40000-0x0000000004C7C000-memory.dmp

memory/4528-113-0x00000000072D0000-0x000000000730A000-memory.dmp

memory/4528-119-0x00000000072D0000-0x0000000007305000-memory.dmp

memory/4528-117-0x00000000072D0000-0x0000000007305000-memory.dmp

memory/4528-115-0x00000000072D0000-0x0000000007305000-memory.dmp

memory/4528-114-0x00000000072D0000-0x0000000007305000-memory.dmp

memory/4528-906-0x0000000009DB0000-0x000000000A3C8000-memory.dmp

memory/4528-907-0x000000000A470000-0x000000000A482000-memory.dmp

memory/4528-908-0x000000000A490000-0x000000000A59A000-memory.dmp

memory/4528-909-0x000000000A5B0000-0x000000000A5EC000-memory.dmp

memory/4528-910-0x0000000004DA0000-0x0000000004DEC000-memory.dmp