Malware Analysis Report

2025-08-06 01:52

Sample ID 241111-hkprqavdrp
Target 10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c
SHA256 10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c

Threat Level: Known bad

The file 10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

Amadey family

Healer

RedLine

Amadey

Detects Healer an antivirus disabler dropper

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:47

Reported

2024-11-11 06:50

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408128415.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408128415.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3136 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe
PID 3136 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe
PID 3136 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe
PID 4060 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe
PID 4060 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe
PID 4060 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe
PID 4260 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe
PID 4260 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe
PID 4260 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe
PID 3896 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe
PID 3896 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe
PID 3896 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe
PID 3896 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe
PID 3896 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe
PID 3896 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe
PID 4260 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe
PID 4260 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe
PID 4260 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe
PID 2776 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2776 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2776 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4060 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408128415.exe
PID 4060 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408128415.exe
PID 4060 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408128415.exe
PID 4504 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4504 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4504 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4504 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 3444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 3444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 3444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 3316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 3316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 3316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2672 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c.exe

"C:\Users\Admin\AppData\Local\Temp\10dac7fe57ac8ad9bfdf5655b3b23bfdc37b33a484c4534ed0af427ed1eb694c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408128415.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408128415.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU611382.exe

MD5 59d1181720e0e9965146f9e5df462108
SHA1 534840fd89a2907f99e94abca69e0416abace5d5
SHA256 c90f26157ed1941c88021231e060ed0b72d91b615eac9cfd5ffd0374c6702257
SHA512 bd0f28c2f135106a706e1158e4fb18bfc216131c63b7f357cbd7f1193ad7bdee3be16c818d299d58eeaff0560639fe6c3dd6230ad273aa1c218191e98cdb9d06

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gb364083.exe

MD5 a60f832bf3d0443917ea1a368895b7bc
SHA1 f4ac687dad7a35d28804e71bf9aa4bc1d2af0cf6
SHA256 ba0ee5f1d290e6c0941397e25c53c0f4a170349a192451f2881ac1827881b33c
SHA512 e5e8e46d2a566926b9699941762584575be8011f11e87701358c686bb25a1606b2fd3ada03f55d0f5aa7d9bdba6d73a962c61cf53fce8d8f450d9d523dd336ec

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ys238415.exe

MD5 cc05a6f5f93ace9169e7d924c6b48ad8
SHA1 d491703c1cfe1c1a533256215128de0c5bb4ff66
SHA256 49aec91677f5a640e72ea5535fa97cca2841722eba0c05d8ec7d5eb6579093ab
SHA512 10de92ef21ccc261bc175cf063d6125c82f4e9579c9384bcea0a0b50fbd79fca31c1ff0ccff1a5ada3b43e72e4d0402c564ff85c9726b22128ad373a89bbb169

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125528890.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/1172-28-0x0000000002180000-0x000000000219A000-memory.dmp

memory/1172-29-0x0000000004B20000-0x00000000050C4000-memory.dmp

memory/1172-30-0x0000000002320000-0x0000000002338000-memory.dmp

memory/1172-31-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-58-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-54-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-52-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-50-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-48-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-46-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-44-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-42-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-40-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-38-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-36-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-34-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-32-0x0000000002320000-0x0000000002333000-memory.dmp

memory/1172-57-0x0000000002320000-0x0000000002333000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\212157644.exe

MD5 2c05755d85151c282a93eae23ec9968f
SHA1 5e06c98abddb97abfbef43fd7a87710644d3b215
SHA256 a236b142cb0c80cfff5c446be139cc15166f27d82d13151ade14a77e30381626
SHA512 4bf93da62d734af608df603df840d5c82386ad75cceeb16fd10089dd12cc18672f0091a51d371e313e6ea5a5fc6d2b1cc8f6294b690c6ade23f68e4d8c5166fe

memory/4044-92-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4044-94-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350580972.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408128415.exe

MD5 491c95b7501e5a46b83ae4fefeb1ddba
SHA1 43666d831baa487f717006b4aea71732adec97a5
SHA256 b752539d56b203ff29035a2ebcb1d94b82fbcc5a606a0158a8afee5ad89de2e4
SHA512 846749aa6cce5206e605e48b0e548aba9fb479aeb2738b0873dc01f17c1a7f2beced1286a409bbbac4116a7b5bf5258a6bbca9b062a24f99e0cffa484e795435

memory/3992-112-0x0000000002560000-0x000000000259C000-memory.dmp

memory/3992-113-0x0000000004A40000-0x0000000004A7A000-memory.dmp

memory/3992-119-0x0000000004A40000-0x0000000004A75000-memory.dmp

memory/3992-117-0x0000000004A40000-0x0000000004A75000-memory.dmp

memory/3992-115-0x0000000004A40000-0x0000000004A75000-memory.dmp

memory/3992-114-0x0000000004A40000-0x0000000004A75000-memory.dmp

memory/3992-906-0x0000000007560000-0x0000000007B78000-memory.dmp

memory/3992-907-0x0000000007BF0000-0x0000000007C02000-memory.dmp

memory/3992-908-0x0000000007C10000-0x0000000007D1A000-memory.dmp

memory/3992-909-0x0000000007D30000-0x0000000007D6C000-memory.dmp

memory/3992-910-0x00000000024D0000-0x000000000251C000-memory.dmp