Malware Analysis Report

2024-12-07 03:56

Sample ID 241113-p2schaseln
Target 69758ac2e6a786879dc40c3b2ffb3a9f192a5452083a17674bb0c9d26b38be04.exe
SHA256 69758ac2e6a786879dc40c3b2ffb3a9f192a5452083a17674bb0c9d26b38be04
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69758ac2e6a786879dc40c3b2ffb3a9f192a5452083a17674bb0c9d26b38be04

Threat Level: Known bad

The file 69758ac2e6a786879dc40c3b2ffb3a9f192a5452083a17674bb0c9d26b38be04.exe was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey

Amadey family

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

RedLine

Modifies Windows Defender Real-time Protection settings

Healer family

Healer

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 12:49

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 12:49

Reported

2024-11-13 12:51

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69758ac2e6a786879dc40c3b2ffb3a9f192a5452083a17674bb0c9d26b38be04.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\389032196.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yq921698.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc946437.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\69758ac2e6a786879dc40c3b2ffb3a9f192a5452083a17674bb0c9d26b38be04.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lE463987.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc946437.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\389032196.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457795192.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\69758ac2e6a786879dc40c3b2ffb3a9f192a5452083a17674bb0c9d26b38be04.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lE463987.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yq921698.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457795192.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\389032196.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\69758ac2e6a786879dc40c3b2ffb3a9f192a5452083a17674bb0c9d26b38be04.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lE463987.exe
PID 4676 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lE463987.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yq921698.exe
PID 4288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yq921698.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc946437.exe
PID 2732 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc946437.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe
PID 2732 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc946437.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe
PID 4288 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yq921698.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\389032196.exe
PID 4716 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\389032196.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4676 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lE463987.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457795192.exe
PID 2836 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4152 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4152 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4152 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69758ac2e6a786879dc40c3b2ffb3a9f192a5452083a17674bb0c9d26b38be04.exe

"C:\Users\Admin\AppData\Local\Temp\69758ac2e6a786879dc40c3b2ffb3a9f192a5452083a17674bb0c9d26b38be04.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lE463987.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lE463987.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yq921698.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yq921698.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc946437.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc946437.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1420 -ip 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\389032196.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\389032196.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457795192.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457795192.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 N/A tcp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.143:38452 N/A tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.143:38452 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lE463987.exe

MD5 9134e97c10376dbaecb017cba9dcebd8
SHA1 13b1e520fa80c6c5d670aa54e703feb3868f94aa
SHA256 9f642b8b0ad10524e66fc7bcd9e2a9ba07baf759512f4ff2b424203653960a6d
SHA512 a9ba88684ec64275f0dab8b2662ad676109422a1d79af0b8ddd6dd80dceb15bea87651c1ef2c5114323034c67c48acebc9850d4c0f6ff09380ef564e3a7ade5f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yq921698.exe

MD5 c2d156b3fad01ce1e45fb5a9b0ce065e
SHA1 312fafd6d3ffee2130352198de1d0d29c8d862f3
SHA256 1b485e5957a33a8a5c4c161773868984a02e70154b675f658b4f103bac40a700
SHA512 0718723f3004f21da010c05427844f75066a7256a77eb65d9b76387e34f143adb833622700c4918f610328adb293adc93e8ba609727c7ee7594e981c38d586c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wc946437.exe

MD5 28a11052997c41b8a18e5f684cff1a5c
SHA1 128d666bb0771cbc456ac9f942479cb32fe4a489
SHA256 883919f59167190292ed446b525547c1807d136ef06c6b5f6e176bfea550a8e3
SHA512 eda2aef896f2bde6367aacd563c40e4feb97c8c19a968ca2f7adc66b305ff9d9636ada4960c4494fdc376e90b9be2eebb19579aab49936043cea919afe4f7c0f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\118395989.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\271344771.exe

MD5 6a04a9a72c33a118a6b9a3a5d4876f8c
SHA1 88f52b1107ed4c88a160316dfd04b155ba86bc40
SHA256 df087f174cf6ebebd1d35e2d4f5de08e366603509d5bccf6f2e4c88f99003ec4
SHA512 70793dd01e32d0517c8d95c8884f74ef45e479bfde65b72140b4a2f6ccc2e8e6d2239fd7b5d803499c69341c0a494678b2f1c293630866840beb11aba15b6ef2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\389032196.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457795192.exe

MD5 e043d37680bc40db6ea0ec3afe90222e
SHA1 dd5ab7c337df82cfa095b8fead11c46d407a26e1
SHA256 1d5c2ceaa9b746dfd2007f8fdca055e0d0eddec8cc2a4737137845f237579cee
SHA512 1c8b5084b9d27bb0255157cd34f882537dd5662ac45a59beadac709791482f0d1adb1504ef0ddc3de3d30801b8c73adc98f68fc362357543300e01f35fe8f737
