Malware Analysis Report

2024-11-15 09:57

Sample ID 241110-b5bbhawlcz
Target ee8b8d71413f0cd5c9d2a76b34bf8791559f32c10a17eb316fb8f13ae05c5578
SHA256 ee8b8d71413f0cd5c9d2a76b34bf8791559f32c10a17eb316fb8f13ae05c5578
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee8b8d71413f0cd5c9d2a76b34bf8791559f32c10a17eb316fb8f13ae05c5578

Threat Level: Known bad

The file ee8b8d71413f0cd5c9d2a76b34bf8791559f32c10a17eb316fb8f13ae05c5578 was found to be: Known bad.

Malicious Activity Summary

Amadey family

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

Detects Healer, an antivirus disabler dropper

Amadey

Healer

Healer family

RedLine

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:43

Reported

2024-11-10 01:45

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee8b8d71413f0cd5c9d2a76b34bf8791559f32c10a17eb316fb8f13ae05c5578.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
17 matches, all with no details recorded (Description, Indicator, Process and Target all N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
6 matches, all with no details recorded (Description, Indicator, Process and Target all N/A)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\390764665.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe N/A
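
The two Healer binaries above (141426854.exe and 282079873.exe) set the same five Real-Time Protection policy values to 1 and TamperProtection to 0. A sandbox records the attempted write, not whether Defender honoured it: on a host with tamper protection on, these changes are blocked or ignored, so the value of these rows is as a detection signal rather than as proof that protection was off. The report shows the keys under WOW6432Node because the writers are 32-bit processes; a hunting rule has to match both that view and the native path. The following is an added example that is not part of this report: a small detection that turns the value names in the two tables into a rule over registry SetValue events. The event records are constructed here to mimic Sysmon Event ID 13 fields, and scoring a writer under the user's AppData as the high-confidence case is an assumption of the example.

```python
"""Flag Defender-disabling registry writes of the kind recorded above.

Added example (not part of the sandbox report): the rules are derived from the
value names in the two tables, and the input records are constructed here to
mimic Sysmon Event ID 13 (RegistryEvent SetValue) fields.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The five Real-Time Protection policy values this sample sets to 1.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features"

# Hive prefix as Sysmon ("HKLM\") or the kernel ("\REGISTRY\MACHINE\") renders it,
# and the WOW6432Node component that 32-bit writers such as this sample show.
_HIVE = re.compile(r"^(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\", re.I)
_WOW = re.compile(r"\\WOW6432Node\\", re.I)


@dataclass
class RegEvent:
    image: str   # process that performed the write
    target: str  # full path of the value written
    data: str    # value data as rendered, e.g. "DWORD (0x00000001)"


def normalise_key(path: str) -> str:
    """Strip the hive prefix and any WOW6432Node so both views match one rule."""
    return _WOW.sub(lambda _: "\\", _HIVE.sub("", path))


def _dword(data: str) -> Optional[int]:
    m = re.search(r"0x([0-9a-f]+)|\b(\d+)\b", data, re.I)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def classify(ev: RegEvent) -> Optional[str]:
    """Name the tampering an event represents, or None if it is not one."""
    key, _, value = normalise_key(ev.target).rpartition("\\")
    n = _dword(ev.data)
    if key.lower() == RTP_KEY.lower() and value in RTP_DISABLE_VALUES and n == 1:
        return "defender_rtp_disabled:" + value
    if key.lower() == FEATURES_KEY.lower() and value.lower() == "tamperprotection" and n == 0:
        return "defender_tamper_protection_off"
    return None


# Assumption for scoring: Group Policy pushes these values through the policy
# engine, not from a binary under the user's profile, so a writer in AppData
# is the high-confidence case and everything else is left for an analyst.
_PROFILE_WRITER = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)


def detect(events: List[RegEvent]) -> List[Tuple[str, str, str]]:
    """Return (severity, tag, writing image) for every tampering write."""
    findings = []
    for ev in events:
        tag = classify(ev)
        if tag is None:
            continue
        severity = "high" if _PROFILE_WRITER.match(ev.image) else "medium"
        findings.append((severity, tag, ev.image))
    return findings


# Constructed sample records modelled on the rows in the two tables above.
_HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe"
_RTP = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    RegEvent(_HEALER, _RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    RegEvent(_HEALER, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
             "DWORD (0x00000000)"),
    # same value written by a system process: worth a look, not an alert on its own
    RegEvent(r"C:\Windows\System32\svchost.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             "DWORD (0x00000001)"),
    # re-enabling real-time protection is not tampering
    RegEvent(r"C:\Windows\System32\svchost.exe", _RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    # unrelated key from the same writer
    RegEvent(_HEALER, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", r"C:\Updater.exe"),
]

if __name__ == "__main__":
    for sev, tag, image in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {tag} by {image}")
```

Run against the constructed records it reports the two Healer writes as high and the svchost write as medium, and ignores the value being set back to 0. When pointing it at real telemetry, keep the writer-based scoring as a triage aid only: the same policy values are legitimately written by Group Policy processing, so the image path and the value direction (1 for the Disable* values, 0 for TamperProtection) carry the signal, not the key alone.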

Adds Run key to start application

persistence
Note: the four wextract_cleanupN RunOnce values below are written by the WEXTRACT/IExpress self-extractor that produced the nested IXP000.TMP to IXP003.TMP directories; each runs advpack.dll,DelNodeRunDLL32 to delete its extraction directory at the next logon. They are clean-up left by the packaging, not payload persistence; the persistence in this sample is the schtasks entry for oneetx.exe recorded under Processes.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq896748.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP927334.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS869536.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ee8b8d71413f0cd5c9d2a76b34bf8791559f32c10a17eb316fb8f13ae05c5578.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq896748.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP927334.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\466639088.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\390764665.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ee8b8d71413f0cd5c9d2a76b34bf8791559f32c10a17eb316fb8f13ae05c5578.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS869536.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\466639088.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\390764665.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 4376 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ee8b8d71413f0cd5c9d2a76b34bf8791559f32c10a17eb316fb8f13ae05c5578.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq896748.exe
PID 4376 wrote to memory of 2544 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq896748.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP927334.exe
PID 2544 wrote to memory of 3092 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP927334.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS869536.exe
PID 3092 wrote to memory of 2416 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS869536.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe
PID 3092 wrote to memory of 5036 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS869536.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe
PID 2544 wrote to memory of 4456 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP927334.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\390764665.exe
PID 4456 wrote to memory of 4724 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\390764665.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4376 wrote to memory of 4348 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq896748.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\466639088.exe
PID 4724 wrote to memory of 5080 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4724 wrote to memory of 3796 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 2124 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 4356 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3796 wrote to memory of 2200 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3796 wrote to memory of 4548 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 4736 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3796 wrote to memory of 4536 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee8b8d71413f0cd5c9d2a76b34bf8791559f32c10a17eb316fb8f13ae05c5578.exe

"C:\Users\Admin\AppData\Local\Temp\ee8b8d71413f0cd5c9d2a76b34bf8791559f32c10a17eb316fb8f13ae05c5578.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq896748.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq896748.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP927334.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP927334.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS869536.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS869536.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\390764665.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\390764665.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\466639088.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\466639088.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
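
The last block of processes is the loader's self-protection: oneetx.exe registers a scheduled task named oneetx.exe that re-runs it every minute, then spawns cmd.exe to run CACLS with /P "Admin:N" on its own file and on its directory (replacing the ACL with a no-access entry for the user), followed by /P "Admin:R" /E to edit read access back in so the task can still launch it. The user who ran the sample is left unable to modify or delete the file without first retaking control of it, and the four trailing oneetx.exe entries are the task firing. What follows is an added example, not part of this report: a command-line rule that correlates a minute-interval task whose action lives in the user's temp directory with CACLS denials on the same artefacts. The command lines in SAMPLE are copied from the Processes section plus one constructed benign control, and resolving the relative CACLS paths against the task's directory assumes, as the process tree here shows, that cmd.exe runs inside the dropped directory.

```python
"""Spot the schtasks/cacls self-protection pattern shown in the Processes list.

Added example, not part of the report: the command lines in SAMPLE are copied
from the Processes section above plus one constructed benign control, and the
rules assume the cacls commands run with the dropped directory as their
working directory (they are spawned by oneetx.exe inside it).
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

_TR_ARG = re.compile(r'/TR\s+"([^"]+)"', re.I)
# CACLS <path> /P <principal>:N replaces the ACL with a no-access entry.
_CACLS_DENY = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)
_USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def task_target(cmd: str, max_minutes: int = 5) -> Optional[Tuple[int, str]]:
    """(interval, action) if cmd creates a task that re-runs a binary in the
    user's temp directory every max_minutes or less; None otherwise."""
    if not re.search(r'schtasks(?:\.exe)?"?\s', cmd, re.I):
        return None
    if not re.search(r"/Create\b", cmd, re.I) or not re.search(r"/SC\s+MINUTE\b", cmd, re.I):
        return None
    mo = re.search(r"/MO\s+(\d+)", cmd, re.I)
    minutes = int(mo.group(1)) if mo else 1  # schtasks defaults /MO to 1
    tr = _TR_ARG.search(cmd)
    if tr is None or minutes > max_minutes or not _USER_TEMP.match(tr.group(1)):
        return None
    return minutes, tr.group(1)


def acl_denials(cmd: str) -> List[Tuple[str, str]]:
    """Every (path, principal) that cmd strips of all access via CACLS /P principal:N."""
    return _CACLS_DENY.findall(cmd)


def analyse(cmdlines: List[str]) -> Dict[str, list]:
    """Correlate minute-interval tasks with ACL denials on the same artefacts."""
    tasks = [t for t in map(task_target, cmdlines) if t is not None]
    denials = [d for c in cmdlines for d in acl_denials(c)]
    protected = set()
    for _, action in tasks:
        drop_dir = ntpath.dirname(action)
        for target, _who in denials:
            # "oneetx.exe" and "..\cb7ae701b3" are relative to the drop directory
            resolved = ntpath.normpath(ntpath.join(drop_dir, target))
            if resolved.lower() in (action.lower(), drop_dir.lower()):
                protected.add(resolved)
    return {"tasks": tasks, "denials": denials, "self_protected": sorted(protected)}


# Command lines from the Processes section, plus one constructed benign control.
SAMPLE = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'CACLS "oneetx.exe" /P "Admin:R" /E',
    r'CACLS "..\cb7ae701b3" /P "Admin:N"',
    r'CACLS "..\cb7ae701b3" /P "Admin:R" /E',
    # constructed control: a daily task outside the user profile is not flagged
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"',
]

if __name__ == "__main__":
    result = analyse(SAMPLE)
    for minutes, action in result["tasks"]:
        print(f"task every {minutes} min -> {action}")
    for path in result["self_protected"]:
        print(f"ACL locked by its own dropper: {path}")
```

On the report's command lines this yields one task (every 1 minute, action oneetx.exe under the user's temp directory), four CACLS denials for Admin, and both the file and its directory as self-protected. For clean-up the order matters: delete the scheduled task before the file, otherwise the loader is relaunched within a minute, and restore the ACL from an elevated context (for example icacls with /reset, or takeown first) before removing the directory.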

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 - tcp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp
RU 193.3.19.154:80 - tcp
RU 185.161.248.143:38452 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iq896748.exe

MD5 251aefc64d06bd07f156c3eba1d1fa6e
SHA1 3e243cab373e432da85facfdbfaf89dc4100cdef
SHA256 95b07e0ddee8d6b7d5a5cb3019ddb6c03ae9dbd760449ad207dee6fb570765e8
SHA512 063ea7e5d46586b2c32b644966cb7a4de8f21e1735e43ad3b1e57d343c6f7afbe77fda815b937014dfc45a1541343d8b89833e7f24c625123bfa7fadb0ec02ad

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GP927334.exe

MD5 b07e901f3a24b458c669a362611833b8
SHA1 cbdbf410b5695aca237725a0df01c0ba52c9bf77
SHA256 3cb58c97f1297a761620669ad2ae1dc8e7fe3a3ee3f595a5863cc59d1c14379c
SHA512 0bc328fd6d25f34b199e85f27efa4dfef3246120ba6e4fae0e1657fb6de90e400960d1d4e793a2ce52586f3431824c0f2e1605ae3601ed665d37505d9497f8d4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aS869536.exe

MD5 3615626dc22895653517ff999803eb64
SHA1 8a769e36061a462856d259c168d22e31f5b4e470
SHA256 c1cd6e3c66d77966e0c545c8728492cb1c63e6a113c2c08ba47ba6cd4f66c868
SHA512 224e838d481a07d80a7879d4bb99888a53c1359b22353238f77b40fd5b5bdb27b94f10392b019eae21881d477326738903c566e8dd35798048a0e9e4778f8c0e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\141426854.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/2416-28-0x00000000021B0000-0x00000000021CA000-memory.dmp

memory/2416-29-0x0000000004B90000-0x0000000005134000-memory.dmp

memory/2416-30-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2416-58-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-56-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-54-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-53-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-50-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-48-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-47-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-44-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-42-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-40-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-38-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-36-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-34-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-32-0x0000000002540000-0x0000000002553000-memory.dmp

memory/2416-31-0x0000000002540000-0x0000000002553000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282079873.exe

MD5 5830d30642fc4833a17bd2f6f8f2a5a6
SHA1 097a1eae4f28d1db9cb9679f9744ead9538bf7e7
SHA256 5cd7c295be93abf7f4aca7be61dd317ab5df3573ace1199a7acbe56e0ebd3d8f
SHA512 0146b1bc6425967a413e986164c0cf21e5d5e4b44f2961900f435c44aa5a7d9091726c05c2397b7d3ebe8bf406db86b47d429ba3f5f25fe482565b77d539586a

memory/5036-92-0x0000000000400000-0x0000000000455000-memory.dmp

memory/5036-94-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\390764665.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\466639088.exe

MD5 c64a9f93587ec6b88e018024413b4ba2
SHA1 f785904098bdec8e10e77d52b6530ff10af32515
SHA256 c76445f7689b07f7ec052dd2cd90ea46eb28dad338532747968281a9163bdc02
SHA512 bda0916332ead9e67d3ede8a6aa7230336529ebb99d0d4d5454c9e3f4ebddc58024d3db1031ab2ff5d38895e167fc710d94125cdc3b9dae1ff487ed8d44a426a

memory/4348-112-0x00000000049D0000-0x0000000004A0C000-memory.dmp

memory/4348-113-0x0000000005000000-0x000000000503A000-memory.dmp

memory/4348-117-0x0000000005000000-0x0000000005035000-memory.dmp

memory/4348-119-0x0000000005000000-0x0000000005035000-memory.dmp

memory/4348-115-0x0000000005000000-0x0000000005035000-memory.dmp

memory/4348-114-0x0000000005000000-0x0000000005035000-memory.dmp

memory/4348-906-0x0000000007530000-0x0000000007B48000-memory.dmp

memory/4348-907-0x0000000007BF0000-0x0000000007C02000-memory.dmp

memory/4348-908-0x0000000007C10000-0x0000000007D1A000-memory.dmp

memory/4348-909-0x0000000007D30000-0x0000000007D6C000-memory.dmp

memory/4348-910-0x0000000002350000-0x000000000239C000-memory.dmp