Malware Analysis Report

2025-04-03 14:21

Sample ID 241110-ddyc3axnax
Target 8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa
SHA256 8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Amadey

Detects Healer an antivirus disabler dropper

RedLine

Healer family

Healer

RedLine payload

Amadey family

Redline family

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:54

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:54

Reported

2024-11-10 02:56

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe | N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\435773236.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\435773236.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5064 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe
PID 5064 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe
PID 5064 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe
PID 916 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe
PID 916 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe
PID 916 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe
PID 3272 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe
PID 3272 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe
PID 3272 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe
PID 624 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe
PID 624 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe
PID 624 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe
PID 624 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe
PID 624 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe
PID 624 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe
PID 3272 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe
PID 3272 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe
PID 3272 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe
PID 5096 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5096 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5096 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 916 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\435773236.exe
PID 916 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\435773236.exe
PID 916 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\435773236.exe
PID 1580 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1580 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1580 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1580 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 1336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 1336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 1336 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 3528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 3528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 3528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 4548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 4548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 4548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 3248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 3248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 1440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 1440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2564 wrote to memory of 1440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa.exe

"C:\Users\Admin\AppData\Local\Temp\8d7262c468fd332aed5a4a9ee9790f9f07877577a699ef900bdc8cbab8c056aa.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 932 -ip 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\435773236.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\435773236.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
RU | 193.3.19.154:80 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
RU | 185.161.248.143:38452 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp
RU | 193.3.19.154:80 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp
US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
RU | 193.3.19.154:80 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp
RU | 193.3.19.154:80 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zN947776.exe

MD5 ec6094b502b71073f21b1417952859c0
SHA1 a3451cc9aa9e8a5b7010951c79c6b200cde30eaf
SHA256 82d6a4ee7b118193d72e23bd0cbf2aefe5285082e7f12f635327bb1e9d6c9d8a
SHA512 043e7bc68ec352a5792867a601d51cbe12eecbd92e324adb2e1037d6df707a9a3d68db8e1ef61c2c60a98cf61b030ce1e5e082c29988b4550328dcc5e576520c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kF982745.exe

MD5 7ec87d4eb3e01d58c0e1285f461a331e
SHA1 c1dfb958b600823d9898cf5dfbfc0134bb8a36a1
SHA256 4fbb3c47caae16de8ab4d3185bb290ea35b760973b69c1cb687e82e090c54fe0
SHA512 478f85824bef9494d77ed41efba77b34dbc4ff6714954abd0f3db69c70fc1ccb93b90111a98efe1a0c5e3e74f6107f673d434e14613795db52606c990cd3b359

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nU560775.exe

MD5 5fd97314ea986b0eee012b3b672be380
SHA1 ad05b086c061dfa3e409c12472e08f7ede80633d
SHA256 cffc12e5b504cb3f760e382cdd17c09b9ffa3527d6b01680c146c960666689a4
SHA512 331c0a36c16fc2e7cda144cfea07a7304b0c1fe6fbef02678352ee89bd6a3ab13d73a7980207df40674584f8baa2cab70729fa2ff852a15925d46277d843ae01

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\138970767.exe

MD5 3d10b67208452d7a91d7bd7066067676
SHA1 e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512 b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\239786344.exe

MD5 1e544ce92060f1da1b09809ecdf7d648
SHA1 12f0ea334581f0823cfabcdb37a38687992e3a63
SHA256 d5a584fc3cd321a1e760adbeb06effd40782410e9ceee414544ebbb557010c80
SHA512 8b000ba5f0dbff6c6e644ef36b53d90e325d057a92ccd891efd38e7425f59db2ced3a7b104ad349594eb13f3e51853a9e6b6cd01d111fa8c92f1ba3baef7a99e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\318738513.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\435773236.exe

MD5 37df2e2e1491c11c8bef029827386981
SHA1 69f3c5707fdeb8b4c517956c4e84cf6657f56f65
SHA256 18c606ad46e77c1ac580ef7b0d753c65b051f0eee08095329c1a447bc621296f
SHA512 27f5cc77301cf6104e920f7c6f399b362328eb1e0f5d69cc3596ad933348099d00e6329703cabba88c611a534d123f7948b3a3120aafb7d6b80d242f94ad5ae5
