Malware Analysis Report

2025-06-15 22:25

Sample ID 241109-xrpsmasqhr
Target a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N
SHA256 a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1

Threat Level: Known bad

The file a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

Amadey

RedLine payload

RedLine

Healer

Detects Healer an antivirus disabler dropper

Amadey family

Healer family

Redline family

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:05

Reported

2024-11-09 19:08

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\538910162.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\289963478.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\401510737.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\1.exe | N/A
N/A | N/A | C:\Windows\Temp\1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\289963478.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\401510737.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1416 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe
PID 1416 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe
PID 1416 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe
PID 616 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe
PID 616 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe
PID 616 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe
PID 3984 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe
PID 3984 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe
PID 3984 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe
PID 5000 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe
PID 5000 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe
PID 5000 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe
PID 2536 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe | C:\Windows\Temp\1.exe
PID 2536 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe | C:\Windows\Temp\1.exe
PID 5000 wrote to memory of 5368 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\289963478.exe
PID 5000 wrote to memory of 5368 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\289963478.exe
PID 5000 wrote to memory of 5368 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\289963478.exe
PID 3984 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe
PID 3984 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe
PID 3984 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe
PID 2028 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2028 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2028 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 616 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\401510737.exe
PID 616 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\401510737.exe
PID 616 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\401510737.exe
PID 456 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 456 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 456 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 456 wrote to memory of 5840 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 5840 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 456 wrote to memory of 5840 | N/A | C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 5840 wrote to memory of 5648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5840 wrote to memory of 5648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5840 wrote to memory of 5648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5840 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5840 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5840 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 5840 wrote to memory of 6100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 6100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 6100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 4832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 4832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 5840 wrote to memory of 4832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 1416 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\538910162.exe
PID 1416 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\538910162.exe
PID 1416 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\538910162.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe

"C:\Users\Admin\AppData\Local\Temp\a1999e3851be68e2b50fedf2d6a38036672077c255389fad0177dba35b974bf1N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\289963478.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\289963478.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5368 -ip 5368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 1192

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\401510737.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\401510737.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4672 -ip 4672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1252

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\538910162.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\538910162.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.73:4164 | | tcp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.73:4164 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.73:4164 | | tcp
RU | 193.3.19.154:80 | | tcp
RU | 185.161.248.73:4164 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gK196070.exe

MD5 f9150ca922a24f1e8d9dec8e7ddb1eae
SHA1 eab20bbb404330bb93c66caebade4d3571e58e9d
SHA256 3a3d41e069e15640dc5686c2ef8b102e9bffa89228c08ba146028bcf5a2488c5
SHA512 31977a20c56f945a7c3f91d382e493f0b6900ff2d94382aecc2f2d77b7f107903fb59b314e26bd7e8cc59ada8d9294109a3e4953c390bcf950a106ab342a6f31

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UX382394.exe

MD5 856e4aa1e599bf692d33d28145a7d0f0
SHA1 7db9e9813ce7d30717016b4c712a7a4046f5aa3c
SHA256 1c20de9c2615abd94133118aa1e648f4acc7d061bd4f8f05a3e770dcfc4c47a7
SHA512 5e20a5b396e21068663b41ca09b5237cde28f88063c68e9d1853191ffefe04f677938694f9cd3d783f8863c186ecd002ce4bc3eacd2d30dbd01d222e9ffb6248

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YL429057.exe

MD5 5f65b3f14656fbf85a7288c2faf335bc
SHA1 92affa291b28e91495a163282208b32c386da599
SHA256 71f3e059d5c179c40dcf3e882f7b6b3bc00e5163d6935e557c5398996c429bfb
SHA512 04b16f573499ca778d2dfa9d9cbe3a6df6ec44a1f9347bdcb7a9c271b99000cbb26507f94a6f72e3a74f77b652fd45cc2787efe46aee58757ecd0906dfbca9ee

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\170921003.exe

MD5 9417ca58f026e4e5208bd6158a54356c
SHA1 8b1b8280cb2ce0a945b32d276f78de7bc7545f9c
SHA256 b4ccbe483f3af0eb59d35be964f5b081f17a0c0ad1328c4eec6f727db09c7afd
SHA512 6b8e44a37f30a9f8fc6ee13a2673c31f6b725fa8558fb06589c792d533cd061a44d1b17b79657971b49fb862b01a6555aa064c458180500e2e2ff0afc0260355

memory/2536-28-0x0000000004A20000-0x0000000004A78000-memory.dmp

memory/2536-29-0x0000000004AD0000-0x0000000005074000-memory.dmp

memory/2536-30-0x00000000050E0000-0x0000000005136000-memory.dmp

memory/2536-92-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-80-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-64-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-44-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-40-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-31-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-94-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-90-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-88-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-86-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-84-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-82-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-78-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-76-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-74-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-72-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-70-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-68-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-66-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-62-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-60-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-58-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-56-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-54-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-52-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-50-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-48-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-46-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-42-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-38-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-36-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-34-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-32-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/2536-2159-0x0000000005430000-0x000000000543A000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2940-2172-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\289963478.exe

MD5 0dbf1883d5095523f54cbb0359aaf3a0
SHA1 2c7294fd7ef826af681c9449225330dd3892c569
SHA256 7015ea5061b799b505fb1a59cc9814414184703c036f56f4bbfc7a005933014e
SHA512 5484e677dac51cb5a17626148d4fe4d07ee2fcf5e803b9dcb7747fd8f8a1a2d5854ee2b082c767b08c241bb299134631ec647244b824ffa42224524d80940b8e

memory/5368-4305-0x0000000005740000-0x00000000057D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385902639.exe

MD5 c7a78150eead6b78fba5ea072bd098bd
SHA1 9536e6a402e15d9ec434787e2d82f84e421da957
SHA256 a6a430a6fecf3389a401255a0db40cf9cb4d78ce2743cc588523cbb4b4e38537
SHA512 9cf6b82b04363d6e8502f786582402e832aba6cab0b3ab752ccb6306ce0c0b9e388341dbf80189711ebaae41a0c8d222de3979c826c2da1c10d371064fbbf169

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\401510737.exe

MD5 738ba0a46a0c9f3da4e3fe515d685d27
SHA1 14584ff9bbda7a7d8c0497d233e6ef1c2af9926f
SHA256 37cae7e2ec174adbbc9dab549b6ce15adce5e02bbd58c337080de528a64845fc
SHA512 65b3931aab84689a8f338137a3222256848ab1983ad66b73003f206e30d6e38cbb42e5e15fecca9a842c824361f12960b70b2eee57832948391c6bebcea953bc

memory/4672-4325-0x0000000004ED0000-0x0000000004F38000-memory.dmp

memory/4672-4326-0x0000000005530000-0x0000000005596000-memory.dmp

memory/4672-6473-0x0000000005750000-0x0000000005782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\538910162.exe

MD5 d3f4051e09eeb7a5bb48ed5fde857525
SHA1 523a791d44eaa4c99892d03d880c168f9169444d
SHA256 b2646e0f58128860ef4708a9ca60f9287dbbd09bf533989821683d41af551154
SHA512 59507a76e6d0d67f7d7b00f8f302a5617f2cebbb553da424ed620e3df23f2fe79c113b5c694397cb91e25d399ed30ffa111a11972e45ebdfb8cce472829064fd

memory/4948-6479-0x0000000000DB0000-0x0000000000DE0000-memory.dmp

memory/4948-6480-0x0000000003180000-0x0000000003186000-memory.dmp

memory/4948-6481-0x000000000B2C0000-0x000000000B8D8000-memory.dmp

memory/4948-6483-0x000000000ADB0000-0x000000000AEBA000-memory.dmp

memory/4948-6484-0x000000000ACA0000-0x000000000ACB2000-memory.dmp

memory/4948-6485-0x000000000ACC0000-0x000000000ACFC000-memory.dmp

memory/4948-6486-0x0000000003070000-0x00000000030BC000-memory.dmp