Malware Analysis Report

2024-12-06 02:44

Sample ID 241110-a2cvgsvmdz
Target 795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4
SHA256 795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4

Threat Level: Known bad

The file 795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

Amadey

Modifies Windows Defender Real-time Protection settings

RedLine

Amadey family

Healer family

Healer

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:42

Reported

2024-11-10 00:44

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\297522286.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\477789641.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\526917330.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\297522286.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\477789641.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe
PID 1132 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe
PID 1132 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe
PID 1160 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe
PID 1160 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe
PID 1160 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe
PID 4100 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe
PID 4100 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe
PID 4100 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe
PID 884 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe
PID 884 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe
PID 884 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe
PID 3732 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe C:\Windows\Temp\1.exe
PID 3732 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe C:\Windows\Temp\1.exe
PID 884 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\297522286.exe
PID 884 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\297522286.exe
PID 884 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\297522286.exe
PID 4100 wrote to memory of 6700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe
PID 4100 wrote to memory of 6700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe
PID 4100 wrote to memory of 6700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe
PID 6700 wrote to memory of 6800 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 6700 wrote to memory of 6800 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 6700 wrote to memory of 6800 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1160 wrote to memory of 6840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\477789641.exe
PID 1160 wrote to memory of 6840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\477789641.exe
PID 1160 wrote to memory of 6840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\477789641.exe
PID 6800 wrote to memory of 6892 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6800 wrote to memory of 6892 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6800 wrote to memory of 6892 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6800 wrote to memory of 6924 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6800 wrote to memory of 6924 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6800 wrote to memory of 6924 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6924 wrote to memory of 6984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6924 wrote to memory of 6984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6924 wrote to memory of 6984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6924 wrote to memory of 6992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 6992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 6992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 7020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 7020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 7020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 5748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6924 wrote to memory of 5748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6924 wrote to memory of 5748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 6924 wrote to memory of 5380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 5380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 5380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 6924 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1132 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\526917330.exe
PID 1132 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\526917330.exe
PID 1132 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\526917330.exe

Processes

C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe

"C:\Users\Admin\AppData\Local\Temp\795af50363383db6cced03c6fb74363e4d02efe3a865beeb022c8f86fe8f08c4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\297522286.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\297522286.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1812 -ip 1812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1264

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\477789641.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\477789641.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6840 -ip 6840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\526917330.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\526917330.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JF225582.exe

MD5 9f8b833fae6a104f7499e789e609e6ef
SHA1 edfbaf3af67baeaaa268b0be5321869c8c9df82d
SHA256 0342156aedaf2b5fdec1d4e70a688f5354da7b50c4d8c6de5537adb6e0fe593b
SHA512 aabae523d550979bf668e61043967a797fc86c06a61bdf2c2e619e1f64d47e79c2de434197c5a05e3731bfa85bc210b457d8bd9a22d677ed7b5d0d4b42983c2a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vr331199.exe

MD5 77b61c9c476eb2d9c71e7fd0e770f10e
SHA1 c461671ba6fa9e0c5865b3a171e2b091f33b01ee
SHA256 57056805a22fc9c0d5c0b32a1ff635dd4261d6853442fd137f5e0e2634ce99f2
SHA512 ebeb78d1d9003f69ae0090f9a23790eef44dca0176bd79ed7b4a7edf7388c7f80c754160b995083dbde70002edff9f6f366e73a6d1d7e2afe0b8dd466fcc7a73

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xY690567.exe

MD5 f6f1496394725a4975d9d084db37e87b
SHA1 e48546301c813f76e9eedd562e0b63c787dd50a4
SHA256 93310850abfc688e38b3fc11e85696c0f94513a306e52d1c5981b41c055da1a7
SHA512 8dde39779001f51bcc1a2133406a73fc9df81013ede2a76bc1f1966a711e97707e384d79e3a85b9898a5ecce464ac449fba3a61286cff5421933ac5769de18a6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\134233926.exe

MD5 801065670ad64c2637db108bfd22ba32
SHA1 4468ee11bc76a25e2c0ad6de8a72221607b4527b
SHA256 a97c2c88dc9719e9da704f4c58eb1446c7f6732a7dc0a393345e1708b883b80f
SHA512 8653268af69659fa6fda82ff97d8e619f82e371c6eefb73cf1ba0c278894f98df3226f7614f93c9dd88147d7c696f16faa340588a446fbc74c1a36b882c49afb

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\297522286.exe

MD5 bceb657f1424f65db867b44bae6d53a7
SHA1 f1a331778990ba8f726bb1e252dc388ac9d2cc5a
SHA256 480a061631d577cca2f2de4123d9031f09c8f1b5d9e084f6b3794881cad8a851
SHA512 c8a7657a8498003c6c6d6e667e4f0fabef47a9048acb557a521e18464c4bf2de530ed9f3338890885a79f9e1c2b0a002bd3513188461137d27ba93d8a94c080e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341398759.exe

MD5 c8feb4a42159c2f8a01306647dac3d1d
SHA1 913fddee05d5b4fc8063374f0f35864f1f0b6be2
SHA256 0c8442df87e9ce0d15bcaab9ee5960a3b5c33d21ee40dc92e5a4dc8f86fee00b
SHA512 686460d818c8278a171a275169a141ec93ee392e6062243f34b77831202f33de01f582fe587757aa034484a4796fa53149883692312f004e764b50af8d676b25

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\477789641.exe

MD5 1f546edfa95e2542e74f21f571f3c3c6
SHA1 f05628c6cda9ab8516c62abfc4afe941583c5102
SHA256 f34a67ad731c92299482eab5f92d3167073714c7b2600e1c07a55eed13b5005e
SHA512 0161e70fa05c21744c2af7b6ac0e2a009642ace6526789112fd03e6ad8c1837797b0027d000963d00bc8fe16ce35661009d46c7375dce562d0d24123612913a2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\526917330.exe

MD5 75103399f1705ef4e05d0e076d197b7f
SHA1 985ffcacb1250ca880eb6bc66a2474b3a733eae3
SHA256 a24b652d13dfdadac15144a5079dc65901e3e96125c0e4bc6f073113ab05e9c7
SHA512 2ff7aa6f6861dd7352d3db83e30a1660dd817246967145c502ea8f8b553293601bec36dba9b419998f7b12bd24c31f2c80ba2fddcce1209f6baf0b914c29aa36
