Malware Analysis Report

2024-11-15 09:57

Sample ID 241110-b6bzeswlew
Target af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600
SHA256 af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600

Threat Level: Known bad

The file af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Amadey family

Amadey

Healer family

Detects Healer, an antivirus disabler dropper

Redline family

RedLine payload

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:44

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:44

Reported

2024-11-10 01:47

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe
PID 1756 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe
PID 2536 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe
PID 3084 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe
PID 3084 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe
PID 1496 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2536 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe
PID 3064 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3064 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1084 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1084 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1084 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1756 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe

Processes

C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe

"C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 240

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.152:38452 tcp
RU 193.3.19.154:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe

MD5 9a3422d1de526c4443427574a7f204cc
SHA1 e4136974c42ad2f118abd45aa2c33ec558cd95f3
SHA256 cc9f6a95d91a91f1ddaa776a10449e67616cccf70d992616f31f48a4c397f8cb
SHA512 94396e140f74f5bc5fd22a485d64757eeea253ac3fcb0d9fed55aa450d75940aed26592401ec09a2e4f39ce3e31ed3e08c3cb803e0f44dbfb194debb0e4923b3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe

MD5 306979b7cc1b7b42489f3c4297615fcb
SHA1 a87a36cf9a4c3f7976f9f2c9bd12df826974c4b9
SHA256 a8e1fe4973b61e3190128fa35d7b9ae57baf130a785837208fef9ecc73e69380
SHA512 0e4610d057a16e7dc918a846627a84fb5f762df29c25a21520d9a090277901bcd766a34e255f4350ac444d294a8c91c01bf6e2029eea2d122eab0f57d1e7daf7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe

MD5 2a2fad583afa734a9699073547e49348
SHA1 1ebe3a7a69210fe0ac39d5c22603fd2b53398aa7
SHA256 67363e7e9e9edcc47b9d13d0374674880ecc6b1cca783af14fb967fbe0b56b9b
SHA512 9feb57d2e3355eec0f9b8c7aa3778825dd18665273bae2cc99a9b2d95e0939dc003226ccb1c8ae71a2fa4f00bad8fac55dffec96be7253c5627b691b4a78e7a0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe

MD5 63a3b1a520594e3eed2a3b35561f04ca
SHA1 bf5afb1b4a3000392e7739f64d986ebba471de50
SHA256 2b38ca9762b6627743a2d7965a382f8d3ec57b897acb27cb44f34da73a43f555
SHA512 b1ef1a28d27d214ea9a0180258d973f7b56ec746f0067d921bade2bc58be1e559071880de4a1ecf7e8ccc2c7b8da27e5fe17ded902c28d6e8fd55d885adc4e9b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe

MD5 fe0bc4d1c8ecc23179c4bd4acd72942c
SHA1 b31181d30dee3416b562daed2bc558e2cbad7139
SHA256 fe7719c0d2688d99f6791f933c4ba149ad1edfe11e8b331e4cd2464f9a35f717
SHA512 e2b11c71e9958b3bfa923e67ec8e4518d98c0004a89e4aff344c7fbe0fbd47f8d870aa64d1e13b2994ef3f43d3709099892162ad3ad825ca49a46ce48b4b182b