Malware Analysis Report

2024-12-06 02:56

Sample ID 241110-cja92sxdjf
Target d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c
SHA256 d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c
Tags
amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c

Threat Level: Known bad

The file d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

RedLine

Healer

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

Amadey

Amadey family

RedLine payload

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:05

Reported

2024-11-10 02:08

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft733570.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe
PID 4016 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe
PID 4016 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe
PID 4428 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe
PID 4428 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe
PID 4428 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe
PID 2656 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe
PID 2656 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe
PID 2656 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe
PID 1140 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe
PID 1140 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe
PID 1140 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe
PID 1140 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe
PID 1140 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe
PID 5008 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5008 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 5008 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 2656 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe
PID 2656 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe
PID 2656 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe
PID 4996 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4996 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4996 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4996 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 4124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4596 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4428 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft733570.exe
PID 4428 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft733570.exe
PID 4428 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft733570.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c.exe

"C:\Users\Admin\AppData\Local\Temp\d842b98e4fa44e777565ed98838723e42515b25ad67e8c5f0f49552b02fd3d2c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4484 -ip 4484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft733570.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft733570.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.152:38452 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki692459.exe

MD5 3794989414c0fde5965a401ac13521ef
SHA1 e237ec56bd151046911512fe3c10cd46754bde23
SHA256 65aaa236940cc777ec4d63f21bceca3f10f832b16892f1047f6be5b62388785f
SHA512 39fc86ec0bf62037003b412547eb21b46b21871b0048281da1f9d60a767055742f75103dc57a5c8c10342ca042ec630cc585d9dd74cebd21f625cae1e23b023c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki913163.exe

MD5 256072c0eaf90ba49fe945f109942af3
SHA1 5ed7e42abd3460f54e264bdb23a4b03f54ac0a17
SHA256 10d1d602513658862a0ffa845528765df44414e113fc668753d0f2c02e4279bd
SHA512 0060217098559902075ea74c5d28ea0e96f9a94b471a16c9b1b07da04a28fcb9b58822171f3919af3854367690a397f9f0b6b20095849e5e1bb1debfbaec65c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki227151.exe

MD5 01ebc42d0f55cb06ad8e4f6d919a206e
SHA1 7b896821f512025a60ea986a94d3745825bfe5e0
SHA256 4ced990b2e90c60d15091f52a8d3877dc94bf88d545dc4af0ebfdc193e9c1fc3
SHA512 a5f7c17cd9f019c2adf43923f95cfcd331af6f3d30b5c89871aa828f9db6d80062dfcdff765640dae372133aa924c229ca9349c0469ec950e5ea5c9e4854ca3e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az430839.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4808-28-0x0000000000730000-0x000000000073A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu250738.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf386600.exe

MD5 5a8abace9b692b0682357af2e62aac17
SHA1 a2bb3a09851f5b824455bb99764f6b5f6149e18a
SHA256 499340427eb7754f23a6640e9e9872a04a2ffba7263f33dd297fc296aa9f6737
SHA512 6f71a2e1407140040d414f9fbb3b297b2d4e385dcfbb2dd923ef3d5d5b3e0a30638b0a78a3aec7279dc3ed1020e8f27031b65ccda653e0fa0f72d092d2e17907

memory/4484-47-0x00000000049B0000-0x00000000049CA000-memory.dmp

memory/4484-48-0x0000000007420000-0x00000000079C4000-memory.dmp

memory/4484-49-0x0000000004A40000-0x0000000004A58000-memory.dmp

memory/4484-57-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-77-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-75-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-73-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-71-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-70-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-67-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-65-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-63-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-61-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-59-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-55-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-53-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-51-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-50-0x0000000004A40000-0x0000000004A52000-memory.dmp

memory/4484-78-0x0000000000400000-0x0000000002BB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft733570.exe

MD5 fe0bc4d1c8ecc23179c4bd4acd72942c
SHA1 b31181d30dee3416b562daed2bc558e2cbad7139
SHA256 fe7719c0d2688d99f6791f933c4ba149ad1edfe11e8b331e4cd2464f9a35f717
SHA512 e2b11c71e9958b3bfa923e67ec8e4518d98c0004a89e4aff344c7fbe0fbd47f8d870aa64d1e13b2994ef3f43d3709099892162ad3ad825ca49a46ce48b4b182b

memory/3300-84-0x0000000000A40000-0x0000000000A68000-memory.dmp

memory/4484-80-0x0000000000400000-0x0000000002BB5000-memory.dmp

memory/3300-85-0x0000000007D20000-0x0000000008338000-memory.dmp

memory/3300-86-0x00000000077A0000-0x00000000077B2000-memory.dmp

memory/3300-87-0x00000000078D0000-0x00000000079DA000-memory.dmp

memory/3300-88-0x0000000007810000-0x000000000784C000-memory.dmp

memory/3300-89-0x0000000004C30000-0x0000000004C7C000-memory.dmp