Malware Analysis Report

2025-05-06 01:34

Sample ID 241110-dw1adaycqq
Target b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251
SHA256 b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251

Threat Level: Known bad

The file b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Amadey

Amadey family

Detects Healer, an antivirus disabler dropper

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:22

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:22

Reported

2024-11-10 03:24

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\150727782.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341080468.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mw581524.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ905980.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HU715138.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\493760897.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ905980.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\150727782.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274854674.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341080468.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HU715138.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mw581524.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\513308722.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\150727782.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274854674.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\493760897.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HU715138.exe
PID 1780 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HU715138.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mw581524.exe
PID 1664 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mw581524.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ905980.exe
PID 100 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ905980.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\150727782.exe
PID 4860 wrote to memory of 5144 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\150727782.exe C:\Windows\Temp\1.exe
PID 100 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ905980.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274854674.exe
PID 1664 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mw581524.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341080468.exe
PID 3164 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341080468.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 1780 wrote to memory of 5180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HU715138.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\493760897.exe
PID 928 wrote to memory of 5604 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 928 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 5388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4392 wrote to memory of 5960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4392 wrote to memory of 6152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 6180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4392 wrote to memory of 6232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2424 wrote to memory of 6544 N/A C:\Users\Admin\AppData\Local\Temp\b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\513308722.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251.exe

"C:\Users\Admin\AppData\Local\Temp\b10fdd33847dd24d17e0e4eb0d506db8cee8afbb4f1e3c1b75993beb65f77251.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HU715138.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HU715138.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mw581524.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mw581524.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ905980.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ905980.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\150727782.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\150727782.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274854674.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274854674.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4204 -ip 4204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1260

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341080468.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341080468.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\493760897.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\493760897.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5180 -ip 5180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 1260

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\513308722.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\513308722.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HU715138.exe

MD5 620b94a9ab3fbc2b18b8d43d72de91e8
SHA1 6c7807eea7f27a6b2b67dfc94ee734dce9a24d9e
SHA256 5c8bf06e7e505cbf4f12270db7b6d19cb14fafb16b5fbdcac25f8a7bdd3c61ab
SHA512 fc07623ef0c3645a65cd9c44be0c626c414002b23bc93f28b48cbac5759441296495fa663375bb4f5442b882e78d67c5309fd92c92972212ba9382ccbd783ddf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mw581524.exe

MD5 08bf92dce6d54e00dd548b0a67b7cfff
SHA1 eb57052b6745e051458b0807a9458f14c0edcad8
SHA256 30eb6ce0d156b8e4a5a57b84d652a57314d3a3f7d4b2ad717b14a5377fa79af9
SHA512 5134027765be11e635fda83e316b3c11f930580b9674503ddf05ac22a66787f44a84a9ad7efcd273c75795972eabc1fd5e6cffa7ba576325ef0e58b1cc05f679

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ905980.exe

MD5 ce1e49715ffefabf3dcfe42bd093c66d
SHA1 87e33994ea1b3b1d4eaac4fa9c5565a3ffad6ceb
SHA256 7df19d9afa1d9810a7ff9b4e3ed121e5be8af3a4b4382d06138355a7c9bc638b
SHA512 5ebb1ad9e3feb219fe99a9e6ba9e4318d7f87dc4ed671bda3dad2d7967814d9238ec54f795fd5f527fcca554f303726a9318025557253961a6e0797f4ff336ff

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\150727782.exe

MD5 b3061eaa019761d6621cf5c3e9002046
SHA1 d7ba1eb7d3893b95082bf5b8589e836bbf7a8b35
SHA256 9c015a792744e9ebdb305d3c249d4e83259af0117337285f5c0a7a4e14141ff2
SHA512 00fd983b660dd709156951e8495bc3ba02d3c923172925070351f9f8f7e223641f36d3345bec232532db74da4bb392c7fa80c09c6f7a9c790e5e6275a198c484

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/5144-2172-0x0000000000770000-0x000000000077A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\274854674.exe

MD5 eed9b47cf2099afe1b33e246cdc5ff34
SHA1 d2712c0189ff0b6d7f333c5bedcc1b4f792dc138
SHA256 dbbd1dac7b3c7ab6c8916425ad9a8640c6ae336efecb0022b2bd4077741b9f7a
SHA512 5a3daefd2b82b102c0b5dc80a5f097fa2ead53a331861d541aa53a8001c3004aebc0cbcf00a242b10b381b4b36f6576d130646414dfef5a76ea3728c07cd4d71

memory/4204-4305-0x0000000005740000-0x00000000057D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\341080468.exe

MD5 cbcc1d325e006e1dcdc5d36feb2dbc30
SHA1 e00870b46b5f20892cd66ecc1b00484a5886cb49
SHA256 3b98d052e9f47992e9d574225dfc536c6559a4127dd07c1a569bc7d6264c2796
SHA512 810887ee1f5b62f9811b232e53b56536d112efeaa4965ed2f815f0451e17292b201b7f505a5105e4379913419e1673f3d53adeb12a90d8829917ffbae9c74351

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\493760897.exe

MD5 28314d76c9c50bed7cfc90d8646d7506
SHA1 a38855ed91824185624ca15a72e4a2d2c5aef5cb
SHA256 0a1497866e39ec952b797846138ab66e027b5aa1c569d4cb7b9eee9de7067da4
SHA512 3330b07e7021a2aa558c1411d9e28c31c11181d103c122b8c2144de2db4236ff9ccdd9a5a62f0898f1d37c1efe18d35240f2f5b4e8bf32b67ec9f3de06af0289

memory/5180-4326-0x0000000005510000-0x0000000005576000-memory.dmp

memory/5180-4325-0x0000000004EA0000-0x0000000004F08000-memory.dmp

memory/5180-6473-0x0000000005750000-0x0000000005782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\513308722.exe

MD5 23bf8277fe81d432902a96d16906735b
SHA1 998bd641c8084bf425b2185419f3d91f4cf0dec4
SHA256 743b918aa649e9dfb54739b2ac00523fa048d1495dcf1ed3baf6afe5b10b106b
SHA512 cd0db15dd275d05d7156842ee3033fdd834c623a321ee476e53dfc400f6bf9f1a3df06e4e815071da554ba2e2b075bfc16ba2087ff92e84a29b55f501e3aadf2
