Malware Analysis Report

2025-08-11 07:51

Sample ID 241111-gmd8bstkgy
Target 8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa
SHA256 8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa

Threat Level: Known bad

The file 8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa was found to be: Known bad.

Malicious Activity Summary

Healer family

Healer

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

RedLine

Amadey family

Amadey

Detects Healer, an antivirus-disabler dropper

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:54

Reported

2024-11-11 05:57

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A
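The two tables above (the five Real-Time Protection policy values and the TamperProtection write, all from C:\Windows\Temp\1.exe) are the kind of registry activity a Sysmon Event ID 13 rule on the Windows Defender keys would record. The following is an added detection example written for this page, not code from the sandbox or from any vendor: it takes Sysmon-style "value set" events (the real field names Image, TargetObject, Details), flags each Defender-disabling write, and escalates when one process disables several components. The event list is constructed: the 1.exe rows mirror the report, the svchost.exe rows and the NEUTER_THRESHOLD value are assumptions added for contrast.

```python
"""Flag registry writes that switch off Microsoft Defender real-time protection.

Added example; not code from the sandbox report. It consumes Sysmon-style
registry "value set" events (Event ID 13 fields Image, TargetObject, Details)
and raises a finding when a process writes the Defender policy values the
report attributes to C:\\Windows\\Temp\\1.exe. The event list is constructed:
the 1.exe rows mirror the report, the svchost.exe rows are invented contrast.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Real-Time Protection policy values that disable a component when set to 1.
RTP_DISABLE_VALUES = frozenset({
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
})
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
# One process disabling this many components is treated as deliberate neutering
# rather than a single stray policy write (the threshold is an assumption).
NEUTER_THRESHOLD = 3


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def split_target(target: str) -> tuple[str, str]:
    """Return (key, value name); the report's native \\REGISTRY\\MACHINE prefix
    is mapped to the HKLM form Sysmon uses so both spellings match."""
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", target, flags=re.IGNORECASE)
    path = re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.IGNORECASE)
    key, _, value = path.rpartition("\\")
    return key, value


def parse_dword(details: str) -> int | None:
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return its integer."""
    m = re.search(r"0x([0-9a-f]+)", details, flags=re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def analyze(events: list[dict]) -> list[Finding]:
    """Return one finding per Defender-disabling write plus an aggregate
    'defender_neutering' finding for any process that crosses the threshold."""
    findings: list[Finding] = []
    disabled_by: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        key, value = split_target(ev["TargetObject"])
        data = parse_dword(ev.get("Details", ""))
        if key.lower() == RTP_POLICY_KEY.lower() and value in RTP_DISABLE_VALUES and data == 1:
            findings.append(Finding("defender_rtp_component_disabled", ev["Image"], value))
            disabled_by[ev["Image"]].add(value)
        elif key.lower() == TAMPER_KEY.lower() and value.lower() == "tamperprotection" and data == 0:
            # A write attempt only: with Tamper Protection on, Defender rejects it.
            findings.append(Finding("defender_tamper_protection_write", ev["Image"], value))
    for image, values in disabled_by.items():
        if len(values) >= NEUTER_THRESHOLD:
            findings.append(Finding("defender_neutering", image, ",".join(sorted(values))))
    return findings


def _event(image: str, target: str, dword: int) -> dict:
    return {"EventType": "SetValue", "Image": image, "TargetObject": target,
            "Details": f"DWORD (0x{dword:08x})"}


ONE_EXE = r"C:\Windows\Temp\1.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
RTP_NATIVE = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Constructed sample: the six writes the report lists for 1.exe, then two
# benign rows (a policy refresh setting the value back to 0, an unrelated value).
SAMPLE_EVENTS = [_event(ONE_EXE, RTP_NATIVE + "\\" + v, 1) for v in sorted(RTP_DISABLE_VALUES)] + [
    _event(ONE_EXE, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", 0),
    _event(SVCHOST, RTP_POLICY_KEY + r"\DisableRealtimeMonitoring", 0),
    _event(SVCHOST, TAMPER_KEY + r"\UnrelatedValue", 1),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.image}  {f.detail}")
```

Two caveats when using this on a live host. The Sysmon configuration must actually include a RegistryEvent rule covering the Windows Defender keys, or no Event ID 13 is produced. And a recorded write is evidence of intent, not proof the protection went down: when Tamper Protection is enabled these values can land in the registry while Defender keeps ignoring them, so confirm the real state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than from the registry alone.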

Adds Run key to start application

persistence

Note: the wextract_cleanupN RunOnce values below are the standard cleanup entries the Windows self-extractor (wextract.exe, the IExpress runtime) writes so that its IXP00N.TMP extraction directory is deleted via advpack.dll on the next logon. They show the sample is a four-level nested self-extracting package (IXP000 through IXP003) rather than a hand-written Run-key autostart; the durable persistence in this detonation is the oneetx.exe scheduled task listed under Scheduled Task/Job.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408713290.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\259020968.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\589904929.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\259020968.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408713290.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5060 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe
PID 5060 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe
PID 5060 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe
PID 4408 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe
PID 4408 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe
PID 4408 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe
PID 3236 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe
PID 3236 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe
PID 3236 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe
PID 1772 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe
PID 1772 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe
PID 1772 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe
PID 1728 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe C:\Windows\Temp\1.exe
PID 1728 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe C:\Windows\Temp\1.exe
PID 1772 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\259020968.exe
PID 1772 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\259020968.exe
PID 1772 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\259020968.exe
PID 3236 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe
PID 3236 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe
PID 3236 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe
PID 3552 wrote to memory of 6732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3552 wrote to memory of 6732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3552 wrote to memory of 6732 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4408 wrote to memory of 6920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408713290.exe
PID 4408 wrote to memory of 6920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408713290.exe
PID 4408 wrote to memory of 6920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408713290.exe
PID 6732 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6732 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6732 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6732 wrote to memory of 5736 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6732 wrote to memory of 5736 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6732 wrote to memory of 5736 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 5736 wrote to memory of 5644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5736 wrote to memory of 5644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5736 wrote to memory of 5644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5736 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 5480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 5480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 5480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5736 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5736 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5736 wrote to memory of 7112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 7112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 7112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 5316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 5316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5736 wrote to memory of 5316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5060 wrote to memory of 6412 N/A C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\589904929.exe
PID 5060 wrote to memory of 6412 N/A C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\589904929.exe
PID 5060 wrote to memory of 6412 N/A C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\589904929.exe
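The table above is flat and repeats each write three times, which hides the lineage it encodes. Every row pairs a writer with the process it has just spawned (the sandbox records the parent's writes into a new child's address space during process creation), so the rows can be read as parent/child edges. The script below is an added example for this page, not code from the sandbox: it parses rows in the table's own format, drops the repeats, rebuilds the tree, prints the root-to-leaf lineage, and separates ordinary spawn-writes from writes into a process the writer did not create, which is the shape a real injection would take. REPORT_ROWS reproduces the report's rows (one of each repeated triple plus one deliberate repeat), with the Temp and SysWOW64 prefixes factored into T and W only to keep the lines readable.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows.

Added example; not code from the report. The sandbox records a parent's
writes into each process it spawns, so the rows read as (writer, target)
edges; this script de-duplicates them, builds the tree, prints lineage, and
separates spawn-writes from writes into a process the writer did not create
(the shape an injection would take).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


@dataclass
class Proc:
    pid: int
    image: str
    parent: int | None = None
    children: list[int] = field(default_factory=list)


def parse_rows(text: str) -> list[tuple[int, int, str, str]]:
    """(writer_pid, target_pid, writer_image, target_image), duplicates dropped, order kept."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and (edge := (int(m[1]), int(m[2]), m[3], m[4])) not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges) -> tuple[dict[int, Proc], list[tuple[int, int]]]:
    """The first writer into a PID is taken as its parent; any later, different
    writer is reported as a cross-process write instead of a spawn."""
    procs: dict[int, Proc] = {}
    cross: list[tuple[int, int]] = []
    for wpid, tpid, wimg, timg in edges:
        writer = procs.setdefault(wpid, Proc(wpid, wimg))
        target = procs.setdefault(tpid, Proc(tpid, timg))
        if target.parent is None:
            target.parent = wpid
            writer.children.append(tpid)
        elif target.parent != wpid:
            cross.append((wpid, tpid))
    return procs, cross


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def roots(procs: dict[int, Proc]) -> list[int]:
    return [p.pid for p in procs.values() if p.parent is None]


def lineage(procs: dict[int, Proc], pid: int) -> list[str]:
    """Image basenames from the root down to pid."""
    chain = []
    while pid is not None:
        chain.append(basename(procs[pid].image))
        pid = procs[pid].parent
    return chain[::-1]


def render(procs: dict[int, Proc], pid: int, depth: int = 0) -> list[str]:
    """Indented one-line-per-process view of the subtree under pid."""
    lines = [f"{'  ' * depth}{pid} {basename(procs[pid].image)}"]
    for child in procs[pid].children:
        lines.extend(render(procs, child, depth + 1))
    return lines


# Rows copied from the report (repeats collapsed, one kept on purpose to show de-duplication).
T = r"C:\Users\Admin\AppData\Local\Temp"
S = T + r"\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe"
W = r"C:\Windows\SysWOW64"
REPORT_ROWS = "\n".join([
    f"PID 5060 wrote to memory of 4408 N/A {S} {T}\\IXP000.TMP\\py440955.exe",
    f"PID 5060 wrote to memory of 4408 N/A {S} {T}\\IXP000.TMP\\py440955.exe",
    f"PID 4408 wrote to memory of 3236 N/A {T}\\IXP000.TMP\\py440955.exe {T}\\IXP001.TMP\\Mx436156.exe",
    f"PID 3236 wrote to memory of 1772 N/A {T}\\IXP001.TMP\\Mx436156.exe {T}\\IXP002.TMP\\kl401557.exe",
    f"PID 1772 wrote to memory of 1728 N/A {T}\\IXP002.TMP\\kl401557.exe {T}\\IXP003.TMP\\172388869.exe",
    f"PID 1728 wrote to memory of 3888 N/A {T}\\IXP003.TMP\\172388869.exe C:\\Windows\\Temp\\1.exe",
    f"PID 1772 wrote to memory of 6108 N/A {T}\\IXP002.TMP\\kl401557.exe {T}\\IXP003.TMP\\259020968.exe",
    f"PID 3236 wrote to memory of 3552 N/A {T}\\IXP001.TMP\\Mx436156.exe {T}\\IXP002.TMP\\312999767.exe",
    f"PID 3552 wrote to memory of 6732 N/A {T}\\IXP002.TMP\\312999767.exe {T}\\cb7ae701b3\\oneetx.exe",
    f"PID 4408 wrote to memory of 6920 N/A {T}\\IXP000.TMP\\py440955.exe {T}\\IXP001.TMP\\408713290.exe",
    f"PID 6732 wrote to memory of 3644 N/A {T}\\cb7ae701b3\\oneetx.exe {W}\\schtasks.exe",
    f"PID 6732 wrote to memory of 5736 N/A {T}\\cb7ae701b3\\oneetx.exe {W}\\cmd.exe",
    f"PID 5736 wrote to memory of 5644 N/A {W}\\cmd.exe {W}\\cmd.exe",
    f"PID 5736 wrote to memory of 4276 N/A {W}\\cmd.exe {W}\\cacls.exe",
    f"PID 5736 wrote to memory of 5480 N/A {W}\\cmd.exe {W}\\cacls.exe",
    f"PID 5736 wrote to memory of 3088 N/A {W}\\cmd.exe {W}\\cmd.exe",
    f"PID 5736 wrote to memory of 7112 N/A {W}\\cmd.exe {W}\\cacls.exe",
    f"PID 5736 wrote to memory of 5316 N/A {W}\\cmd.exe {W}\\cacls.exe",
    f"PID 5060 wrote to memory of 6412 N/A {S} {T}\\IXP000.TMP\\589904929.exe",
])

if __name__ == "__main__":
    procs, cross = build_tree(parse_rows(REPORT_ROWS))
    for root in roots(procs):
        print("\n".join(render(procs, root)))
    print("cross-process writes:", cross or "none")
```

For this detonation the cross-process list is empty: every write goes from a process to one it spawned, so the "Suspicious use of WriteProcessMemory" signature here reflects the five-deep unpacking chain (sample, then py440955, Mx436156, kl401557, 172388869, and finally 1.exe) rather than injection into an unrelated process. A non-empty list, for example a writer targeting a PID whose parent is a different process, is what would justify treating the signature as injection.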

Processes

C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe

"C:\Users\Admin\AppData\Local\Temp\8b39e6d4af311568d59944343f965b0fa192c1755ebd0e1b024f9663ab44f7aa.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\259020968.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\259020968.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6108 -ip 6108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 248

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408713290.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408713290.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6920 -ip 6920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 1252

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\589904929.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\589904929.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
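The schtasks and cacls command lines above are the durable part of this detonation: a task that re-launches oneetx.exe from the user's Temp directory every minute, followed by cacls calls that first replace the ACL on the payload and its folder with "Admin:N" (no access) and then edit read access back in with /E, which leaves the logged-on user unable to modify or delete the file. The following is an added detection example for this page, not code from the report or from any product: it takes raw process command lines as a Sysmon Event ID 1 or Security 4688 record would carry them, splits cmd.exe /k and /c scripts on && and |, and flags the minute-interval task from a user-writable path, the access-stripping cacls, and the combination of the two on the same payload. The sample list holds the seven command lines from the Processes section (duplicate cacls rows collapsed) plus three constructed benign lines; the rule names, the USER_WRITABLE directory set and MAX_INTERVAL_MINUTES are assumptions.

```python
"""Flag the scheduled-task persistence and ACL lockdown seen in this detonation.

Added example; not code from the report or from any named tool. It takes raw
process command lines and detects: a schtasks /Create every-few-minutes task
whose /TR points into a user-writable directory, a cacls /P <user>:N that
strips access to a file or folder, and the combination of both on one payload.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories any user-level process can write to (assumption; extend per environment).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)
MAX_INTERVAL_MINUTES = 5  # /SC MINUTE /MO n at or below this is beacon-style (assumption)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes and dropping them."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def tool_name(token: str) -> str:
    """Basename without extension, lower-cased: System32 and SysWOW64 copies compare equal."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_switches(tokens: list[str]) -> dict[str, str | bool]:
    """Map /switch -> following value (True for bare switches), keys lower-cased."""
    opts: dict[str, str | bool] = {}
    i = 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def check_schtasks(tokens: list[str]) -> list[Finding]:
    o = parse_switches(tokens)
    if "create" not in o or str(o.get("sc", "")).lower() != "minute":
        return []
    try:
        interval = int(str(o.get("mo", "1")))
    except ValueError:
        return []
    task_run = str(o.get("tr", ""))
    if interval <= MAX_INTERVAL_MINUTES and USER_WRITABLE.match(task_run):
        return [Finding("schtasks_minute_task_from_user_dir", task_run)]
    return []


def check_cacls(tokens: list[str]) -> list[Finding]:
    if len(tokens) < 2:
        return []
    edit_mode = any(t.lower() == "/e" for t in tokens)  # /E edits the ACL instead of replacing it
    for i, t in enumerate(tokens[:-1]):
        if t.lower() == "/p" and tokens[i + 1].upper().endswith(":N") and not edit_mode:
            return [Finding("cacls_replace_acl_with_deny", tokens[1])]
    return []


def analyze_cmdline(cmdline: str) -> list[Finding]:
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    tool = tool_name(tokens[0])
    if tool == "schtasks":
        return check_schtasks(tokens)
    if tool == "cacls":
        return check_cacls(tokens)
    if tool == "cmd":
        # Everything after /c or /k is a cmd script: split on && and | and recurse.
        m = re.search(r"\s/[ck]\s*(.*)$", cmdline, flags=re.IGNORECASE | re.DOTALL)
        if not m:
            return []
        body = m.group(1).strip().strip('"')
        return [f for part in re.split(r"&&|\|\||\||&", body) for f in analyze_cmdline(part)]
    return []


def analyze(cmdlines: list[str]) -> list[Finding]:
    """Per-line findings, de-duplicated, plus a chain finding when a cacls lockdown
    targets the scheduled task's payload file or its parent directory."""
    findings: list[Finding] = []
    for line in cmdlines:
        for f in analyze_cmdline(line):
            if f not in findings:
                findings.append(f)
    locked = {f.evidence.replace("/", "\\").rsplit("\\", 1)[-1].lower()
              for f in findings if f.rule == "cacls_replace_acl_with_deny"}
    for f in list(findings):
        if f.rule != "schtasks_minute_task_from_user_dir":
            continue
        parts = f.evidence.replace("/", "\\").split("\\")
        if parts[-1].lower() in locked or (len(parts) > 1 and parts[-2].lower() in locked):
            findings.append(Finding("persistence_with_acl_lockdown", f.evidence))
    return findings


# Constructed sample: the seven command lines from the Processes section, then
# three benign lines invented for contrast (a daily backup task, a 15-minute
# agent task under Program Files, a cacls that grants rather than strips).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit',
    r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'CACLS "oneetx.exe" /P "Admin:R" /E',
    r'CACLS "..\cb7ae701b3" /P "Admin:N"',
    r'CACLS "..\cb7ae701b3" /P "Admin:R" /E',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /ST 02:00 /TN NightlyBackup /TR "C:\Program Files\Backup\backup.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN AgentHeartbeat /TR "C:\Program Files\Agent\agent.exe"',
    r'CACLS C:\Share\docs /P Admin:F',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"{f.rule:34} {f.evidence}")
```

Two details worth keeping in mind when turning this into a production rule. The command line names C:\Windows\System32\schtasks.exe while the process image in the report is C:\Windows\SysWOW64\schtasks.exe, because the 32-bit oneetx.exe is subject to WOW64 file-system redirection; matching on the basename, as tool_name does, avoids missing either spelling. And the "echo Y|" prefix exists only to answer cacls' confirmation prompt, so the token to key on is the /P "<user>:N" replacement, not the echo.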

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Only PTR (in-addr.arpa) queries appear in the capture; both TCP peers, 193.3.19.154:80 and 185.161.248.73:4164, were contacted by IP address with no hostname resolved, so hunting or blocking for this sample has to key on the IP:port pairs rather than on a domain.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py440955.exe

MD5 a640f879c8f532169d47f1183775b687
SHA1 8c8c73cd9d4247da2b5584e2ec555daa4c8e1cf2
SHA256 fcdba74c828290491698bd849ed8dd95bcb120a6fc7f475cdf079adaa3cfdab8
SHA512 3e0e978e0d189d9e1571ef2d89b22e38b7d52b661be67b74303b7d9b3b1aa662b3807eee042a3db7fddd4ec8be4933b390368809d287a699121b4cc35854cf88

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mx436156.exe

MD5 03c6930d8f80cc1e2f7b1d2740414835
SHA1 4474a41878ee34da608d06146430fd81725e75cd
SHA256 0a6f256a36b61021a5f381cd20e6b098611b373c08640b3c38b8d83babe3324c
SHA512 e0bf308db56b3e8e7f13ff8644b4e7543bb0272894410cbb6acbb28de6913018c46734c7965a1950de62c6c43317c0c682d91a3c852d9fdc9a741f56efffe564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kl401557.exe

MD5 0132d7e960e1382e2bf2fc2a33d4431a
SHA1 d2d3db9c6e3292d30c8838c52b6a8a3aba6574f8
SHA256 1192180fe5b34291873f9a534d0f6683ca6bad70d1ea124ce07d75afaafcfcbd
SHA512 db430c8b4e18e126a42ff7cf6995f3efb642e87c8564259e07641fa70ba9916465cb70dc7fd3435e2ff901f64f3f17a6905e6040d4244d58469bb36853794732

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\172388869.exe

MD5 93a3a0064aac63e2a133a03963bcec38
SHA1 0666198966309dfe6393f00938a4d653141171b4
SHA256 c4c3ead584394d048144acce5205cc784a9b5d5d11a872125c16606522dbd67a
SHA512 f9ea4b5c7ea8be258a5a7b0e34a120849490badf1c41b74f7c7134f63af4c955162179946cd1026e2b1400226e2758b5dd5c652e92a8e07bdb848fc52d851877

memory/1728-28-0x0000000002200000-0x0000000002258000-memory.dmp

memory/1728-29-0x0000000004BA0000-0x0000000005144000-memory.dmp

memory/1728-30-0x0000000004A00000-0x0000000004A56000-memory.dmp

memory/1728-86-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-94-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-92-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-90-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-88-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-84-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-82-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-80-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-78-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-74-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-72-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-70-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-68-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-66-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-62-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-60-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-58-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-56-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-54-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-52-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-48-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-46-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-44-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-42-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-40-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-38-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-34-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-32-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-76-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-64-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-50-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-36-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-31-0x0000000004A00000-0x0000000004A51000-memory.dmp

memory/1728-2159-0x00000000052F0000-0x00000000052FA000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\259020968.exe

MD5 a001a63868e4a433a08da53730f962b8
SHA1 cee516372abba590aed5f172e2f56b28591d99d6
SHA256 c9e07d1324203441153a4c2f64a8a4c21b1f257a0c0b72ced43bfd4f9b7d8187
SHA512 baf180fdfe398e5e25667e7f193f41ea2d14f6a259f27c5407f9e4b3ac5e823f5df57296c37fda5357561baa5a835fcc8b315de4ca2d905099f95bf4434dc68b

memory/3888-2175-0x0000000000D30000-0x0000000000D3A000-memory.dmp

memory/6108-4305-0x0000000005750000-0x00000000057E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\312999767.exe

MD5 f9b20c19cc1c412b2b77f379fa037ce8
SHA1 b8a1a68d57141c5054fc3296a3c6470269a80e7d
SHA256 aea3550c0164e16aec74057964431308f3ad1a2551c9081b7d260b1a009d5237
SHA512 a64d83109151d59130081d484470fb0960187af6581fdbc3529f850005e09d56985aee9adad5de3db3f57fad28773d1452a59dfe36260f4bff8002d7f6fc1014

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\408713290.exe

MD5 156aefbb87e5f0b90c8a5beecdff25c1
SHA1 5c9277f5da98696271784f1c19bb837815c067dd
SHA256 9df98b2d38ca3243a313401fc7da2351e61379e24c19acae43640b62f3074043
SHA512 7f5655ce146aaecdffd668c3b7597e26a8e3d0a5e549231e25c36c4ff2ffa321cd98de8f0ea8db6ce04084fc902eea90739809c32170b19484de145124976182

memory/6920-4325-0x0000000004D50000-0x0000000004DB8000-memory.dmp

memory/6920-4326-0x0000000005510000-0x0000000005576000-memory.dmp

memory/6920-6473-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\589904929.exe

MD5 23bf8277fe81d432902a96d16906735b
SHA1 998bd641c8084bf425b2185419f3d91f4cf0dec4
SHA256 743b918aa649e9dfb54739b2ac00523fa048d1495dcf1ed3baf6afe5b10b106b
SHA512 cd0db15dd275d05d7156842ee3033fdd834c623a321ee476e53dfc400f6bf9f1a3df06e4e815071da554ba2e2b075bfc16ba2087ff92e84a29b55f501e3aadf2

memory/6412-6480-0x0000000000920000-0x0000000000950000-memory.dmp

memory/6412-6481-0x0000000005240000-0x0000000005246000-memory.dmp

memory/6412-6482-0x00000000058B0000-0x0000000005EC8000-memory.dmp

memory/6412-6483-0x00000000053A0000-0x00000000054AA000-memory.dmp

memory/6412-6484-0x00000000052B0000-0x00000000052C2000-memory.dmp

memory/6412-6485-0x0000000005310000-0x000000000534C000-memory.dmp

memory/6412-6486-0x0000000005350000-0x000000000539C000-memory.dmp