Malware Analysis Report

2024-12-07 03:57

Sample ID 241113-ptcl3s1pdy
Target 0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe
SHA256 0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6

Threat Level: Known bad

The file 0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe was found to be: Known bad.

Malicious Activity Summary

Healer family

Detects Healer, an antivirus disabler dropper

Redline family

Healer

RedLine

Amadey

Amadey family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 12:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 12:36

Reported

2024-11-13 12:38

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f10390953.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b23611264.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d64507247.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b23611264.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d64507247.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe
PID 4996 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe
PID 4996 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe
PID 3260 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe
PID 3260 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe
PID 3260 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe
PID 4772 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe
PID 4772 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe
PID 4772 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe
PID 324 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe
PID 324 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe
PID 324 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe
PID 1932 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe C:\Windows\Temp\1.exe
PID 1932 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe C:\Windows\Temp\1.exe
PID 324 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b23611264.exe
PID 324 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b23611264.exe
PID 324 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b23611264.exe
PID 4772 wrote to memory of 6892 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe
PID 4772 wrote to memory of 6892 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe
PID 4772 wrote to memory of 6892 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe
PID 6892 wrote to memory of 6992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 6892 wrote to memory of 6992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 6892 wrote to memory of 6992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3260 wrote to memory of 7044 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d64507247.exe
PID 3260 wrote to memory of 7044 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d64507247.exe
PID 3260 wrote to memory of 7044 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d64507247.exe
PID 6992 wrote to memory of 7100 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6992 wrote to memory of 7100 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6992 wrote to memory of 7100 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 6992 wrote to memory of 7136 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6992 wrote to memory of 7136 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 6992 wrote to memory of 7136 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 7136 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7136 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7136 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7136 wrote to memory of 5176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 5176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 5176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 3796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 3796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 3796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 5648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7136 wrote to memory of 5648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7136 wrote to memory of 5648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 7136 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 7136 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4996 wrote to memory of 6768 N/A C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f10390953.exe
PID 4996 wrote to memory of 6768 N/A C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f10390953.exe
PID 4996 wrote to memory of 6768 N/A C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f10390953.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe

"C:\Users\Admin\AppData\Local\Temp\0ec6f8045a7cb96d01eeed2e42ee79180479d29b925763e85ad2581e35f9b8f6N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b23611264.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b23611264.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d64507247.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d64507247.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 7044 -ip 7044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 1192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f10390953.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f10390953.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.3.19.154:80 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mh351989.exe

MD5 46e4c58556af7488a9dc5cdc35f0ac72
SHA1 c5bd2722709c84a72a46dcf7a9a60d4f67687c79
SHA256 be8f45993b064daacf43c20bd861ca9a89c41616161b101214eb611b4c37004c
SHA512 421d7245ceb1d367b2624c71e2deccc5a2b7ee0be58b9caa938c8ac7dc4c0f51503c488408e0ddad48d2729cb40afa0c2cd0f818fa50168632589b17b6635936

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vd256615.exe

MD5 ec7c8da6969f961f4986fc711cd6d3cb
SHA1 acb99b8db86503fdc7ca3161c69d18d0ef5729b2
SHA256 526ec66f05ae4fcc52f32a4e84bc70d8d46739a3dc0caed9a00aa16ff05380b7
SHA512 e80b9b0fa9f59c91b95d4386e41c869146de60c5acbb9f40f28e3d23f90e44bae950f35b3a0c3ed23017c7b4539aa58e0fc712410bf9963e5eca1077172a9b97

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO738619.exe

MD5 aff4178b6ddcee1c4675fd6658360195
SHA1 3c988e3fd99f0459ea65c0b181d6c48ef74e61e3
SHA256 c190c7af582d6ea456e8c521f81105ac4b5cd8984c7d8e82fc33438dd961b598
SHA512 f99191b78780f9cf1e3a48f1a4114e934b2fe620c9953535ce4accdad6d8766cb437115e2d402fa98c36e2c88de5d9479b2d4c7737bbd27be74f598839d39d49

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a57189868.exe

MD5 e37691154d478cba1cc4b5a1ed2ae143
SHA1 3e687bc70725e2a8ae32d53015d01af29f59fa58
SHA256 c563959c0ae59735d67279ecbb924c125dead57f2f9678fbca1d93bc246e3713
SHA512 cea289f0e7ac75a0ed4f7480e81646d398a9cd1241e7d0006f1c5be6a54614954e4a48a4446de28b1dd215726c9d190cc2d64c8f7eb44ec0c85430e2075a7ad4

memory/1932-28-0x00000000048F0000-0x0000000004948000-memory.dmp

memory/1932-29-0x0000000004AA0000-0x0000000005044000-memory.dmp

memory/1932-30-0x00000000049E0000-0x0000000004A36000-memory.dmp

memory/1932-31-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-56-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-94-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-92-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-88-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-86-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-84-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-82-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-81-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-78-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-76-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-74-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-72-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-70-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-68-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-66-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-62-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-60-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-58-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-54-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-52-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-50-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-48-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-46-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-44-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-42-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-40-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-38-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-36-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-90-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-34-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-32-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-64-0x00000000049E0000-0x0000000004A31000-memory.dmp

memory/1932-2159-0x00000000052F0000-0x00000000052FA000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2256-2172-0x0000000000A50000-0x0000000000A5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b23611264.exe

MD5 0d68709a57df93b326c485420068f2e9
SHA1 d5b2d758341ea1cbf43dd4d5681bc229ff5ea494
SHA256 cb05620146a158bdf8dacac6e6946ed80c71a2eb83ee157ca5fdd7476f5374b7
SHA512 16ef9aca2b11ab0a5d08273887a59f04c5ea9ce90ef02304e3769a299d1b201381d0ba5e3b3477df725c39accffb25b1c117e75bdc8374afe3a3f4a899eb06ff

memory/4676-4305-0x0000000005750000-0x00000000057E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c80838904.exe

MD5 607f5298ecf90c781e19f258b2cff55c
SHA1 dbc18884871fc291919579b9451ecb7d3eb65c46
SHA256 d228ec510bd651e0f5a1a131d7738664a6e65e1111cf45e2d4842e0b5cfd3c94
SHA512 fd84ce5761a591090301771352e02748ba96667c2a7f58bc05655c35ade69328419f2a0a90e7e58af8c4b357928579dbafdf0a5254cf11dab207c8c66e7ef227

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d64507247.exe

MD5 1f19a05c4a77e942e5bf7e3c512a3b2c
SHA1 03b22d99aba20d8306976a31d5a58fc76d7ff43d
SHA256 b9b5bd440409709b8c50c1435f36b106a2f2fd3abe8ec825905773b7c49306d9
SHA512 60aab0ed0751077870753321fb003664a6b98797605b94201a113ebf4bcd45204f4e117b4ca938f25c9a23d3c51812b01105e907b3ba07a69d9c3859d837b919

memory/7044-4325-0x0000000002780000-0x00000000027E8000-memory.dmp

memory/7044-4326-0x0000000005570000-0x00000000055D6000-memory.dmp

memory/7044-6473-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f10390953.exe

MD5 12cc930a1968353f1fa5efa402d03fe2
SHA1 9628e680d8c82842e3ef8bfd28a5fabf0088ae88
SHA256 f7ddf043e686c79b8f49b063493623b7929b88e2534c8abf8ce5d9475c3392a2
SHA512 539ed1948f9b1354ab3ca4eeed163ad815cb0b7317e2dbdec9071d13f467687d2a5b551984ffae87411359e608fa44afb8742aeac54b3c2153ee6faddec5c7c0

memory/6768-6479-0x0000000000F50000-0x0000000000F80000-memory.dmp

memory/6768-6480-0x0000000003240000-0x0000000003246000-memory.dmp

memory/6768-6481-0x0000000005FB0000-0x00000000065C8000-memory.dmp

memory/6768-6483-0x0000000005AA0000-0x0000000005BAA000-memory.dmp

memory/6768-6484-0x00000000057C0000-0x00000000057D2000-memory.dmp

memory/6768-6485-0x0000000005820000-0x000000000585C000-memory.dmp

memory/6768-6486-0x0000000005990000-0x00000000059DC000-memory.dmp