Malware Analysis Report

2024-12-07 04:03

Sample ID 241113-xt2j7sxjfy
Target f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe
SHA256 f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173
Tags
amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173

Threat Level: Known bad

The file f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe was found to be: Known bad.

Malicious Activity Summary

amadey healer redline 9c0adb most discovery dropper evasion infostealer persistence trojan

Amadey family

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

RedLine payload

Healer

Detects Healer, an antivirus disabler dropper

Healer family

Amadey

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:09

Reported

2024-11-13 19:11

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d99487842.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f07032969.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42457606.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42457606.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d99487842.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe
PID 1900 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe
PID 1900 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe
PID 3596 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe
PID 3596 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe
PID 3596 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe
PID 1816 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe
PID 1816 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe
PID 1816 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe
PID 3992 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe
PID 3992 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe
PID 3992 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe
PID 1444 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe C:\Windows\Temp\1.exe
PID 1444 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe C:\Windows\Temp\1.exe
PID 3992 wrote to memory of 5616 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42457606.exe
PID 3992 wrote to memory of 5616 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42457606.exe
PID 3992 wrote to memory of 5616 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42457606.exe
PID 1816 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe
PID 1816 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe
PID 1816 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe
PID 4472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4472 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3596 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d99487842.exe
PID 3596 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d99487842.exe
PID 3596 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d99487842.exe
PID 4968 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4968 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4968 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4968 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 6232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 6232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 6232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 6240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 6240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 6240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 6292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 6292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 6292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 6356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 6356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 6356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 6384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 6384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 6384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2460 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1900 wrote to memory of 6728 N/A C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f07032969.exe
PID 1900 wrote to memory of 6728 N/A C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f07032969.exe
PID 1900 wrote to memory of 6728 N/A C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f07032969.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe

"C:\Users\Admin\AppData\Local\Temp\f84cc8466299ecc2aecd7af1d493d1d4a5124ace59913346bddefa87dafe7173N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42457606.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42457606.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5616 -ip 5616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 1256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d99487842.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d99487842.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1236

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f07032969.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f07032969.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 193.3.19.154:80 N/A tcp
RU 185.161.248.73:4164 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CN662681.exe

MD5 936bc5ad8f9e9c2f17f702476f38355d
SHA1 a01d39d6552f90d6f85c07b17ea40b33029d55ce
SHA256 38d1dc761cfb356f1c5a9ccb55661fa682ae62465a18005533c1d5acc9fc1cb8
SHA512 554abe13a6d784e54c8ae206e83713534d18714802f49331ac6d46655d28bf026f5e55124c4275660017f32bb5fd9da8ef9a2b6a8ce3cbfe5004651db5393116

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yw891170.exe

MD5 9900c41939b63fa079753d6f0dc994dd
SHA1 9b93cc680a50fcf57a5db73ee3c06ef33502c34b
SHA256 fab4d50079e99c9c7f5eea17629e72c18a5de4644f6cced04189e361d26a28b4
SHA512 f49500bc68c7f2da79f20e8fc5661b318737253c3c80ae71e69fad421e4de50bd3575cb732550bdf49dc683557ac6c97f8ac1486e20e9afff97ca9fdf6a2d9c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mQ915099.exe

MD5 14873bfabdb83e199ba2424afb3a283d
SHA1 b66a67dc529bcbfc9d86c2e96162c3450a62f35c
SHA256 84d86b37dc10f1bce525aa990eea6cb7e7e2957c2f6e496216cc7a4bfb095cc1
SHA512 b8309968cf1da6146bf1fcec4dcbcbfecaa736fc67f9e19204b050463c42b7bd5c540337c960ddca86eb51a3d9bb79befe90b5dd2c1042c73d1eb7c4f68fc3be

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a48479049.exe

MD5 8ff9c457cf23b38485a732bce4c84f9e
SHA1 55ec857969c1f374b3c7b2a38782fe94e8f6fc00
SHA256 dcaa27964ae38d34dbaccbff9e7cb5ebb063e7f2a00b70658b346f16a77ab7f9
SHA512 25f10cdb40f011bbba695359d6daa5ea24ae1661e9dc151b8ce03b1e8242809e642301c1fef095103840f3612ef3aedb848cee727d00564ffd088b1a7c0d84f4

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42457606.exe

MD5 8c608b4930e474e13b869ef18189fee4
SHA1 9e21ff1d3b3c95675e202dfb26bf3af6d182fd5d
SHA256 a089e2d8ac665f891c033eccf023251b6f215079a5b0a655e24cc6c7867b5dc3
SHA512 33908f5eb01cdb8d9b292a362f6f1a0a87f4100fdb90467e9e0e69f351d1fcd1ce8456c5681ce693e3ab38a5c51a7f1e41e55b7e1b2bcf30b83bbe50a32079ba

memory/5568-2175-0x0000000000340000-0x000000000034A000-memory.dmp

memory/5616-4305-0x0000000005750000-0x00000000057E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73331472.exe

MD5 5aac65e8b9ffa2dee3747bcc464295a7
SHA1 19a8346a45b4779daf4a559de9c3708ceb4554c2
SHA256 209239d6ebc114694fab4cb9a6733bac61090065d81fe0db6aef204b8787e55e
SHA512 c651d7599a6fab8f1c392766ba5256352a7da0631478e02016217308481760b6de10bdca09516eb6c505bd2c912a3c21acdf04a30f5065d07cc7f2c7f881c3e9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d99487842.exe

MD5 392f2fe984b8270c4ae617d2ae60fc5c
SHA1 f454e8ee73358a8c1d4edc2b2b1ec36736b5755b
SHA256 bfe7c2259bcf0002df265a10e94e4380f8f0ce125e4539cbb7670b6cc369d479
SHA512 01621add3526a79c94d62f4daadd140a3e1dde6a189d34edffc186917d6d4eb799f907245eed961f79f7b26c221c9c812f425b152edafd17e59a6c3e51a498fb

memory/4864-4325-0x0000000004EE0000-0x0000000004F48000-memory.dmp

memory/4864-4326-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/4864-6473-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f07032969.exe

MD5 3c0f955d30c067333872ef45a1bfff49
SHA1 3e96a99f011c87d4b8c84287e804d5073ae4cd3f
SHA256 90fc25e439c966a5302e4a39965d7473e9976f4a08f5e494537986015e075c99
SHA512 f0efe11da7d7a1a9993fc0307da3740f170559ed99b5704c5f69c8739ee86c1cc14ae07ad9ad7daf72429259ddce6f45441089b360a371bcd3dbb74cbae22527
