Malware Analysis Report

2025-08-10 23:10

Sample ID 230423-zmqkgahd7s
Target b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4
SHA256 b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4

Threat Level: Known bad

The file b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 20:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 20:50

Reported

2023-04-23 20:52

Platform

win10-20230220-en

Max time kernel

97s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge532209.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4256 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe
PID 4256 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe
PID 4256 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe
PID 4104 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe
PID 4104 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe
PID 4104 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe
PID 4144 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe
PID 4144 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe
PID 4144 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe
PID 2532 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe
PID 2532 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe
PID 2532 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe
PID 2532 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe
PID 2532 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe
PID 3044 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3044 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 3044 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
PID 4144 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe
PID 4144 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe
PID 4144 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe
PID 4312 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4312 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4312 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4312 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4312 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4312 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2496 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4104 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe
PID 4104 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe
PID 4104 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe
PID 4256 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge532209.exe
PID 4256 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge532209.exe
PID 4256 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge532209.exe
PID 4312 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 4312 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 4312 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe

"C:\Users\Admin\AppData\Local\Temp\b80f14534e31a9705dc5f0d203e9838b4795a0977926b7d040dc8f6a42daf4b4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb7ae701b3" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge532209.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge532209.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Network

Country Destination Domain Proto
RU 193.3.19.154:80 193.3.19.154 tcp
US 8.8.8.8:53 154.19.3.193.in-addr.arpa udp
N/A 185.161.248.142:38452 N/A tcp
US 8.8.8.8:53 142.248.161.185.in-addr.arpa udp
N/A 185.161.248.142:38452 N/A tcp
US 20.189.173.2:443 N/A tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki212744.exe

MD5 2fd9aa68544b56c3e3ca59f349c1f9bc
SHA1 7e5c86100808545a738b8e54d04b1ddc58022535
SHA256 87d88ae0acfec206089d3333156ab5c0febfed00995616fbf9d021159c8cc6a3
SHA512 11ea565d3553864a267a099bba6392916c5cf0e061d70bf4b282ee43eb39d4f14c6b0e77dcbfcb7c45f239d4ab788f3487750e3302d8bb7c7fd42a9fa0a9566b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki298702.exe

MD5 109a78aa95e46d400f298e2413266634
SHA1 df07508990d319d7fb2c7b6cd35ea2195675c692
SHA256 1761d720d1c3aec2d47b8abbc248aab422b3d368e4f1861be4e9c77d901faa26
SHA512 c1d1e38feb2a1c4b10bee528ca2c55e8050843e964880d2631449a26162965d4da29b6bb0c4ed521808e320177e4d991dd6dbb2521aef3c655cade68c4bde559

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki007613.exe

MD5 5b5c75a9a5a9eba88436c609dde2c296
SHA1 38e49367ffda431e58cdb89741d820ee413161cb
SHA256 ee5f1d9c7ef5915cd257146919b254d00b258edf0899498fe5c33ac599910e86
SHA512 9884336575dd0f6ca4823483d028c9e2041a76aa179b374a20b2ffdeb2329a414a6976511a9ccb731bf9ba4390b31f17c132fdf5adfe1a2f9783cb35394e97c9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az595124.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu844939.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

MD5 1304f384653e08ae497008ff13498608
SHA1 d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf829870.exe

MD5 a9891aff23463349365d9db34f973f37
SHA1 459b2ad7e1abf10cd47ae094748978a0dfd92676
SHA256 394e802f27b9e9d2d75ba23dcc0ac8526f998a63f9e7eb91937bd443884537cd
SHA512 5c5775b5187cafb78accea2da03a7f3629d7a09785fe2d109598b8c5c1f44a0ab9f442224f80d39df541da4ff4ea276cdf0ced68057e57fc0f04f7e0f6a3f40d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft587575.exe

MD5 f4db6d6fbdaf7cd19acf74730c25e546
SHA1 f58214a69e38ca598b3ad8ceb4cbf19e80287b54
SHA256 2b7c954c60ef04e4695bd70e430b61a529e48c92859076e58c0e9021f6137e94
SHA512 7c3155213724f79c98fb20f77373b4a5f0df9428273871d510fce44d90e96b3b13a5f81386c2c88380937ecfe43a40be2f6030b89745de99f3f2c6ec2923f1f3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge532209.exe

MD5 f61b8d16e770939720b0b9674b5e9567
SHA1 3185e26bcfe268bbfac9b21b2dd9e982d2256e74
SHA256 abd17bff4b80107153789c8fefbe6ff82aafacbf1381195e38a69f6724c6306c
SHA512 db0554e2dba4a1ccf24486a624507a32e86314ca233c04dcd53fce9f8d81be66d742764b1dd6b5069c5c842919c8b3a00fb7cc3f2fb7c5b45331408617b8e911

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 cfe2ef912f30ac9bc36d8686888ca0d3
SHA1 ddbbb63670b2f5bd903dadcff54ff8270825499b
SHA256 675771ae0ef1ba5c7fdde82f950461c2c4487e56b3fc41f5c544b73c8b33f10d
SHA512 5e0f51d137000e42e9cd0a41ab9de5a4c91bda677fce992f7b391ea5f9cb7cfb44c31a990bc6249b9dfed8f346881311c7c56f63fb1ef41ea8f757247cd9b68a

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 cfe2ef912f30ac9bc36d8686888ca0d3
SHA1 ddbbb63670b2f5bd903dadcff54ff8270825499b
SHA256 675771ae0ef1ba5c7fdde82f950461c2c4487e56b3fc41f5c544b73c8b33f10d
SHA512 5e0f51d137000e42e9cd0a41ab9de5a4c91bda677fce992f7b391ea5f9cb7cfb44c31a990bc6249b9dfed8f346881311c7c56f63fb1ef41ea8f757247cd9b68a
