Malware Analysis Report

2025-06-16 03:29

Sample ID 230506-a35lwsfc64
Target 5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee
SHA256 5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee
Tags
amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee

Threat Level: Known bad

The file 5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

AsyncRat

StormKitty payload

StormKitty

Amadey

Async RAT payload

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up geolocation information via web service

Drops desktop.ini file(s)

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-05-06 00:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-06 00:45

Reported

2023-05-06 00:47

Platform

win10v2004-20230220-en

Max time kernel

147s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9273860.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3725335.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3725335.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\e78b785c92f83ca9c9ae2b63ad0dc971\Admin@TPAVZECK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\e78b785c92f83ca9c9ae2b63ad0dc971\Admin@TPAVZECK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\e78b785c92f83ca9c9ae2b63ad0dc971\Admin@TPAVZECK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\e78b785c92f83ca9c9ae2b63ad0dc971\Admin@TPAVZECK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\e78b785c92f83ca9c9ae2b63ad0dc971\Admin@TPAVZECK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\e78b785c92f83ca9c9ae2b63ad0dc971\Admin@TPAVZECK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\e78b785c92f83ca9c9ae2b63ad0dc971\Admin@TPAVZECK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\e78b785c92f83ca9c9ae2b63ad0dc971\Admin@TPAVZECK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3300 set thread context of 4812 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1039321.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1039321.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9273860.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3725335.exe
PID 2520 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3725335.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe
PID 2520 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3725335.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1039321.exe
PID 2028 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9273860.exe
PID 4392 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9273860.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 1852 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1852 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 1852 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 3300 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 3300 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3300 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4812 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 1244 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1244 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1244 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4812 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2100 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee.exe

"C:\Users\Admin\AppData\Local\Temp\5effc80d5f389747bd27654eba317d8287f5f35ee6aaffc434ae24fdca702cee.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3725335.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3725335.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1039321.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1039321.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9273860.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9273860.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe"

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WFVnWbVdsjuyLY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp"

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 251.124.91.77.in-addr.arpa udp
AT 212.113.119.255:80 212.113.119.255 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 255.119.113.212.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 67.55.52.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 104.208.16.90:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 52.242.101.226:443 tcp
NL 84.53.175.11:80 tcp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3725335.exe

MD5 94c8580085493c8cbed3f3e76253ebd3
SHA1 1892b5e51c4f8e5f451f95ee1853eb2acdc0d5c7
SHA256 cee4666d0c94f418b8af9b3d67d29f29ded6d371b281cf566e9984fb50f8470a
SHA512 510c74601a05c2c1d4d7fa76764f300bff04fa865261c7e3a94d8955fed6e4684e73f1b9f015c02f08c959ac9d97b4b8d7e02c40e71ddda6a83bdf303d1ef9c8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3187983.exe

MD5 4de3a9adb965cf6078c83cc7e282672e
SHA1 9a6ed9507a615124286174b032b9cf885a246fb7
SHA256 d169326ceff33fa4be1cff338f69dcfcfd99bb8128ec0a07e13b8a2a1db2795d
SHA512 2e78d02b478550e2bbd7d27a25dcf68c342e2f12d399d826e254db8c160079032de70a4998ad329ec8a0c07f4bf5852311f1360c7a17840e63f3ea5472f8d141

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1039321.exe

MD5 ecedb783463e6e443d9fb2520bb9b47a
SHA1 92201583163af2b35e48b28445489deb8187bf8c
SHA256 06b6537eb9571620a9c20cd414bfcb67a61264b3ca7081873d4ecca14743d553
SHA512 b0bff795c90f26a1202fb7d861e539fd25e7a9f5ccd97fe1c22de92d1d8cb416d28a006cc88b994f461c43e7a8bb9643ae9a7ad3569278b2e08ff658daf6188e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9273860.exe

MD5 36de5f0f6a0dce159621d41b402e3ea7
SHA1 51d3b218699268260ce0d8a4930bfe0c59b519d5
SHA256 81511ab49aa918cdfb411daf5153b5dbd2f2640269d1ca2673a9f3fa15f52e53
SHA512 b1748555dcc12b8c409ff6af691a18d289d5c61ba1cdb74fdc66f1bd6e6fa3302d712f13df872a7bf238b0f0bb242a3a6524dd71b26c06edabfbf0293b0b4a59

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 36de5f0f6a0dce159621d41b402e3ea7
SHA1 51d3b218699268260ce0d8a4930bfe0c59b519d5
SHA256 81511ab49aa918cdfb411daf5153b5dbd2f2640269d1ca2673a9f3fa15f52e53
SHA512 b1748555dcc12b8c409ff6af691a18d289d5c61ba1cdb74fdc66f1bd6e6fa3302d712f13df872a7bf238b0f0bb242a3a6524dd71b26c06edabfbf0293b0b4a59

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73df88d68a4f5e066784d462788cf695
SHA1 e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256 f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp

MD5 2959692d282311823df7b43450be20d6
SHA1 1a498e14779ce4c43aac96a64b132fcdccc265ce
SHA256 08556ab8ea511c917f893bd619dde2ca7b734d8ecab5e6ab40584e4d816121d4
SHA512 67b6eb84b98546891372ea494bec4d252bfc7230df980d928414dfd1eb3521a6ca774a347f9dfd25eecc5d9493df9e2b3d02943accfcb662855d5ca21089309e

memory/4812-264-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ch5FK0QgiAPF0lZ.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/4812-268-0x0000000005080000-0x0000000005090000-memory.dmp

memory/4812-359-0x0000000005080000-0x0000000005090000-memory.dmp

C:\Users\Admin\AppData\Local\e78b785c92f83ca9c9ae2b63ad0dc971\Admin@TPAVZECK_en-US\System\Process.txt

MD5 56abae8a89771cefaf107b6442730b38
SHA1 feab48b2bb8ab60aa046fb4814a9e9201769bf3b
SHA256 8053265abb462052ed7d8dafdd4d4d203736b048cded9eabfc038ad4ae3daeb3
SHA512 ed5128645d7d145075477f930952ef608ce0ae0f70ba51f5e6251d953a2b17719a04822fc29a6f17246b22d79870e6a9166e11f05677b19281dd599da47edeae

memory/4812-409-0x0000000005080000-0x0000000005090000-memory.dmp

memory/4812-412-0x00000000060C0000-0x00000000060CA000-memory.dmp

C:\Users\Admin\AppData\Local\e3ca9dd40c7a905887d80d9a74093fdb\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4812-418-0x0000000006160000-0x0000000006172000-memory.dmp

C:\Users\Admin\AppData\Local\e78b785c92f83ca9c9ae2b63ad0dc971\Admin@TPAVZECK_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/4812-440-0x0000000005080000-0x0000000005090000-memory.dmp

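The Files listing above is a flat export: the same dropped file appears once per process that touched it, memory-dump regions are interleaved with on-disk artifacts, and nothing tells you which hashes are worth pivoting on. The Python below is an added example, not part of the sandbox report or of any tool the report was produced with. It parses this listing format into one record per unique SHA256, rejects digests of the wrong length, splits the memory-dump entries out per PID with their region sizes, and tests small artifacts against candidate contents; the hashes the report gives for msgid.dat are exactly the MD5/SHA1/SHA256/SHA512 of the single byte "0", which the check recovers without any hard-coded digest. SAMPLE is a constructed excerpt copied from the entries above, and every function name is mine.

```python
import hashlib
import re
from collections import defaultdict

# Constructed excerpt of this report's Files listing (entries copied verbatim from above).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

memory/4812-264-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Local\e3ca9dd40c7a905887d80d9a74093fdb\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_section(text):
    """Split the listing into file records (path + digests) and memory-dump regions."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:  # memory/<pid>-<n>-<start>-<end>-memory.dmp
            pid, idx, start, end = m.groups()
            regions.append({"pid": int(pid), "index": int(idx),
                            "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # truncated or garbled digest
                raise ValueError(f"bad {algo} length for {current['path']}")
            current[algo.lower()] = digest
            continue
        current = {"path": line}  # any other non-empty line starts a new file entry
        files.append(current)
    return files, regions


def dedupe_by_sha256(files):
    """One record per unique SHA256; keeps every path it was seen under and a count."""
    uniq = {}
    for f in files:
        key = f.get("sha256")
        if key is None:
            continue
        rec = uniq.setdefault(key, {"paths": [], "seen": 0, "md5": f.get("md5"),
                                    "sha1": f.get("sha1"), "sha256": key,
                                    "sha512": f.get("sha512")})
        rec["seen"] += 1
        if f["path"] not in rec["paths"]:
            rec["paths"].append(f["path"])
    return uniq


def path_hash_conflicts(files):
    """Paths that appear with more than one SHA256 (a file rewritten during the run)."""
    seen = defaultdict(set)
    for f in files:
        if "sha256" in f:
            seen[f["path"]].add(f["sha256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def summarize_regions(regions):
    """Per-PID list of dumped regions with their sizes in bytes."""
    out = defaultdict(list)
    for r in regions:
        out[r["pid"]].append({"start": r["start"], "size": r["end"] - r["start"]})
    return dict(out)


def match_known_content(record, candidates):
    """Return the candidate bytes whose digests all equal the record's, else None."""
    for blob in candidates:
        if all(record.get(a) is None or record[a] == hashlib.new(a, blob).hexdigest()
               for a in ("md5", "sha1", "sha256", "sha512")):
            return blob
    return None


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    for sha, rec in dedupe_by_sha256(files).items():
        content = match_known_content(rec, [b"", b"0", b"1"])
        print(sha, rec["seen"], rec["paths"], "content=" + repr(content) if content else "")
    print(summarize_regions(regions), path_hash_conflicts(files))
```

Run it over the full Files section instead of SAMPLE and the output is the deduplicated IOC set to hand to blocklists, plus the per-PID dump regions; the 0x32000-byte region at 0x400000 in PID 4812 is the image base a hollowed process would expose, which is where the AsyncRAT/StormKitty config extraction starts. The single-byte msgid.dat is worth knowing about before you add its hashes to a blocklist, since a one-character file will match plenty of benign content.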