Malware Analysis Report

2025-06-16 03:29

Sample ID 230506-a5vjpsfc69
Target 25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8
SHA256 25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8
Tags amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8

Threat Level: Known bad

The file 25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8 was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan

StormKitty payload

Modifies Windows Defender Real-time Protection settings

Amadey

StormKitty

AsyncRat

Async RAT payload

Downloads MZ/PE file

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Adds Run key to start application

Checks installed software on the system

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-05-06 00:48

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted 2023-05-06 00:48

Reported 2023-05-06 00:50

Platform win10v2004-20230220-en

Max time kernel 146s

Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Modifies Windows Defender Real-time Protection settings

evasion trojan

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |

StormKitty

stealer stormkitty

StormKitty payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Async RAT payload

rat

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Downloads MZ/PE file

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe | N/A |

Checks installed software on the system

discovery

Drops desktop.ini file(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Local\2987033f707e41b813d6c61aeca1c7f4\Admin@LYVTYGSI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\2987033f707e41b813d6c61aeca1c7f4\Admin@LYVTYGSI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\2987033f707e41b813d6c61aeca1c7f4\Admin@LYVTYGSI_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\2987033f707e41b813d6c61aeca1c7f4\Admin@LYVTYGSI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\2987033f707e41b813d6c61aeca1c7f4\Admin@LYVTYGSI_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\2987033f707e41b813d6c61aeca1c7f4\Admin@LYVTYGSI_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\2987033f707e41b813d6c61aeca1c7f4\Admin@LYVTYGSI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\2987033f707e41b813d6c61aeca1c7f4\Admin@LYVTYGSI_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | icanhazip.com | N/A | N/A |

Looks up geolocation information via web service

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1204 set thread context of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |

Enumerates physical storage devices

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |

Creates scheduled task(s)

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7856640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7856640.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7856640.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2132 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe |
| PID 2132 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe |
| PID 2132 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe |
| PID 1804 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe |
| PID 1804 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe |
| PID 1804 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe |
| PID 1804 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7856640.exe |
| PID 1804 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7856640.exe |
| PID 1804 wrote to memory of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7856640.exe |
| PID 2132 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe |
| PID 2132 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe |
| PID 2132 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe |
| PID 1440 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe |
| PID 1440 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe |
| PID 1440 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe |
| PID 1084 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1084 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1084 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1084 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 1084 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 1084 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 1084 wrote to memory of 984 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1084 wrote to memory of 984 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1084 wrote to memory of 984 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1204 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1204 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1204 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 1204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 1204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 1204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 1204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 1204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 1204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 1204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe |
| PID 4912 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4912 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4912 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3820 wrote to memory of 4436 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com |
| PID 3820 wrote to memory of 4436 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com |
| PID 3820 wrote to memory of 4436 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com |
| PID 3820 wrote to memory of 1596 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3820 wrote to memory of 1596 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3820 wrote to memory of 1596 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3820 wrote to memory of 1712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe |
| PID 3820 wrote to memory of 1712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe |
| PID 3820 wrote to memory of 1712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe |
| PID 4912 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4912 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4912 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4328 wrote to memory of 4356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com |
| PID 4328 wrote to memory of 4356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com |
| PID 4328 wrote to memory of 4356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com |
| PID 4328 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4328 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4328 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe
    Command Line: "C:\Users\Admin\AppData\Local\Temp\25be124a9300b7343fe56574f21f5d06fc71fe66ffc1de579541439a5f3367f8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe
    Command Line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe
    Command Line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7856640.exe
    Command Line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7856640.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe
    Command Line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Command Line: "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe
    Command Line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
    Command Line: "C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe"

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Command Line: C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe
    Command Line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\schtasks.exe
    Command Line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WFVnWbVdsjuyLY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp"

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
    Command Line: "{path}"

C:\Windows\SysWOW64\cmd.exe
    Command Line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com
    Command Line: chcp 65001

C:\Windows\SysWOW64\netsh.exe
    Command Line: netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe
    Command Line: findstr All

C:\Windows\SysWOW64\cmd.exe
    Command Line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com
    Command Line: chcp 65001

C:\Windows\SysWOW64\netsh.exe
    Command Line: netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Command Line: C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 52.242.101.226:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.220.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.17.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| FI | 77.91.124.251:19069 | | tcp |
| US | 8.8.8.8:53 | 251.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.238.32.23.in-addr.arpa | udp |
| AT | 212.113.119.255:80 | 212.113.119.255 | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 255.119.113.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.55.52.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.89.178.27:443 | | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 97.115.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe

MD5 618d1aea0fc4ef07f1fd2049d41dc9f6
SHA1 0e2a435ec968e53019008d7269beaedfa2f8ac7f
SHA256 5b95cf7c18737a8e331c3285995b5907d5d4e33051799f4e56db2c64ae16dec6
SHA512 044784721401d300ebd8eeaa81c5751cb36d69beaf5b0b31b8b1731f3abe836c826bdf18a346ddebbd3fd2bcd3810b2ee58474a0a61b293f073469320baf27bd

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8843379.exe

MD5 618d1aea0fc4ef07f1fd2049d41dc9f6
SHA1 0e2a435ec968e53019008d7269beaedfa2f8ac7f
SHA256 5b95cf7c18737a8e331c3285995b5907d5d4e33051799f4e56db2c64ae16dec6
SHA512 044784721401d300ebd8eeaa81c5751cb36d69beaf5b0b31b8b1731f3abe836c826bdf18a346ddebbd3fd2bcd3810b2ee58474a0a61b293f073469320baf27bd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe

MD5 063dac39cbae704d76b505f4072a5efd
SHA1 1e66678519f1c07cd0384f6d9da2d1acaaf28828
SHA256 511ee7420ec949a652bf9a7c4973053ca6a5e582ad0aa271798379cba9571453
SHA512 ee3eddbf25d5365eb36ef3f2834674bfe0328f32f06601fc30869ba13f013062cb60ced0860a8549eafd97c2299ddbf02289f9338ff5db4bced514a46b119e9c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6999686.exe

MD5 063dac39cbae704d76b505f4072a5efd
SHA1 1e66678519f1c07cd0384f6d9da2d1acaaf28828
SHA256 511ee7420ec949a652bf9a7c4973053ca6a5e582ad0aa271798379cba9571453
SHA512 ee3eddbf25d5365eb36ef3f2834674bfe0328f32f06601fc30869ba13f013062cb60ced0860a8549eafd97c2299ddbf02289f9338ff5db4bced514a46b119e9c

memory/3024-147-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/3024-148-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/3024-149-0x0000000004C30000-0x00000000051D4000-memory.dmp

memory/3024-150-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-151-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-153-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-155-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-157-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-159-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-161-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-163-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-165-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-169-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-167-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-171-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-173-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-175-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-177-0x00000000025A0000-0x00000000025B2000-memory.dmp

memory/3024-178-0x0000000004C20000-0x0000000004C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7856640.exe

MD5 7e61a7a5b909be4d10e7877436cd4599
SHA1 b49064bc6796251eafe530954203685cb9715205
SHA256 40a38f8609f70b97ac9c671c13c14842959e450e353e03007b99c9e885b4bca2
SHA512 3646fdc0a7b936a995a69a0a81eaa39269a564fb6bf27aee04a03eb58bf5d540bbda07c4fe6a917a91d4908647fb7605931d989cca4ede6ebc7b23c02bc0cd02

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7856640.exe

MD5 7e61a7a5b909be4d10e7877436cd4599
SHA1 b49064bc6796251eafe530954203685cb9715205
SHA256 40a38f8609f70b97ac9c671c13c14842959e450e353e03007b99c9e885b4bca2
SHA512 3646fdc0a7b936a995a69a0a81eaa39269a564fb6bf27aee04a03eb58bf5d540bbda07c4fe6a917a91d4908647fb7605931d989cca4ede6ebc7b23c02bc0cd02

memory/5064-183-0x00000000001D0000-0x00000000001F8000-memory.dmp

memory/5064-184-0x0000000007480000-0x0000000007A98000-memory.dmp

memory/5064-185-0x0000000006F00000-0x0000000006F12000-memory.dmp

memory/5064-186-0x0000000007030000-0x000000000713A000-memory.dmp

memory/5064-187-0x0000000006F60000-0x0000000006F9C000-memory.dmp

memory/5064-188-0x0000000007330000-0x0000000007340000-memory.dmp

memory/5064-189-0x0000000007290000-0x00000000072F6000-memory.dmp

memory/5064-190-0x0000000007E80000-0x0000000007F12000-memory.dmp

memory/5064-191-0x0000000007E30000-0x0000000007E80000-memory.dmp

memory/5064-192-0x0000000007FA0000-0x0000000008016000-memory.dmp

memory/5064-193-0x0000000008AD0000-0x0000000008C92000-memory.dmp

memory/5064-194-0x00000000091D0000-0x00000000096FC000-memory.dmp

memory/5064-195-0x0000000008210000-0x000000000822E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe

MD5 75bcc199848c396bc83506047accc8c6
SHA1 f53a842c83ae2b1a446f3c68185a3108ca6a8cd8
SHA256 afbf39f31db62e4ac72a7a66a53818a343799a02c24a019edd452ca161d7f5fd
SHA512 e181b254c5064f15c3da3566c765b921ac78b6cccccb4ce15e54ad205777225c02ec4fb4db13ec68882a067b18f1d84f792743773c8d7f55bd196a9432487545

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3712807.exe

MD5 75bcc199848c396bc83506047accc8c6
SHA1 f53a842c83ae2b1a446f3c68185a3108ca6a8cd8
SHA256 afbf39f31db62e4ac72a7a66a53818a343799a02c24a019edd452ca161d7f5fd
SHA512 e181b254c5064f15c3da3566c765b921ac78b6cccccb4ce15e54ad205777225c02ec4fb4db13ec68882a067b18f1d84f792743773c8d7f55bd196a9432487545

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 75bcc199848c396bc83506047accc8c6
SHA1 f53a842c83ae2b1a446f3c68185a3108ca6a8cd8
SHA256 afbf39f31db62e4ac72a7a66a53818a343799a02c24a019edd452ca161d7f5fd
SHA512 e181b254c5064f15c3da3566c765b921ac78b6cccccb4ce15e54ad205777225c02ec4fb4db13ec68882a067b18f1d84f792743773c8d7f55bd196a9432487545

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 75bcc199848c396bc83506047accc8c6
SHA1 f53a842c83ae2b1a446f3c68185a3108ca6a8cd8
SHA256 afbf39f31db62e4ac72a7a66a53818a343799a02c24a019edd452ca161d7f5fd
SHA512 e181b254c5064f15c3da3566c765b921ac78b6cccccb4ce15e54ad205777225c02ec4fb4db13ec68882a067b18f1d84f792743773c8d7f55bd196a9432487545

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 75bcc199848c396bc83506047accc8c6
SHA1 f53a842c83ae2b1a446f3c68185a3108ca6a8cd8
SHA256 afbf39f31db62e4ac72a7a66a53818a343799a02c24a019edd452ca161d7f5fd
SHA512 e181b254c5064f15c3da3566c765b921ac78b6cccccb4ce15e54ad205777225c02ec4fb4db13ec68882a067b18f1d84f792743773c8d7f55bd196a9432487545

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

memory/1204-234-0x0000000000430000-0x00000000004E8000-memory.dmp

memory/1204-235-0x0000000004E40000-0x0000000004EDC000-memory.dmp

memory/1204-236-0x0000000002770000-0x000000000277A000-memory.dmp

memory/1204-237-0x0000000004EE0000-0x0000000004F36000-memory.dmp

memory/1204-238-0x0000000005110000-0x0000000005120000-memory.dmp

memory/1204-239-0x0000000005110000-0x0000000005120000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 75bcc199848c396bc83506047accc8c6
SHA1 f53a842c83ae2b1a446f3c68185a3108ca6a8cd8
SHA256 afbf39f31db62e4ac72a7a66a53818a343799a02c24a019edd452ca161d7f5fd
SHA512 e181b254c5064f15c3da3566c765b921ac78b6cccccb4ce15e54ad205777225c02ec4fb4db13ec68882a067b18f1d84f792743773c8d7f55bd196a9432487545

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73df88d68a4f5e066784d462788cf695
SHA1 e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256 f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73df88d68a4f5e066784d462788cf695
SHA1 e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256 f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73df88d68a4f5e066784d462788cf695
SHA1 e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256 f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp

MD5 5060e3260042ee08489398b1b4b9e309
SHA1 03d408ce3c6d6139fe8c9c8cddfc3a9b6af86b25
SHA256 915343ec28cad26ac22fd50cc449dcaac1cf33d871abe177e4b70f18a68d54e6
SHA512 8ea0be270d4f4a239016586afaa4e68240b0439c3b7778f4c255ef9eecda1e26c5e076dc65d5710d41bb511d16fdcfaf1949b4749b54f183e8ac872c774b1d39

memory/4912-263-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ch5FK0QgiAPF0lZ.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/4912-267-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/4912-365-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

C:\Users\Admin\AppData\Local\2987033f707e41b813d6c61aeca1c7f4\Admin@LYVTYGSI_en-US\System\Process.txt

MD5 4a3052cd49a3f3a2a6267a4d20aaaca3
SHA1 c47b73357c9e99d3c04b04b24c18ac6a516a3f18
SHA256 6ec03eaf3193cbc41064ded9fca8c9a2a617428d293b66be2893dea15af4a1a5
SHA512 a0b34ecbc1d1e35df409fa63a1816e9f323fe1bcf1a0953dfeb3911a078e224ed4fd08dd900932636b41638c1d8482ddc9a906d3329d423f1cb782ce022bf49f

memory/4912-408-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/4912-411-0x0000000005FD0000-0x0000000005FDA000-memory.dmp

C:\Users\Admin\AppData\Local\16ceea5716a40a05a45dfdaa8def4660\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4912-417-0x0000000006060000-0x0000000006072000-memory.dmp

memory/4912-439-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 75bcc199848c396bc83506047accc8c6
SHA1 f53a842c83ae2b1a446f3c68185a3108ca6a8cd8
SHA256 afbf39f31db62e4ac72a7a66a53818a343799a02c24a019edd452ca161d7f5fd
SHA512 e181b254c5064f15c3da3566c765b921ac78b6cccccb4ce15e54ad205777225c02ec4fb4db13ec68882a067b18f1d84f792743773c8d7f55bd196a9432487545