Malware Analysis Report

2025-06-16 03:29

Sample ID 230506-bads5sfc77
Target b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4
SHA256 b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4
Tags
amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4

Threat Level: Known bad

The file b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4 was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan

Amadey

StormKitty

Modifies Windows Defender Real-time Protection settings

AsyncRat

StormKitty payload

Async RAT payload

Downloads MZ/PE file

Executes dropped EXE

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Drops desktop.ini file(s)

Looks up geolocation information via web service

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-06 00:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-06 00:56

Reported

2023-05-06 00:58

Platform

win10v2004-20230220-en

Max time kernel

145s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\14ab0279b31b7a66497a88a5bd6ae164\Admin@HCIDPJOT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\14ab0279b31b7a66497a88a5bd6ae164\Admin@HCIDPJOT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\14ab0279b31b7a66497a88a5bd6ae164\Admin@HCIDPJOT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\14ab0279b31b7a66497a88a5bd6ae164\Admin@HCIDPJOT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\14ab0279b31b7a66497a88a5bd6ae164\Admin@HCIDPJOT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\14ab0279b31b7a66497a88a5bd6ae164\Admin@HCIDPJOT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\14ab0279b31b7a66497a88a5bd6ae164\Admin@HCIDPJOT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4516 set thread context of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1301651.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1301651.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1301651.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4732 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe
PID 4732 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe
PID 4732 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe
PID 1464 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe
PID 1464 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe
PID 1464 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe
PID 1464 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1301651.exe
PID 1464 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1301651.exe
PID 1464 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1301651.exe
PID 4732 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe
PID 4732 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe
PID 4732 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe
PID 4656 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 4656 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 4656 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 628 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 628 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 628 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 628 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 628 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 628 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 628 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 628 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 628 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 4516 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 4516 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 4516 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 4516 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4516 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4516 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4516 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4516 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4516 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4516 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4516 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4108 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 3480 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3480 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3480 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3480 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3480 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3480 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3480 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3480 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3480 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4108 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4108 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4068 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4068 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4068 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4068 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4068 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe

"C:\Users\Admin\AppData\Local\Temp\b8c6f0c2f040d1d8d942d29b20553136b65058e0c6c11c650ac47d0e997caea4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1301651.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1301651.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe"

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WFVnWbVdsjuyLY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C9E.tmp"

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 251.124.91.77.in-addr.arpa udp
AT 212.113.119.255:80 212.113.119.255 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 255.119.113.212.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 67.55.52.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe

MD5 59a621658d6dee24cca496d73169f05a
SHA1 12ed8ce8fbf69175e2450b06862a7195d9ee16c8
SHA256 46156cc03f1dbd6a30b71e8baa1705a504e5b90b2abaa29dd6007bd17781d3c8
SHA512 95d64e9f5ee79f1133c6bceb09719134d545a6869d96615c51b5d3ae29b082fbcd06593222117b0f10a4f287a74285d0e949c14604e3cf46c2f394150115ce1c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6711694.exe

MD5 59a621658d6dee24cca496d73169f05a
SHA1 12ed8ce8fbf69175e2450b06862a7195d9ee16c8
SHA256 46156cc03f1dbd6a30b71e8baa1705a504e5b90b2abaa29dd6007bd17781d3c8
SHA512 95d64e9f5ee79f1133c6bceb09719134d545a6869d96615c51b5d3ae29b082fbcd06593222117b0f10a4f287a74285d0e949c14604e3cf46c2f394150115ce1c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe

MD5 8fcb817bf8a93759b8d88d25a82ca15d
SHA1 457ba843c9d993cec696016ac4272f3c06cc6760
SHA256 804b5edc8b9d56adf8aab870b3704284bf668b86f6118454964914a126473a68
SHA512 dd135e4c8c65dcc76b6c89a18fd89743f581943b53aacf864fe43ca8cc422a8be22bff3197ed2feb8d00c3e8271f73ec71e94cfb85ab5095f49e2b9ec9dc26c8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0462063.exe

MD5 8fcb817bf8a93759b8d88d25a82ca15d
SHA1 457ba843c9d993cec696016ac4272f3c06cc6760
SHA256 804b5edc8b9d56adf8aab870b3704284bf668b86f6118454964914a126473a68
SHA512 dd135e4c8c65dcc76b6c89a18fd89743f581943b53aacf864fe43ca8cc422a8be22bff3197ed2feb8d00c3e8271f73ec71e94cfb85ab5095f49e2b9ec9dc26c8

memory/1676-149-0x0000000004C40000-0x00000000051E4000-memory.dmp

memory/1676-150-0x0000000004C30000-0x0000000004C40000-memory.dmp

memory/1676-148-0x0000000004C30000-0x0000000004C40000-memory.dmp

memory/1676-147-0x0000000004C30000-0x0000000004C40000-memory.dmp

memory/1676-151-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-152-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-154-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-156-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-158-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-160-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-162-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-164-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-166-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-168-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-170-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-172-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-174-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-176-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-178-0x0000000002450000-0x0000000002462000-memory.dmp

memory/1676-179-0x0000000004C30000-0x0000000004C40000-memory.dmp

memory/1676-180-0x0000000004C30000-0x0000000004C40000-memory.dmp

memory/1676-181-0x0000000004C30000-0x0000000004C40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1301651.exe

MD5 8c7f7239d10233ebc79822663c787412
SHA1 10c65e04dc7e1fbf0c4efbcde4553df77743cb4f
SHA256 530b1eaf78b1b3cd6af0f5b85168b3226d882658c115466bca53bc86cd351401
SHA512 419a383e06585528ae81f36f828a9b80528be53627f63403d9c628e566507feb98081d1ba1688cb7adc467b6658bc0834fdc6d9f6167a1bdc0fc49f7b80490ea

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1301651.exe

MD5 8c7f7239d10233ebc79822663c787412
SHA1 10c65e04dc7e1fbf0c4efbcde4553df77743cb4f
SHA256 530b1eaf78b1b3cd6af0f5b85168b3226d882658c115466bca53bc86cd351401
SHA512 419a383e06585528ae81f36f828a9b80528be53627f63403d9c628e566507feb98081d1ba1688cb7adc467b6658bc0834fdc6d9f6167a1bdc0fc49f7b80490ea

memory/1436-186-0x0000000000D80000-0x0000000000DA8000-memory.dmp

memory/1436-187-0x0000000008040000-0x0000000008658000-memory.dmp

memory/1436-188-0x0000000007AB0000-0x0000000007AC2000-memory.dmp

memory/1436-189-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

memory/1436-190-0x0000000007B10000-0x0000000007B4C000-memory.dmp

memory/1436-191-0x0000000007B50000-0x0000000007B60000-memory.dmp

memory/1436-192-0x0000000007E50000-0x0000000007EB6000-memory.dmp

memory/1436-193-0x0000000008A00000-0x0000000008A92000-memory.dmp

memory/1436-194-0x0000000008B20000-0x0000000008B96000-memory.dmp

memory/1436-195-0x0000000008DD0000-0x0000000008F92000-memory.dmp

memory/1436-196-0x0000000009B30000-0x000000000A05C000-memory.dmp

memory/1436-197-0x0000000008C80000-0x0000000008C9E000-memory.dmp

memory/1436-198-0x0000000008CD0000-0x0000000008D20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe

MD5 b52504e695fa9c607dada8985fdf0cf6
SHA1 55726a70e2a1605acd68ba3d6654250f79f0339d
SHA256 155ae987750a818da4946c0d3e942d650940db113a5b96edcc32969d224bb811
SHA512 984f635e340473d067b71b87156162a131c6ed0e6c29005b9a2ba758a1f7cae7a9966b4cedeea4118adb0a16aa21e1848c2bc2106e08f16a6fb0a81f4500b8dd

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3253564.exe

MD5 b52504e695fa9c607dada8985fdf0cf6
SHA1 55726a70e2a1605acd68ba3d6654250f79f0339d
SHA256 155ae987750a818da4946c0d3e942d650940db113a5b96edcc32969d224bb811
SHA512 984f635e340473d067b71b87156162a131c6ed0e6c29005b9a2ba758a1f7cae7a9966b4cedeea4118adb0a16aa21e1848c2bc2106e08f16a6fb0a81f4500b8dd

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 b52504e695fa9c607dada8985fdf0cf6
SHA1 55726a70e2a1605acd68ba3d6654250f79f0339d
SHA256 155ae987750a818da4946c0d3e942d650940db113a5b96edcc32969d224bb811
SHA512 984f635e340473d067b71b87156162a131c6ed0e6c29005b9a2ba758a1f7cae7a9966b4cedeea4118adb0a16aa21e1848c2bc2106e08f16a6fb0a81f4500b8dd

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 b52504e695fa9c607dada8985fdf0cf6
SHA1 55726a70e2a1605acd68ba3d6654250f79f0339d
SHA256 155ae987750a818da4946c0d3e942d650940db113a5b96edcc32969d224bb811
SHA512 984f635e340473d067b71b87156162a131c6ed0e6c29005b9a2ba758a1f7cae7a9966b4cedeea4118adb0a16aa21e1848c2bc2106e08f16a6fb0a81f4500b8dd

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 b52504e695fa9c607dada8985fdf0cf6
SHA1 55726a70e2a1605acd68ba3d6654250f79f0339d
SHA256 155ae987750a818da4946c0d3e942d650940db113a5b96edcc32969d224bb811
SHA512 984f635e340473d067b71b87156162a131c6ed0e6c29005b9a2ba758a1f7cae7a9966b4cedeea4118adb0a16aa21e1848c2bc2106e08f16a6fb0a81f4500b8dd

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

memory/4516-237-0x0000000000140000-0x00000000001F8000-memory.dmp

memory/4516-238-0x0000000004A60000-0x0000000004AFC000-memory.dmp

memory/4516-239-0x0000000004B10000-0x0000000004B1A000-memory.dmp

memory/4516-240-0x0000000004C70000-0x0000000004CC6000-memory.dmp

memory/4516-241-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/4516-242-0x0000000004D30000-0x0000000004D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 b52504e695fa9c607dada8985fdf0cf6
SHA1 55726a70e2a1605acd68ba3d6654250f79f0339d
SHA256 155ae987750a818da4946c0d3e942d650940db113a5b96edcc32969d224bb811
SHA512 984f635e340473d067b71b87156162a131c6ed0e6c29005b9a2ba758a1f7cae7a9966b4cedeea4118adb0a16aa21e1848c2bc2106e08f16a6fb0a81f4500b8dd

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73df88d68a4f5e066784d462788cf695
SHA1 e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256 f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73df88d68a4f5e066784d462788cf695
SHA1 e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256 f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73df88d68a4f5e066784d462788cf695
SHA1 e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256 f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

C:\Users\Admin\AppData\Local\Temp\tmp9C9E.tmp

MD5 9784f9fde28cd404a2243325ceddad0a
SHA1 75f60bc82b0bf895dca08d7f530cbaec99feb557
SHA256 167fce7354eba29d790111ec507ef454028b2c3c8f41f048167417145ce3e428
SHA512 d92ce81ec6eec59918c63ad60f61c35e804b971c8f3e3b650bb7cb7d5d8db4445643ea799318b4fe3b317a857d718efc67c46bfc805cb1a0a1706974053f394a

memory/4108-266-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ch5FK0QgiAPF0lZ.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/4108-270-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/4108-375-0x0000000004E40000-0x0000000004E50000-memory.dmp

C:\Users\Admin\AppData\Local\14ab0279b31b7a66497a88a5bd6ae164\Admin@HCIDPJOT_en-US\System\Process.txt

MD5 e04a5198bceb453bd0e56c9fa1018f8e
SHA1 140190a5a65af7eb54f236339db7119211c18ab6
SHA256 361cb81a5b04698052ac798439e6d5fc3e072e23c725129c1c0160dffe2da73e
SHA512 a859d669778e5c69e724539504b38aa2122bbcc18bb65d331e94b844e0ab0c458e919f22185e8155f6a9f54063f58c44ea71445ceab46b91bfbfb88e0f27c6c1

memory/4108-412-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/4108-415-0x0000000005ED0000-0x0000000005EDA000-memory.dmp

C:\Users\Admin\AppData\Local\bb334f632946e564db10aa98f4663955\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4108-421-0x0000000006D80000-0x0000000006D92000-memory.dmp

memory/4108-443-0x0000000004E40000-0x0000000004E50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 b52504e695fa9c607dada8985fdf0cf6
SHA1 55726a70e2a1605acd68ba3d6654250f79f0339d
SHA256 155ae987750a818da4946c0d3e942d650940db113a5b96edcc32969d224bb811
SHA512 984f635e340473d067b71b87156162a131c6ed0e6c29005b9a2ba758a1f7cae7a9966b4cedeea4118adb0a16aa21e1848c2bc2106e08f16a6fb0a81f4500b8dd