Malware Analysis Report

2025-06-16 03:30

Sample ID 230506-bf9g1ahe8t
Target 882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a
SHA256 882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a
Tags amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a

Threat Level: Known bad

The file 882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

AsyncRat

Amadey

StormKitty

StormKitty payload

Async RAT payload

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Executes dropped EXE

Loads dropped DLL

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Checks installed software on the system

Drops desktop.ini file(s)

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-06 01:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-06 01:06

Reported

2023-05-06 01:08

Platform

win10v2004-20230220-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Async RAT payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe | N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File created | C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File created | C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File created | C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File created | C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File created | C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4236 set thread context of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8290872.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8290872.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8290872.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3372 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe
PID 3372 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe
PID 3372 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe
PID 3464 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe
PID 3464 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe
PID 3464 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe
PID 3464 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8290872.exe
PID 3464 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8290872.exe
PID 3464 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8290872.exe
PID 3372 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe
PID 3372 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe
PID 3372 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe
PID 2900 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 2900 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 2900 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 636 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 636 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 636 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 636 wrote to memory of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 636 wrote to memory of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 636 wrote to memory of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 636 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\rundll32.exe
PID 636 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\rundll32.exe
PID 636 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4236 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4236 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4236 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4236 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4236 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4236 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4236 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4236 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4236 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4236 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4236 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4672 wrote to memory of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 3728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4056 wrote to memory of 3728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4056 wrote to memory of 3728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4056 wrote to memory of 3984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4056 wrote to memory of 3984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4056 wrote to memory of 3984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4056 wrote to memory of 2156 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4056 wrote to memory of 2156 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4056 wrote to memory of 2156 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4672 wrote to memory of 3896 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 3896 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 3896 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3896 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3896 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3896 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 3896 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 3896 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe

"C:\Users\Admin\AppData\Local\Temp\882d69f0657d7d392b1f93ab593e298c24a48fdbba0e717f03a82a982448b30a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8290872.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8290872.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe"

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WFVnWbVdsjuyLY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3BD.tmp"

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
FI | 77.91.124.251:19069 | | tcp
US | 8.8.8.8:53 | 251.124.91.77.in-addr.arpa | udp
AT | 212.113.119.255:80 | 212.113.119.255 | tcp
US | 8.8.8.8:53 | transfer.sh | udp
DE | 144.76.136.153:443 | transfer.sh | tcp
US | 8.8.8.8:53 | 255.119.113.212.in-addr.arpa | udp
US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.55.52.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp
US | 40.125.122.176:443 | | tcp
US | 20.189.173.12:443 | | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 40.125.122.176:443 | | tcp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
NL | 8.238.20.126:80 | | tcp
US | 93.184.220.29:80 | | tcp
NL | 8.238.20.126:80 | | tcp
US | 40.125.122.176:443 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 8.8.8.8:53 | icanhazip.com | udp
US | 104.18.114.97:80 | icanhazip.com | tcp
US | 8.8.8.8:53 | api.mylnikov.org | udp
US | 172.67.196.114:443 | api.mylnikov.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.68.143:443 | pastebin.com | tcp
N/A | 127.0.0.1:8808 | | tcp
US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp
N/A | 127.0.0.1:6606 | | tcp
US | 40.125.122.176:443 | | tcp
N/A | 127.0.0.1:8808 | | tcp
N/A | 127.0.0.1:8808 | | tcp
N/A | 127.0.0.1:7707 | | tcp
US | 40.125.122.176:443 | | tcp
N/A | 127.0.0.1:8808 | | tcp
N/A | 127.0.0.1:7707 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe

MD5 2b461e1113f975647c89a6c60d16075a
SHA1 42f14f2fd0b093d24b1f8dc1004bbd286d7c9fe2
SHA256 1a8a50597c5edcf5dfea022bb053746bb8a62d5e33245b2d43ab4377d5b81086
SHA512 0024e7ba934e618b1f314ba401fc55172bdb7b844ab4f67b29e29497044452f58e49b5df573c4e7dd056c520724893eccc9f9674229e1c631d9d671a724a33a0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6003266.exe

MD5 2b461e1113f975647c89a6c60d16075a
SHA1 42f14f2fd0b093d24b1f8dc1004bbd286d7c9fe2
SHA256 1a8a50597c5edcf5dfea022bb053746bb8a62d5e33245b2d43ab4377d5b81086
SHA512 0024e7ba934e618b1f314ba401fc55172bdb7b844ab4f67b29e29497044452f58e49b5df573c4e7dd056c520724893eccc9f9674229e1c631d9d671a724a33a0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe

MD5 3a14f272668e1fc8c7fe963816095aa7
SHA1 d7855c60be6acb28b842319e135af3bd44681595
SHA256 216850e014c61ea8de3ca808dfc936661b3ecccfad72fe5d8f614817db0b2c75
SHA512 060a5989574ee5568841e238c620ec324f0343a44d0e5fed89dd38d7af37901bc8c4dfe3a635f60089e3126c00126c478860f60b7042eba1f1f6b99d9f277b9e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9027372.exe

MD5 3a14f272668e1fc8c7fe963816095aa7
SHA1 d7855c60be6acb28b842319e135af3bd44681595
SHA256 216850e014c61ea8de3ca808dfc936661b3ecccfad72fe5d8f614817db0b2c75
SHA512 060a5989574ee5568841e238c620ec324f0343a44d0e5fed89dd38d7af37901bc8c4dfe3a635f60089e3126c00126c478860f60b7042eba1f1f6b99d9f277b9e

memory/876-147-0x0000000002610000-0x0000000002620000-memory.dmp

memory/876-148-0x0000000004A70000-0x0000000005014000-memory.dmp

memory/876-149-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-150-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-152-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-154-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-156-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-158-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-160-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-162-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-164-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-166-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-168-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-170-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-172-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-174-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-176-0x0000000002400000-0x0000000002412000-memory.dmp

memory/876-177-0x0000000002610000-0x0000000002620000-memory.dmp

memory/876-178-0x0000000002610000-0x0000000002620000-memory.dmp

memory/876-179-0x0000000002610000-0x0000000002620000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8290872.exe

MD5 5b6cc39fcd7078581f673b335d8689c1
SHA1 f48d7252de0bf11ec0f4b3e557fbcd5acc64321c
SHA256 103a440c891e8809e8e12b7e51569d7863fe987ef350e8fdf9885b894e5ce352
SHA512 bed8ce4829a35b0cec533a0324c0d1ff897f9fb7161fe430e006d0156ac405ed18ebf1df4adf9f4ec7a3245877432f57618512a4fbd8722cd943dcf748f09a9f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8290872.exe

MD5 5b6cc39fcd7078581f673b335d8689c1
SHA1 f48d7252de0bf11ec0f4b3e557fbcd5acc64321c
SHA256 103a440c891e8809e8e12b7e51569d7863fe987ef350e8fdf9885b894e5ce352
SHA512 bed8ce4829a35b0cec533a0324c0d1ff897f9fb7161fe430e006d0156ac405ed18ebf1df4adf9f4ec7a3245877432f57618512a4fbd8722cd943dcf748f09a9f

memory/1540-184-0x0000000000320000-0x0000000000348000-memory.dmp

memory/1540-185-0x00000000075A0000-0x0000000007BB8000-memory.dmp

memory/1540-186-0x0000000007030000-0x0000000007042000-memory.dmp

memory/1540-187-0x0000000007160000-0x000000000726A000-memory.dmp

memory/1540-188-0x0000000007090000-0x00000000070CC000-memory.dmp

memory/1540-189-0x0000000007110000-0x0000000007120000-memory.dmp

memory/1540-190-0x00000000073F0000-0x0000000007456000-memory.dmp

memory/1540-191-0x0000000007F60000-0x0000000007FF2000-memory.dmp

memory/1540-192-0x0000000008050000-0x00000000080A0000-memory.dmp

memory/1540-193-0x0000000008120000-0x0000000008196000-memory.dmp

memory/1540-194-0x0000000008380000-0x0000000008542000-memory.dmp

memory/1540-195-0x0000000009090000-0x00000000095BC000-memory.dmp

memory/1540-196-0x0000000008280000-0x000000000829E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe

MD5 64169d8880995092d398867463e8bc21
SHA1 140e080d61a8b79f864155e99a01c5c9c8e5bdde
SHA256 560aa7adb332005784e420c3b8b766e841658cb7c919b0c1c1202b87b3e5e390
SHA512 4a4848e777aaea2cae2b97daa7837cacceef48f9689dd84b2cdec0018655058bd55986e40e8e4c1416600511226466ee0e4d8c46f2ab1dc15baf27b68c87339b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7096839.exe

MD5 64169d8880995092d398867463e8bc21
SHA1 140e080d61a8b79f864155e99a01c5c9c8e5bdde
SHA256 560aa7adb332005784e420c3b8b766e841658cb7c919b0c1c1202b87b3e5e390
SHA512 4a4848e777aaea2cae2b97daa7837cacceef48f9689dd84b2cdec0018655058bd55986e40e8e4c1416600511226466ee0e4d8c46f2ab1dc15baf27b68c87339b

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 64169d8880995092d398867463e8bc21
SHA1 140e080d61a8b79f864155e99a01c5c9c8e5bdde
SHA256 560aa7adb332005784e420c3b8b766e841658cb7c919b0c1c1202b87b3e5e390
SHA512 4a4848e777aaea2cae2b97daa7837cacceef48f9689dd84b2cdec0018655058bd55986e40e8e4c1416600511226466ee0e4d8c46f2ab1dc15baf27b68c87339b

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 64169d8880995092d398867463e8bc21
SHA1 140e080d61a8b79f864155e99a01c5c9c8e5bdde
SHA256 560aa7adb332005784e420c3b8b766e841658cb7c919b0c1c1202b87b3e5e390
SHA512 4a4848e777aaea2cae2b97daa7837cacceef48f9689dd84b2cdec0018655058bd55986e40e8e4c1416600511226466ee0e4d8c46f2ab1dc15baf27b68c87339b

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 64169d8880995092d398867463e8bc21
SHA1 140e080d61a8b79f864155e99a01c5c9c8e5bdde
SHA256 560aa7adb332005784e420c3b8b766e841658cb7c919b0c1c1202b87b3e5e390
SHA512 4a4848e777aaea2cae2b97daa7837cacceef48f9689dd84b2cdec0018655058bd55986e40e8e4c1416600511226466ee0e4d8c46f2ab1dc15baf27b68c87339b

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

memory/4236-235-0x0000000000910000-0x00000000009C8000-memory.dmp

memory/4236-236-0x0000000005250000-0x00000000052EC000-memory.dmp

memory/4236-237-0x00000000052F0000-0x00000000052FA000-memory.dmp

memory/4236-238-0x0000000005430000-0x0000000005486000-memory.dmp

memory/4236-239-0x0000000005570000-0x0000000005580000-memory.dmp

memory/4236-240-0x0000000005570000-0x0000000005580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 64169d8880995092d398867463e8bc21
SHA1 140e080d61a8b79f864155e99a01c5c9c8e5bdde
SHA256 560aa7adb332005784e420c3b8b766e841658cb7c919b0c1c1202b87b3e5e390
SHA512 4a4848e777aaea2cae2b97daa7837cacceef48f9689dd84b2cdec0018655058bd55986e40e8e4c1416600511226466ee0e4d8c46f2ab1dc15baf27b68c87339b

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73df88d68a4f5e066784d462788cf695
SHA1 e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256 f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

C:\Users\Admin\AppData\Local\Temp\tmpC3BD.tmp

MD5 06663a594a7660711434968e7929eb34
SHA1 e4ac2d885b5b810e004cec7fe3f0cc5dd3a95db5
SHA256 6e53a1a613e93bfe67631c2e20f05a91fb4d2cc1d9c86c12355e479b4fae3bbc
SHA512 9c002058228d6003362d58f7306c6fd24650291435ecc64291114d1d3a6f818a7ad003c2bdf20742ee71a783da357de5221237bac906d5ae68fb9a39f5f71f4b

memory/4672-264-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ch5FK0QgiAPF0lZ.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/4672-268-0x0000000003060000-0x0000000003070000-memory.dmp

memory/4672-337-0x0000000003060000-0x0000000003070000-memory.dmp

C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\System\Process.txt

MD5 5b1b10c3b3a77658990df4a58c8d0d6e
SHA1 59b877b6a2dce34944f729239073fead7e736525
SHA256 0c3a2a062c976c5bec681b70331a581f93580ebfd3e116e352fdc908e05fcccc
SHA512 c7a49cf9a9ebafd623b045a8c3c6b05a84695255120965ab4334b58d026777cc3fd81f2b59e8ae01d1cad77172bffe26165fc68b3a5458efc0b80fd7b3a60ef9

memory/4672-411-0x0000000003060000-0x0000000003070000-memory.dmp

memory/4672-416-0x00000000068C0000-0x00000000068CA000-memory.dmp

C:\Users\Admin\AppData\Local\60b016ba50962dbf3c718c602d1bed76\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4672-422-0x0000000007560000-0x0000000007572000-memory.dmp

C:\Users\Admin\AppData\Local\cae88fc88dee08cfb9eeb06aa19a5609\Admin@TLGENAJY_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/4672-444-0x0000000003060000-0x0000000003070000-memory.dmp