Malware Analysis Report

2025-06-16 03:30

Sample ID 230506-bkkz7she9z
Target b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e
SHA256 b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e
Tags
amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e

Threat Level: Known bad

The file b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan

StormKitty payload

Amadey

Modifies Windows Defender Real-time Protection settings

AsyncRat

StormKitty

Async RAT payload

Downloads MZ/PE file

Executes dropped EXE

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up geolocation information via web service

Drops desktop.ini file(s)

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-06 01:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-06 01:12

Reported

2023-05-06 01:14

Platform

win10-20230220-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\1661fdb181c33f484346009f4aea3b2c\Admin@YJIYKEBB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\1661fdb181c33f484346009f4aea3b2c\Admin@YJIYKEBB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\1661fdb181c33f484346009f4aea3b2c\Admin@YJIYKEBB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\1661fdb181c33f484346009f4aea3b2c\Admin@YJIYKEBB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\1661fdb181c33f484346009f4aea3b2c\Admin@YJIYKEBB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\1661fdb181c33f484346009f4aea3b2c\Admin@YJIYKEBB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\1661fdb181c33f484346009f4aea3b2c\Admin@YJIYKEBB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\1661fdb181c33f484346009f4aea3b2c\Admin@YJIYKEBB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3680 set thread context of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7737278.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7737278.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7737278.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2014296.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe
PID 2008 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe
PID 2008 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe
PID 1908 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe
PID 1908 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe
PID 1908 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe
PID 1908 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7737278.exe
PID 1908 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7737278.exe
PID 1908 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7737278.exe
PID 2008 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2014296.exe
PID 2008 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2014296.exe
PID 2008 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2014296.exe
PID 3988 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2014296.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 3988 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2014296.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 3988 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2014296.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 4524 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4524 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4524 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4524 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4524 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4524 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4524 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 4524 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 4524 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 3680 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 3680 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 3680 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 3680 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3680 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3680 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3680 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3680 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3680 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3680 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3680 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4864 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 652 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 652 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 652 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 652 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 652 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 652 wrote to memory of 3296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 652 wrote to memory of 3296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 652 wrote to memory of 3296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4864 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2776 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2776 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2776 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2776 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2776 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe

"C:\Users\Admin\AppData\Local\Temp\b3199350d13625d04e262f07517970c6581006e5ec880f39865d265a43f8193e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7737278.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7737278.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2014296.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2014296.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe"

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WFVnWbVdsjuyLY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF0C8.tmp"

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Network

Country Destination Domain Proto
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 251.124.91.77.in-addr.arpa udp
AT 212.113.119.255:80 212.113.119.255 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 104.208.16.90:443 tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 67.55.52.23.in-addr.arpa udp
US 8.8.8.8:53 255.119.113.212.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0328013.exe

MD5 f69c7cf2d97cceb17bb83279feafbe72
SHA1 f1491a091faa8a69982ad1eaa7b237e9e4633d98
SHA256 c18894431977d0bd92c733791de523142f30361595ae1c02532b2bed6449cf2e
SHA512 c808ec225e04747d2fc5f0eb6c23f70e47a55e5ad395147024c77600deeced0446659791417c9aa146b340299d7ca5ffee30b80b8036dd2a799667b1836e34e4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o9141065.exe

MD5 562d6c20f80150a7b65d259f834975be
SHA1 82026ed98ab30a5acfab79618669b7741c9bbc02
SHA256 ac7910f17668f8d96295b97a7f13dddb7c95b9508ca6d7d9f1b7c9d479713a2f
SHA512 8b23b05dcc507becd67370072cd9b705f74ae5056e3d612a434fad5f920ba284324fc7c9ccbdf93fc616136890f88991297afb540f1d3a3e00cb12b5e71c2aa0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7737278.exe

MD5 9d5ee28932d25f3a7924761c5c810b1c
SHA1 16f8a2a1783e52a0c56d33edec15cde122d1df50
SHA256 e969d7e3ab096fea823763f1fa8a1307472eb5ca9aaa44ece60cc749a621897d
SHA512 0319d425639ab951dd8cf755d9ed6a2268bbbe507905591a0e33e725bfb2acc8385a067e9a8291990ac73cf21c6b515a0cafbb2ac3032ed97c84ad9c73d5d7f1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2014296.exe

MD5 e708aeb1eb3409f12c92cec324dac0ab
SHA1 bdf81ac1ac62d6f5eb96ccaf78844d2476fc8a0f
SHA256 87aac103e665bf7a0c09869bd5f1ce876e696d7d9d6777a03fca429bda379a73
SHA512 0c8ea617137620e0a3b29503d720b509f5e087da2db2acaa1aa1b62cd38c3af03be7c53fe71c8a05c0356f23b90af88710434df1f3dd7dd0e1f0b137c919b33d

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 e708aeb1eb3409f12c92cec324dac0ab
SHA1 bdf81ac1ac62d6f5eb96ccaf78844d2476fc8a0f
SHA256 87aac103e665bf7a0c09869bd5f1ce876e696d7d9d6777a03fca429bda379a73
SHA512 0c8ea617137620e0a3b29503d720b509f5e087da2db2acaa1aa1b62cd38c3af03be7c53fe71c8a05c0356f23b90af88710434df1f3dd7dd0e1f0b137c919b33d

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73df88d68a4f5e066784d462788cf695
SHA1 e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256 f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

C:\Users\Admin\AppData\Local\Temp\tmpF0C8.tmp

MD5 65ae8c250e444879c4a39dd597673787
SHA1 7dfc4d5af72ef8c261211fe88bbed443a47adab2
SHA256 ff7d2ea63747cc13e5acbffc13f28a8702345671f6ba9658ed7ee12bb2078af4
SHA512 5c9df5dedb35a18b9467d7bd26e175ee62bcba584791280139c61ebb6e385e629e53e7aa448ce26fc4ed4295cc8b92eefe1faff502f4543c9965b9099d77c3c5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ch5FK0QgiAPF0lZ.exe.log

MD5 90acfd72f14a512712b1a7380c0faf60
SHA1 40ba4accb8faa75887e84fb8e38d598dc8cf0f12
SHA256 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
SHA512 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

C:\Users\Admin\AppData\Local\1661fdb181c33f484346009f4aea3b2c\Admin@YJIYKEBB_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\1661fdb181c33f484346009f4aea3b2c\Admin@YJIYKEBB_en-US\System\Process.txt

MD5 28172b6054be482e0c9a5c19783a18dc
SHA1 28bf85986f067a5b414b087da7ff454023df4865
SHA256 8f0b2f1c4244f82bd8a89f5a9bc9dc34f714a127bfd3355cfda507a547062143
SHA512 7da904378b164ddc01121e45ece5fca7f018d45ae898c490138b837c392341edc056b2551a55b1e65006e7a854d15889cf0b0e18ddc4bf6b2d87dd81be18c84d

C:\Users\Admin\AppData\Local\2880b78dc89795f8e720a6af490525b0\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99