Malware Analysis Report

2025-06-16 03:30

Sample ID 230506-ck71eafe86
Target 2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5
SHA256 2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5
Tags
amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5

Threat Level: Known bad

The file 2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5 was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan

AsyncRat

StormKitty

Modifies Windows Defender Real-time Protection settings

Amadey

StormKitty payload

Async RAT payload

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks installed software on the system

Drops desktop.ini file(s)

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-06 02:09

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-06 02:09

Reported

2023-05-06 02:11

Platform

win10-20230220-en

Max time kernel

147s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe N/A

StormKitty

stealer stormkitty

StormKitty payload

Async RAT payload

rat

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8231373.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8231373.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\75eaffb55ece329fa6fe967b617bc3dc\Admin@WBIJUTSD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\75eaffb55ece329fa6fe967b617bc3dc\Admin@WBIJUTSD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\75eaffb55ece329fa6fe967b617bc3dc\Admin@WBIJUTSD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\75eaffb55ece329fa6fe967b617bc3dc\Admin@WBIJUTSD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\75eaffb55ece329fa6fe967b617bc3dc\Admin@WBIJUTSD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\75eaffb55ece329fa6fe967b617bc3dc\Admin@WBIJUTSD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\75eaffb55ece329fa6fe967b617bc3dc\Admin@WBIJUTSD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\75eaffb55ece329fa6fe967b617bc3dc\Admin@WBIJUTSD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
File created C:\Users\Admin\AppData\Local\75eaffb55ece329fa6fe967b617bc3dc\Admin@WBIJUTSD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4304 set thread context of 3120 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7517818.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7517818.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6639355.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8231373.exe
PID 3488 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8231373.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe
PID 3488 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8231373.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7517818.exe
PID 4024 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6639355.exe
PID 3564 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6639355.exe C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 1100 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1100 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 1100 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 4304 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\schtasks.exe
PID 4304 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3120 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 360 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 360 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 360 wrote to memory of 1080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3120 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 4116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2648 wrote to memory of 4104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5.exe

"C:\Users\Admin\AppData\Local\Temp\2059ea972619698b01c8ba3d027bd3894061e97df759f47276269c145ce986f5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8231373.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8231373.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7517818.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7517818.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6639355.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6639355.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe"

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WFVnWbVdsjuyLY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E15.tmp"

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8231373.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7228667.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7517818.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6639355.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

C:\Users\Admin\AppData\Local\Temp\tmp9E15.tmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ch5FK0QgiAPF0lZ.exe.log

C:\Users\Admin\AppData\Local\75eaffb55ece329fa6fe967b617bc3dc\Admin@WBIJUTSD_en-US\System\Process.txt

C:\Users\Admin\AppData\Local\bb620f7c486ed3001e6270a2cb2bcace\msgid.dat