Malware Analysis Report

2025-06-16 03:30

Sample ID 230506-cklr6sfe77
Target 4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4
SHA256 4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4
Tags
amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4

Threat Level: Known bad

The file 4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4 was found to be: Known bad.

Malicious Activity Summary

amadey asyncrat stormkitty default discovery evasion persistence rat spyware stealer trojan

StormKitty

Modifies Windows Defender Real-time Protection settings

Amadey

AsyncRat

StormKitty payload

Async RAT payload

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Windows security modification

Checks installed software on the system

Looks up external IP address via web service

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-06 02:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-06 02:08

Reported

2023-05-06 02:10

Platform

win10v2004-20230220-en

Max time kernel

147s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe"

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe | N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\bc89eb4cd8d1f904c9b4ceb5e7e6a4bd\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File created | C:\Users\Admin\AppData\Local\bc89eb4cd8d1f904c9b4ceb5e7e6a4bd\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File created | C:\Users\Admin\AppData\Local\bc89eb4cd8d1f904c9b4ceb5e7e6a4bd\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File created | C:\Users\Admin\AppData\Local\bc89eb4cd8d1f904c9b4ceb5e7e6a4bd\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File created | C:\Users\Admin\AppData\Local\bc89eb4cd8d1f904c9b4ceb5e7e6a4bd\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\bc89eb4cd8d1f904c9b4ceb5e7e6a4bd\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
File created | C:\Users\Admin\AppData\Local\bc89eb4cd8d1f904c9b4ceb5e7e6a4bd\Admin@ROBKQPFG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2652 set thread context of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1008264.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1008264.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1008264.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1876 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe
PID 1876 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe
PID 1876 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe
PID 3928 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe
PID 3928 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe
PID 3928 wrote to memory of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe
PID 3928 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1008264.exe
PID 3928 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1008264.exe
PID 3928 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1008264.exe
PID 1876 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe
PID 1876 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe
PID 1876 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe
PID 4860 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 4860 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 4860 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
PID 3088 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3088 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3088 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3088 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3088 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3088 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 3088 wrote to memory of 4392 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3088 wrote to memory of 4392 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3088 wrote to memory of 4392 | N/A | C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2652 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 4540 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 2652 wrote to memory of 4540 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 2652 wrote to memory of 4540 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 2652 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 2652 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 2652 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 2652 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 2652 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 2652 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 2652 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 2652 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe
PID 4924 wrote to memory of 4220 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4220 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4220 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4220 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4220 wrote to memory of 2040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4220 wrote to memory of 4004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4220 wrote to memory of 4004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4220 wrote to memory of 4004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4220 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4220 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4220 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4924 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe | C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 3268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3024 wrote to memory of 3268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3024 wrote to memory of 3268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 3024 wrote to memory of 3876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 3024 wrote to memory of 3876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 3024 wrote to memory of 3876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe

"C:\Users\Admin\AppData\Local\Temp\4bbdded3f5aeeec4f9db7939013a42ad1a57869e11c8bbdfdd9a16ddcd0fbad4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1008264.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1008264.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe"

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WFVnWbVdsjuyLY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF5A.tmp"

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

Network

Country | Destination | Domain | Proto
IE | 20.54.89.15:443 | | tcp
US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 39.146.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FI | 77.91.124.251:19069 | | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 251.124.91.77.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 40.125.122.176:443 | | tcp
AT | 212.113.119.255:80 | 212.113.119.255 | tcp
US | 8.8.8.8:53 | transfer.sh | udp
DE | 144.76.136.153:443 | transfer.sh | tcp
US | 8.8.8.8:53 | 255.119.113.212.in-addr.arpa | udp
US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.25.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.55.52.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.161.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 8.8.8.8:53 | icanhazip.com | udp
US | 104.18.115.97:80 | icanhazip.com | tcp
US | 8.8.8.8:53 | api.mylnikov.org | udp
US | 172.67.196.114:443 | api.mylnikov.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 97.115.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | pastebin.com | udp
US | 172.67.34.170:443 | pastebin.com | tcp
N/A | 127.0.0.1:6606 | | tcp
US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
N/A | 127.0.0.1:6606 | | tcp
N/A | 127.0.0.1:7707 | | tcp
N/A | 127.0.0.1:6606 | | tcp
N/A | 127.0.0.1:7707 | | tcp
N/A | 127.0.0.1:7707 | | tcp
N/A | 127.0.0.1:8808 | | tcp
N/A | 127.0.0.1:7707 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8210030.exe

MD5 fdb6b6fbcc0a798a54e6f6c14184235f
SHA1 64137c4a2a0759ceb8480b7a7fb02db230820d5c
SHA256 fc6182c769b31a94d9572e4a1918f072338d88bf2b0c6a4d8bd7f8e611714ff1
SHA512 3633d02addf8749d2cfdb666074cf8509dc5b399ec5f628c3a15dbbdd5cc4bd230c1f6409bfca9fd69f9cd4dc710e79b5b016838d6bc12ca88f7fbece8bd9751

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1489147.exe

MD5 e177ae84ae1c297c649f3ba40686df54
SHA1 ffda6c88c146509149fad180cb0071abf10319d1
SHA256 3d15b39bbd5007e7d5298dc187469b21251f3a1c86d3644c466b2848504a735b
SHA512 28631ff9af8f7c3c5de0102d24ed7ad2be2093ca3ab0cbacf3f1bf7096c175a3e49df8f8faa380e8ef983b1433340dfb4eb87dd841df1fc7cb34ddccf04f220e

memory/3992-148-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/3992-147-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/3992-149-0x0000000004A50000-0x0000000004FF4000-memory.dmp

memory/3992-150-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-151-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-153-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-155-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-157-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-159-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-161-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-163-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-165-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-167-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-169-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-171-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-173-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-175-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-177-0x0000000002350000-0x0000000002362000-memory.dmp

memory/3992-178-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/3992-179-0x0000000004A40000-0x0000000004A50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1008264.exe

MD5 3a619759d046ebdbf5943e646088a838
SHA1 81b16c1cfabaee4ea602258c9ead2080e0ab90c1
SHA256 2cbc43cdbc02a7d04c5cc53d688b2e50f3b1f3e86162b413e45eda1a0e99d1ad
SHA512 7e9c537856b66b48ee537b4de929a3b14eadc322b78c85ac8fa94fbd83f9f2cbe0c4e8eb749bb6390bd5f20268c55b806039cc5f029e935ea8d71b9c66387245

memory/4680-184-0x0000000000A70000-0x0000000000A98000-memory.dmp

memory/4680-185-0x0000000007DE0000-0x00000000083F8000-memory.dmp

memory/4680-186-0x0000000002CB0000-0x0000000002CC2000-memory.dmp

memory/4680-187-0x00000000078D0000-0x00000000079DA000-memory.dmp

memory/4680-188-0x0000000007800000-0x000000000783C000-memory.dmp

memory/4680-189-0x00000000078C0000-0x00000000078D0000-memory.dmp

memory/4680-190-0x0000000007B40000-0x0000000007BA6000-memory.dmp

memory/4680-191-0x00000000086E0000-0x0000000008772000-memory.dmp

memory/4680-192-0x0000000008800000-0x0000000008876000-memory.dmp

memory/4680-193-0x00000000087A0000-0x00000000087BE000-memory.dmp

memory/4680-194-0x0000000008AA0000-0x0000000008C62000-memory.dmp

memory/4680-195-0x0000000009810000-0x0000000009D3C000-memory.dmp

memory/4680-196-0x0000000002B80000-0x0000000002BD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6479451.exe

MD5 c6c7329d7a34f043ad8931e75fe4f239
SHA1 00fd9ad23f93c02fe61e079ade9cdd6f6689483a
SHA256 735a657a1b50c9d8adffb1bbbf0aff02f8d3fa3f29d014e2f6743c252d4f4285
SHA512 972125c423a75216bf9a82030b5c40a6142eace16764cc76453376d27d3cd9d30d82b4ad13e1b768fc999343963e85feec6d63c8d53b9f067110956c6927a8da

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 c6c7329d7a34f043ad8931e75fe4f239
SHA1 00fd9ad23f93c02fe61e079ade9cdd6f6689483a
SHA256 735a657a1b50c9d8adffb1bbbf0aff02f8d3fa3f29d014e2f6743c252d4f4285
SHA512 972125c423a75216bf9a82030b5c40a6142eace16764cc76453376d27d3cd9d30d82b4ad13e1b768fc999343963e85feec6d63c8d53b9f067110956c6927a8da

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

memory/2652-235-0x0000000000D10000-0x0000000000DC8000-memory.dmp

memory/2652-236-0x00000000055F0000-0x000000000568C000-memory.dmp

memory/2652-237-0x0000000005700000-0x000000000570A000-memory.dmp

memory/2652-238-0x0000000005830000-0x0000000005886000-memory.dmp

memory/2652-239-0x00000000056D0000-0x00000000056E0000-memory.dmp

memory/2652-240-0x00000000056D0000-0x00000000056E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 73df88d68a4f5e066784d462788cf695
SHA1 e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256 f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

C:\Users\Admin\AppData\Local\Temp\tmpAF5A.tmp

MD5 b474d5645f6e196f4f977fb98e12c698
SHA1 2e394883c30db60b693e07ab62c2b8e14e133d86
SHA256 8b94c252f67cf5742b815ed57f52e17f03bf987e051a16ce3f1ccff336d6058b
SHA512 cca5f7a035957cfc8ef46284948fdba8470ddc5363936eff51bc176a29e498467ae71476b8f790658ad82caf2ebe21e921422fb9dc28bc3185d547813a6e86bb

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

memory/4924-265-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000089001\Ch5FK0QgiAPF0lZ.exe

MD5 47a8c45bba270132b73e104012f91303
SHA1 90db9ee76798a92e7d0f34177806e7c29f725be4
SHA256 6c44a3d4dd6f58f47bddb684e038f4e3a3bc029d9263771aa996be35b0121830
SHA512 ba2ee4a9d384ca4c22d3000d15327c2d2e3613f6942cd0b9e9ba980971b032db4a950460eeb1ff64c2229035082069b0b9e165e9d6050a92a6dcc8e5d7754abe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ch5FK0QgiAPF0lZ.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/4924-269-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/4924-373-0x00000000053F0000-0x0000000005400000-memory.dmp

C:\Users\Admin\AppData\Local\bc89eb4cd8d1f904c9b4ceb5e7e6a4bd\Admin@ROBKQPFG_en-US\System\Process.txt

MD5 d15427633b40cf14e5f638dd47e67e69
SHA1 29b7300623d0f1ac78972298605cf28ebf513918
SHA256 42916601e9ff80be587fe1e8f1fe525a2094ce0721a86252c42eef942d8a3fd3
SHA512 65f2396e31342fc2f9a6d23e19c048d4b3cd2c24623675d60f4535e0f8f5b3812d8554ff8a9e602d89423118828b2c6aefdec3e5e824a86b2a76d79ef99b0bb0

memory/4924-411-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/4924-414-0x00000000063C0000-0x00000000063CA000-memory.dmp

C:\Users\Admin\AppData\Local\0d190aa2d37c1d60bc2efbca4cf6b02b\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4924-420-0x0000000007190000-0x00000000071A2000-memory.dmp

memory/4924-442-0x00000000053F0000-0x0000000005400000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe

MD5 c6c7329d7a34f043ad8931e75fe4f239
SHA1 00fd9ad23f93c02fe61e079ade9cdd6f6689483a
SHA256 735a657a1b50c9d8adffb1bbbf0aff02f8d3fa3f29d014e2f6743c252d4f4285
SHA512 972125c423a75216bf9a82030b5c40a6142eace16764cc76453376d27d3cd9d30d82b4ad13e1b768fc999343963e85feec6d63c8d53b9f067110956c6927a8da