Malware Analysis Report

2025-04-03 09:39

Sample ID 230502-lyzqmacd7t
Target file.exe
SHA256 f90cac94e15dcd83102e845c4e1e10e244506615157f19b8dd816c1ce32fca1e
Tags
amadey systembc persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

SystemBC

Amadey

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2023-05-02 09:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-02 09:57

Reported

2023-05-02 09:59

Platform

win7-20230220-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1536 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1536 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3277.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:4449 tcp
UA 194.40.243.240:3666 tcp

Files

memory/1716-54-0x0000000000970000-0x0000000000A10000-memory.dmp

memory/1716-55-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1716-56-0x0000000000470000-0x0000000000476000-memory.dmp

memory/1716-58-0x0000000004820000-0x0000000004860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3277.tmp.bat

MD5 0b35d3d9bb3679bc83c86f58a8d24379
SHA1 861add7162e68d03974ef637de673b76aa397f57
SHA256 f91d5f1c8045285ef0160e4014551ef3b07a2f761d2e7a689770aecd77f93a20
SHA512 5cebe2d0addeb79e482be732151e7f719599e95e26d595869c6256a9cd165f3d7112581c344fcdbdc6134d5ad2545bcd7724087221753e0f20fd8b62e595633c

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

MD5 fec1bb333482a2e245660c0e4026f85d
SHA1 a08544a217c47a3d77292f013afa6d84f93f0821
SHA256 f90cac94e15dcd83102e845c4e1e10e244506615157f19b8dd816c1ce32fca1e
SHA512 f283cf4815219bf20672f86cfd81aa4eb1813863e168f0f21e44033d86d4df1d8e55e6ee214f293dd6734e33f24d556a8694b7d0b0c239fcc8762cae90016c9f

memory/1296-71-0x00000000011E0000-0x0000000001280000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/1296-74-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-02 09:57

Reported

2023-05-02 09:59

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\elXnPr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020050\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sc64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021061\\sc64.dll, rundll" C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\update.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\elXnPr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\update.exe
PID 3988 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Users\Admin\AppData\Local\Temp\elXnPr.exe
PID 4440 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\elXnPr.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
PID 1724 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 3276 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3948 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
PID 3948 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 4956 wrote to memory of 4852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3212 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\update.exe

"C:\Users\Admin\AppData\Local\Temp\update.exe"

C:\Users\Admin\AppData\Local\Temp\elXnPr.exe

"C:\Users\Admin\AppData\Local\Temp\elXnPr.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3988 -ip 3988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1852

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B1C.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Network

Files

memory/1724-133-0x0000000000CA0000-0x0000000000D40000-memory.dmp

memory/1724-134-0x0000000005620000-0x0000000005621000-memory.dmp

memory/1724-135-0x00000000056B0000-0x0000000005716000-memory.dmp

memory/1724-136-0x0000000005E30000-0x00000000063D4000-memory.dmp

memory/1724-137-0x00000000057C0000-0x0000000005852000-memory.dmp

memory/1724-138-0x0000000005880000-0x00000000058F6000-memory.dmp

memory/1724-139-0x00000000059A0000-0x0000000005A3C000-memory.dmp

memory/1724-141-0x0000000005870000-0x0000000005880000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\update.exe

MD5 c80864ec4f40c15a4589d19a1e6cd3ca
SHA1 60179fed90422c2db1cefa9e05762965fa0e4283
SHA256 1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
SHA512 acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1

memory/3988-155-0x0000000000E80000-0x0000000000F14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\elXnPr.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

memory/3988-161-0x00000000057A0000-0x00000000057B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\tmp9B1C.tmp.bat

MD5 47715aef6a60ec61c594ed8f5088a476
SHA1 e652c9ae69f0a592d1da5af4494e338d29c8735c
SHA256 0dbe9c8d6bd5e1960cf27d0be9a22597de9c51de378476978ecbcbba37e3e41b
SHA512 e014685cb3da7f4168aaf887ffa60ebc04326d5a8f377c9d35f603df081e8d96dc67254a9db96d1ac61e6017a472202892a8c4814ae24c340a218fc10940f1be

C:\Users\Admin\AppData\Local\Temp\013461898371

MD5 747dbe1fe0cd999d44d230c2921556ff
SHA1 b95c5a76303574416b65c0c6ce2d004bda38df42
SHA256 a56bad536af3c169e44bb72d6a55f41dcea54df0ddb4b2cc916ec37a06f93109
SHA512 78f1a8d7fcbf0354cb4b81c627fcc1e6cb4afe28ecd9ccf991f093eadce11b1a2ddbcc53daf478718783789cdee0799669f3c787cca4f89be92af98da1e64d4b

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

MD5 1d81057710dc737ffee88f7f8b0ef90c
SHA1 8a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256 c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512 a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

memory/1516-213-0x0000000000C10000-0x0000000000C50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

MD5 4c09e8e3a1d837f125ea9f9c0c2c5380
SHA1 0221f489cdef441afad424b5954d07b432d0b8e8
SHA256 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512 d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

MD5 fec1bb333482a2e245660c0e4026f85d
SHA1 a08544a217c47a3d77292f013afa6d84f93f0821
SHA256 f90cac94e15dcd83102e845c4e1e10e244506615157f19b8dd816c1ce32fca1e
SHA512 f283cf4815219bf20672f86cfd81aa4eb1813863e168f0f21e44033d86d4df1d8e55e6ee214f293dd6734e33f24d556a8694b7d0b0c239fcc8762cae90016c9f

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/4912-232-0x00000000067E0000-0x00000000067EA000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/1516-250-0x0000000009A60000-0x0000000009A70000-memory.dmp

memory/1516-251-0x0000000009A60000-0x0000000009A70000-memory.dmp