2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
Size

208KB
MD5

6b1c274e0b37c953837c140a540294af
SHA1

6ef8f31ad0cf2e420daae5170f8f430a48eb6e6f
SHA256

2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2
SHA512

f1103734c2d0b9cef92a0f67c6938522aa2c643726c304ab4df7ab74cd10fc77c3c789c3bc52d26d48464a86c15e21463006ff86a436117de64f4f5aefebfd2e
SSDEEP

3072:AYkMRPgF8PIiUBKbTYPCxAHBQVEh+eNiboB4NLthEjQT67:AW4fUwPYYQOh+LCQEj9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 13 IoCs

pid	Process
2576	ULIWIN.exe
2688	RGE.exe
2372	KMOQHXY.exe
576	SEBKWV.exe
752	AMI.exe
1472	GMCZ.exe
1844	SCVRCV.exe
2144	TZXH.exe
2060	SXDCDF.exe
1080	ENW.exe
964	MVV.exe
1968	VDGE.exe
2968	GTZFP.exe

Loads dropped DLL 18 IoCs

pid	Process
2064	cmd.exe
2064	cmd.exe
2440	cmd.exe
2440	cmd.exe
580	cmd.exe
580	cmd.exe
1388	cmd.exe
1388	cmd.exe
1572	cmd.exe
1572	cmd.exe
2908	cmd.exe
2908	cmd.exe
1060	cmd.exe
1060	cmd.exe
1280	cmd.exe
1280	cmd.exe
2888	cmd.exe
2888	cmd.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\ULIWIN.exe.bat	2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
File created	C:\windows\SysWOW64\SEBKWV.exe	KMOQHXY.exe
File created	C:\windows\SysWOW64\GMCZ.exe	AMI.exe
File created	C:\windows\SysWOW64\GMCZ.exe.bat	AMI.exe
File created	C:\windows\SysWOW64\MVV.exe.bat	ENW.exe
File created	C:\windows\SysWOW64\ULIWIN.exe	2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
File opened for modification	C:\windows\SysWOW64\ULIWIN.exe	2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
File opened for modification	C:\windows\SysWOW64\SEBKWV.exe	KMOQHXY.exe
File created	C:\windows\SysWOW64\SEBKWV.exe.bat	KMOQHXY.exe
File opened for modification	C:\windows\SysWOW64\GMCZ.exe	AMI.exe
File created	C:\windows\SysWOW64\MVV.exe	ENW.exe
File opened for modification	C:\windows\SysWOW64\MVV.exe	ENW.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\windows\system\KMOQHXY.exe.bat	RGE.exe
File created	C:\windows\system\VDGE.exe	MVV.exe
File created	C:\windows\system\AMI.exe.bat	SEBKWV.exe
File created	C:\windows\system\SCVRCV.exe.bat	GMCZ.exe
File created	C:\windows\system\SCVRCV.exe	GMCZ.exe
File opened for modification	C:\windows\TZXH.exe	SCVRCV.exe
File opened for modification	C:\windows\SXDCDF.exe	TZXH.exe
File created	C:\windows\SXDCDF.exe.bat	TZXH.exe
File created	C:\windows\ENW.exe	SXDCDF.exe
File opened for modification	C:\windows\ENW.exe	SXDCDF.exe
File created	C:\windows\RGE.exe	ULIWIN.exe
File opened for modification	C:\windows\system\SCVRCV.exe	GMCZ.exe
File created	C:\windows\TZXH.exe.bat	SCVRCV.exe
File opened for modification	C:\windows\RGE.exe	ULIWIN.exe
File created	C:\windows\RGE.exe.bat	ULIWIN.exe
File created	C:\windows\system\KMOQHXY.exe	RGE.exe
File created	C:\windows\system\AMI.exe	SEBKWV.exe
File created	C:\windows\TZXH.exe	SCVRCV.exe
File created	C:\windows\system\GTZFP.exe.bat	VDGE.exe
File created	C:\windows\ENW.exe.bat	SXDCDF.exe
File opened for modification	C:\windows\system\VDGE.exe	MVV.exe
File created	C:\windows\system\VDGE.exe.bat	MVV.exe
File created	C:\windows\system\GTZFP.exe	VDGE.exe
File opened for modification	C:\windows\system\GTZFP.exe	VDGE.exe
File opened for modification	C:\windows\system\KMOQHXY.exe	RGE.exe
File opened for modification	C:\windows\system\AMI.exe	SEBKWV.exe
File created	C:\windows\SXDCDF.exe	TZXH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1640	2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
2576	ULIWIN.exe
2688	RGE.exe
2372	KMOQHXY.exe
576	SEBKWV.exe
752	AMI.exe
1472	GMCZ.exe
1844	SCVRCV.exe
2144	TZXH.exe
2060	SXDCDF.exe
1080	ENW.exe
964	MVV.exe
1968	VDGE.exe
2968	GTZFP.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1640	2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
1640	2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
2576	ULIWIN.exe
2576	ULIWIN.exe
2688	RGE.exe
2688	RGE.exe
2372	KMOQHXY.exe
2372	KMOQHXY.exe
576	SEBKWV.exe
576	SEBKWV.exe
752	AMI.exe
752	AMI.exe
1472	GMCZ.exe
1472	GMCZ.exe
1844	SCVRCV.exe
1844	SCVRCV.exe
2144	TZXH.exe
2144	TZXH.exe
2060	SXDCDF.exe
2060	SXDCDF.exe
1080	ENW.exe
1080	ENW.exe
964	MVV.exe
964	MVV.exe
1968	VDGE.exe
1968	VDGE.exe
2968	GTZFP.exe
2968	GTZFP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2064	1640	2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe	28
PID 1640 wrote to memory of 2064	1640	2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe	28
PID 1640 wrote to memory of 2064	1640	2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe	28
PID 1640 wrote to memory of 2064	1640	2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe	28
PID 2064 wrote to memory of 2576	2064	cmd.exe	30
PID 2064 wrote to memory of 2576	2064	cmd.exe	30
PID 2064 wrote to memory of 2576	2064	cmd.exe	30
PID 2064 wrote to memory of 2576	2064	cmd.exe	30
PID 2576 wrote to memory of 2588	2576	ULIWIN.exe	31
PID 2576 wrote to memory of 2588	2576	ULIWIN.exe	31
PID 2576 wrote to memory of 2588	2576	ULIWIN.exe	31
PID 2576 wrote to memory of 2588	2576	ULIWIN.exe	31
PID 2588 wrote to memory of 2688	2588	cmd.exe	33
PID 2588 wrote to memory of 2688	2588	cmd.exe	33
PID 2588 wrote to memory of 2688	2588	cmd.exe	33
PID 2588 wrote to memory of 2688	2588	cmd.exe	33
PID 2688 wrote to memory of 2440	2688	RGE.exe	34
PID 2688 wrote to memory of 2440	2688	RGE.exe	34
PID 2688 wrote to memory of 2440	2688	RGE.exe	34
PID 2688 wrote to memory of 2440	2688	RGE.exe	34
PID 2440 wrote to memory of 2372	2440	cmd.exe	36
PID 2440 wrote to memory of 2372	2440	cmd.exe	36
PID 2440 wrote to memory of 2372	2440	cmd.exe	36
PID 2440 wrote to memory of 2372	2440	cmd.exe	36
PID 2372 wrote to memory of 580	2372	KMOQHXY.exe	37
PID 2372 wrote to memory of 580	2372	KMOQHXY.exe	37
PID 2372 wrote to memory of 580	2372	KMOQHXY.exe	37
PID 2372 wrote to memory of 580	2372	KMOQHXY.exe	37
PID 580 wrote to memory of 576	580	cmd.exe	39
PID 580 wrote to memory of 576	580	cmd.exe	39
PID 580 wrote to memory of 576	580	cmd.exe	39
PID 580 wrote to memory of 576	580	cmd.exe	39
PID 576 wrote to memory of 1388	576	SEBKWV.exe	40
PID 576 wrote to memory of 1388	576	SEBKWV.exe	40
PID 576 wrote to memory of 1388	576	SEBKWV.exe	40
PID 576 wrote to memory of 1388	576	SEBKWV.exe	40
PID 1388 wrote to memory of 752	1388	cmd.exe	42
PID 1388 wrote to memory of 752	1388	cmd.exe	42
PID 1388 wrote to memory of 752	1388	cmd.exe	42
PID 1388 wrote to memory of 752	1388	cmd.exe	42
PID 752 wrote to memory of 1572	752	AMI.exe	43
PID 752 wrote to memory of 1572	752	AMI.exe	43
PID 752 wrote to memory of 1572	752	AMI.exe	43
PID 752 wrote to memory of 1572	752	AMI.exe	43
PID 1572 wrote to memory of 1472	1572	cmd.exe	45
PID 1572 wrote to memory of 1472	1572	cmd.exe	45
PID 1572 wrote to memory of 1472	1572	cmd.exe	45
PID 1572 wrote to memory of 1472	1572	cmd.exe	45
PID 1472 wrote to memory of 2908	1472	GMCZ.exe	46
PID 1472 wrote to memory of 2908	1472	GMCZ.exe	46
PID 1472 wrote to memory of 2908	1472	GMCZ.exe	46
PID 1472 wrote to memory of 2908	1472	GMCZ.exe	46
PID 2908 wrote to memory of 1844	2908	cmd.exe	48
PID 2908 wrote to memory of 1844	2908	cmd.exe	48
PID 2908 wrote to memory of 1844	2908	cmd.exe	48
PID 2908 wrote to memory of 1844	2908	cmd.exe	48
PID 1844 wrote to memory of 2304	1844	SCVRCV.exe	49
PID 1844 wrote to memory of 2304	1844	SCVRCV.exe	49
PID 1844 wrote to memory of 2304	1844	SCVRCV.exe	49
PID 1844 wrote to memory of 2304	1844	SCVRCV.exe	49
PID 2304 wrote to memory of 2144	2304	cmd.exe	51
PID 2304 wrote to memory of 2144	2304	cmd.exe	51
PID 2304 wrote to memory of 2144	2304	cmd.exe	51
PID 2304 wrote to memory of 2144	2304	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe
"C:\Users\Admin\AppData\Local\Temp\2ff382324d6f087327c18d84ff620dbecbbf8d1816337f5ab44309ebf0bd79e2.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\ULIWIN.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\windows\SysWOW64\ULIWIN.exe
    C:\windows\system32\ULIWIN.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\RGE.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\windows\RGE.exe
        
        C:\windows\RGE.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\KMOQHXY.exe.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\windows\system\KMOQHXY.exe
        
        C:\windows\system\KMOQHXY.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\SEBKWV.exe.bat" "
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\windows\SysWOW64\SEBKWV.exe
        
        C:\windows\system32\SEBKWV.exe
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\AMI.exe.bat" "
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\windows\system\AMI.exe
        
        C:\windows\system\AMI.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\GMCZ.exe.bat" "
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\windows\SysWOW64\GMCZ.exe
        
        C:\windows\system32\GMCZ.exe
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\SCVRCV.exe.bat" "
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\windows\system\SCVRCV.exe
        
        C:\windows\system\SCVRCV.exe
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\TZXH.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\windows\TZXH.exe
        
        C:\windows\TZXH.exe
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\SXDCDF.exe.bat" "
        18⤵
        
        PID:2376
        
        C:\windows\SXDCDF.exe
        
        C:\windows\SXDCDF.exe
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\ENW.exe.bat" "
        20⤵
        
        PID:2080
        
        C:\windows\ENW.exe
        
        C:\windows\ENW.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\MVV.exe.bat" "
        22⤵
        Loads dropped DLL
        
        PID:1060
        
        C:\windows\SysWOW64\MVV.exe
        
        C:\windows\system32\MVV.exe
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\VDGE.exe.bat" "
        24⤵
        Loads dropped DLL
        
        PID:1280
        
        C:\windows\system\VDGE.exe
        
        C:\windows\system\VDGE.exe
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\GTZFP.exe.bat" "
        26⤵
        Loads dropped DLL
        
        PID:2888
        
        C:\windows\system\GTZFP.exe
        
        C:\windows\system\GTZFP.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ENW.exe.bat

Filesize
52B

MD5
da4e953d6b968713cb113ea1c8400790

SHA1
4fcdda0b9326290aba0eca79942074271a266507

SHA256
b365aefc6fba28f3aa1b9d4d40c62a79823d3918989e0cdaaadda7fec96350a6

SHA512
9aa768c33c7d1a64253aa3ec377072bf335c8b9ff1b6d3a837e7b8983d30b2836e136801587e462faa501c0085c65d998ef0636d0f75f0cab733990d256c78c8

Download Submit
C:\Windows\RGE.exe

Filesize
208KB

MD5
16902fa45e809f51bc37c58a701a0851

SHA1
a9cd6312928cc770abfb79a76c9314b7b75b2659

SHA256
518e74d8aa15c7258a2658a587017bad2b3330d712f84d36ccb45632b74df13a

SHA512
1fa3da567d54bab23790a1f63a826c9da1e34d424b0461ff9f19105078f2e53c18e1a47fcb65d57eecb6bcd0ee16e29f129777100c36a3bcec0112052f6356cb

Download Submit
C:\Windows\RGE.exe.bat

Filesize
52B

MD5
3e31eff86caa32eab4816c1b8e073883

SHA1
c47941c8682e4c3e25416bd24d8d6c58ecf82003

SHA256
01b064506c45aa0f1040c3c5dc0035ca27c2f3ce7045432658cc5a6b5545c869

SHA512
54e6c9bcf985bb027a8b46192676a228003de9641fde597941a07ba4444f578d13cb71c2e11b809f6eefd1a1b0b1c8d9e40bd4b56748a4cada2af1260af3f889

Download Submit
C:\Windows\SXDCDF.exe

Filesize
208KB

MD5
2833095a8ff544016d87716da5d3a93c

SHA1
379597e68296cfcd5ac99faea70561695e8ba994

SHA256
b83b51d6373ab8708c6e27438d723830cf7873bf1c3a05d37fa0ce6a7e428915

SHA512
b85952bfbb14d12bd3e4d788e136d9b1d763777e9998d6e1cef7103bf74449031cc0ec24b15cd4aea98498cc28d670a1a8dd3f4f4e457abcb3eb95d7eebefda0

Download Submit
C:\Windows\SXDCDF.exe.bat

Filesize
58B

MD5
c43262c225386da56c6d333384f6595a

SHA1
c4e7526ea2b068ac696468d6ac4431aaa78deccb

SHA256
8732139e92414b54e81e372eb698943041eab4d33681a0e42062272ddc8ea801

SHA512
e486b1bcc7eacd77e024eda25cabd99042d8acd3a9b3e17c5cf91713d76b7b9c6c11c1d221a92da6bd5342add51c8ab8447da2cbc795c61ed8bc8bad453a64d3

Download Submit
C:\Windows\SysWOW64\GMCZ.exe.bat

Filesize
72B

MD5
7be35af8cfba0e75b6b20e62ce5c9969

SHA1
a9cb4bc6336a6c9906a363ab8ae51190b4a25a55

SHA256
3d6a2e40f4e6116b74dae01a97d1988a7275e746e8f326f291213547f35b5300

SHA512
93955f97339db43b15b73b04df28257a98b9aee4dcb5695172a4a252ffeb07cbf4a7d6382d6c0086648a36ab13d0b359347a96421638acde3f2225922ba2c4ce

Download Submit
C:\Windows\SysWOW64\MVV.exe.bat

Filesize
70B

MD5
f74b74c645a76d4b9e794e48f9a6ecbc

SHA1
d90ac6d77679c1d3382ce50d968044aa7dd315a1

SHA256
04c8677b3a3d59d9ce25525bea8044b9bcc2704e4538b5981072443666a3d25b

SHA512
34dd2c77893fc2b85a039c2a94d1d96797398b4ea7ef2389a6b6c73a93a54dc716de08a61f6e6f2cbff67156dcd6d6f7972f154bf5e53fb7077ce372f323ffb9

Download Submit
C:\Windows\SysWOW64\SEBKWV.exe.bat

Filesize
76B

MD5
f915ac508669256cc464a591d4d90322

SHA1
aecfd10f3493214c65d8dde27b703f8b3b95a3b9

SHA256
3bd10bea0bb60c958d9e87852dd57c76fe2b0926d71cc8245ba552b321d8c1ca

SHA512
a68223f498d09c993406d1ee5a22ab418ba819810247ea369e59a7e41c948269653e22f81e66f1f0f56f8d7cb7d7dd73b3bf9d0c7c5b348001d6029d7547e34f

Download Submit
C:\Windows\SysWOW64\ULIWIN.exe.bat

Filesize
76B

MD5
3bf498441c485ae090b3642550748534

SHA1
8996d53d3271118de79929f50b73280f51b3a891

SHA256
f45937c14be31dbec2a659b940ee4c5c554e24be91b81f6293913a3f43a51735

SHA512
8abc5678b7649a27be18c3d414f5f1978624ec943719159679faa6a3e5a21f7b7781e34e1110e431f176000fa8e025804355e9edf67ae8a533eca083b3319fb8

Download Submit
C:\Windows\TZXH.exe.bat

Filesize
54B

MD5
5f8efad385b03c40491c3daa26fe7ae8

SHA1
8a4cc91b5c9bb8f4a351f8f85d50847703a4084e

SHA256
d4607e07fdf17dd892c9debc951cf5b67d71e0733a34c6050529901f74e2098f

SHA512
2eb9f6e060309a355338c59919e5a6ff569451d6407d3f5dd24cd8c65e1499acf35a2d8a0e8f0cefb9aa03084b5980dd5ebdd036c4ec25e5fafc8a73b505ff4a

Download Submit
C:\Windows\system\AMI.exe

Filesize
208KB

MD5
47852a71b0cc046417ecb7dfc73cb56b

SHA1
4e70b4b1528b2835712630aadb3c78e4a8c45e05

SHA256
0111090eb5d37cb0f96e9e64ee7a3129d22210aafb7f95ba0452df8a3a08de55

SHA512
4f18ddab60135af610250073568d12d184fd7bbe49213c73ca15176c6ae1ac6b920c1d3445f7aad0db92923d7f57a2d896aef24671d924df60314ab394cae01d

Download Submit
C:\Windows\system\AMI.exe.bat

Filesize
66B

MD5
fcab13625645bd610af6c974ef84ee54

SHA1
8a454de170e781d2e63eb6679638223731a3cb14

SHA256
160f94bb2a69ff020a4608fc399bfb60b0d7c04368c697bc6d89675b8c8132c5

SHA512
35368a8bafbc38bf27184a4e3fa8284962778db3babdfacc1dc651f381bf63ee8a77b3a266c5706ac60177d88d5468d5d882972ca65527ee955c5748d9d80154

Download Submit
C:\Windows\system\GTZFP.exe.bat

Filesize
70B

MD5
08fa1fb298501e07fbb75cb3331d4d0c

SHA1
b7a482c229447384d7d1a37612dc13bf25d79855

SHA256
db7b367f04ec97ab64e68c02ee39ec4517202bf5a1e9e49dc09067bbc614dd5a

SHA512
7b0e64771c4b127ab44b9eff94db813fe70e9e3a10a34f042cf0697b045818fb39b3b2e7a504b0f22688e346e7b8983eba04c9ff7c755f7ee0a09c431564ee96

Download Submit
C:\Windows\system\KMOQHXY.exe.bat

Filesize
74B

MD5
97e13035a2569a0f29901de272047831

SHA1
d5683fd546805f036e74f3ef005f02f20efda94b

SHA256
cd2b0beb4e708435560185627e0158923b037aa2dd92c330fceca767285b1155

SHA512
4581778c4ac5c465d4b2e060322356e90ed5bf5b558ce0d98c135a3eb83ad50f6a22c15157c6c2ea5f94ff23710726d16864868950e151b4ac18b97c7d369d9b

Download Submit
C:\Windows\system\SCVRCV.exe.bat

Filesize
72B

MD5
17309173cd38c48d79754a6c47efeafa

SHA1
50d11a0d2fa1a642ea856a248bc516065e250e52

SHA256
22acba5d5036a5b1a980a19c7f929251d887be47cf57223bb8d4e89f2a5e1562

SHA512
214bb588bf9d43ea0a13467ed65dc6092d4d3c7e82b18e11bc7dc15c1e85490dd2c262e3d461849b15fd4d6e593a969b4891aa80e4f93e3f8ab16e2bb931dc8f

Download Submit
C:\Windows\system\VDGE.exe.bat

Filesize
68B

MD5
1a257955f52f9efa32d14fa767d31e62

SHA1
2335ca58055bec41a3b4c6c9e4b728534172411c

SHA256
8e8bdece6c4bd1f74ebf55c1b45a338f140e98e61ed1726ea23af12d4e7b2e18

SHA512
dae9c69177a0b8436dfe8a489f48bbd87ac805a54f87c2c4f4934f0fe35edba9eb2770387121258fcf56e2d33749aa668b6f37cadff91a308248bf8a9e19e8f3

Download Submit
C:\windows\ENW.exe

Filesize
208KB

MD5
cb6fc86c10cebd40b02f0be2890a2456

SHA1
709a2dab98b9e97596962f50ae45e6230207a79d

SHA256
868730c328e9945b399ebe35dd017fa8978373154bff75e2643125827219405c

SHA512
03607717c09b4aa353fc805afe260711fc4615769a88666b23ea976f85073f48aebb0a5aee3e35b477f981fda0cf7bc70e826f83c2da215226708a84ecc4e5fa

Download Submit
C:\windows\RGE.exe

Filesize
208KB

MD5
ba5be8bbac62c9c0bf32b531f889eb12

SHA1
da71dd3fc2d9218b202003639081d0f3330acea2

SHA256
5f819ea399285a180d385dac719b04d24ba472598fdc725eb4e7a307064015d9

SHA512
587e1fb5f6b5c225706585571f5ccf00dc819ee202d7ebe2842d739ba2e4c5279923fd50390be501506b9a34987b533a93bfd86a4eb1774c96446fa328885c97

Download Submit
C:\windows\TZXH.exe

Filesize
208KB

MD5
da11e7324b8c010985aa0059f79bdf28

SHA1
162c71f6bd2bc1a81e8d1765b602ed1f8151e1c5

SHA256
4af509671872622d32ed4c0161a265f3beb026e6c5a56636a930365bf38bf209

SHA512
837c295016f670edf81f643e326bf6d095af32da871f544e3a6568b7ac01d79b7d99b20f2381ba910bdce0a07ca8d4a1bad025536d7e5a7579108fc62a63b306

Download Submit
\Windows\SysWOW64\GMCZ.exe

Filesize
208KB

MD5
0768efa5781471249f115d09e30c5340

SHA1
404f5ed5e1f907b0a329c88c17a8e2c933d96514

SHA256
68864f3f9207d23bf9804beb42262a4c41b573f90ed95b5a65b62eb7c29e1153

SHA512
1840c33817ec49dff2256fad5816447e9d52a9c363a3a2ab35dbcce81c4d3e62fa19b3901acfbbab706cff5e31ce58161d4191811cd9b5d3201f83d9ebd5e360

Download Submit
\Windows\SysWOW64\SEBKWV.exe

Filesize
208KB

MD5
d4a6b525a6cf36ffb46e0d60289c9fae

SHA1
29edd706e0ac9e0440dbc34d35fead1b96055576

SHA256
ec6013d4d89834b9d1f9b60bca92c1c4b85fcbbad4f2fbd3762b9ffe35584e0c

SHA512
e0bf13f4d9594d27dcbc12bffc20fc3e730851e11f495b6ff2cbca609bb5c76502c151d1e639436af634dec3faf3c5ebb394d5a27a1fe3e14566d1eb52380761

Download Submit
\Windows\SysWOW64\ULIWIN.exe

Filesize
208KB

MD5
3449d68401ae546b8dfbdac814118303

SHA1
851c690c938e65aa3c9241b77fe0226bbf5f39ca

SHA256
27d9908959deb96321f5c86e29cd9c54993680abe9a5989df1dbeef79326c3dd

SHA512
4d342ae4a4eafd0c9ddcdacc8ee6b240b936f05d9469e01e2d74aa0d3f7b7d1603bb2190bb3c336502d54bafa995353875dec37ab36106a53180dd9632c715eb

Download Submit
\Windows\system\GTZFP.exe

Filesize
208KB

MD5
d9514c5ee4b1f6a1e14066c882430c7c

SHA1
c6fdf367fb1507449da3601e19f780e3944891dd

SHA256
72ef812a6ce26e58fe03aa53e14ec671cc786b3cf569684303e1d3aff0c82df7

SHA512
f82bd8e30b109ccc229232991d5ce1b4797cf47928c30f281a5cde5d6afd54202918c1237ea04856b743843432bf8dc090b48e4a969b1229bfd361ac0307db40

Download Submit
\Windows\system\KMOQHXY.exe

Filesize
208KB

MD5
76adee62e29609e1e4d21268dd8ae489

SHA1
4e6bd328b7c9c1c37fc6af701d8ddfd00dcff35d

SHA256
8259942d8a7f75d8cd8ada9e70e4d3bb5c8c5c09aacf339b5cd36c1f03dc3623

SHA512
4b0c31e1644e0b23dd836cf340a493d109e22008d47f5c0a893b4cd04900f2bdfa8307dd0d3b3ab83719325dd198672216c639b7d140807bc9cb84410d2ba90c

Download Submit
\Windows\system\SCVRCV.exe

Filesize
208KB

MD5
b777db6191838c2fe04209b93ef866d5

SHA1
beac82205160626d13d49efc4f5e217c47254d64

SHA256
65cc1b896c765bf8e51377be11e3084e7bbfd4b4b71db2041a14177ffd2c671c

SHA512
4824aa5d0a259fd9f2df5c90082b3132c39502ea9dc21fb374b58aa399243ee5f95ab2bdb16c9775c94fb9209253552922d63d1434d0a229d5f9fb285a367441

Download Submit
\Windows\system\VDGE.exe

Filesize
208KB

MD5
94d3789b138f5bd8b4b1ae3ed20710f5

SHA1
8dd704c2959cab09b24a16032c4eb5c378db6703

SHA256
acfc0da41f193d3d985d0c31e1250f5c16284852b80c595fd4275f994d1ed15f

SHA512
006ee4e8df0f25548d8fa84553843d366fe1cfe364f34c44cc9ab05cbf48fcd670d61d366482c988f87e52144c1bc7a4bc42030f87e43989dbe4a52ae937ae69

Download Submit
memory/576-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/580-69-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/752-90-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-102-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/964-195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/964-207-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1060-193-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/1080-188-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1280-211-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/1472-121-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1472-109-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1572-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1640-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1640-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1844-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1844-128-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1968-225-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2060-160-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2060-172-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2064-18-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2080-175-0x0000000000290000-0x00000000002C8000-memory.dmp

Filesize
224KB

Download
memory/2144-156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-143-0x0000000000280000-0x00000000002B8000-memory.dmp

Filesize
224KB

Download
memory/2372-54-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2372-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2440-51-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2576-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2576-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2588-34-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2688-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2908-126-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/2968-231-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2968-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download