a68472503f47b5c26530df3d7f346cd94a2641f94fe81092c6e1dc968de543ba

Analysis

max time kernel
170s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21ad40ebba38ba8b5112e5efa800de23.exe
Size

123KB
MD5

21ad40ebba38ba8b5112e5efa800de23
SHA1

3e2702cfd93c19a61ff840e90f2b8ae8a9219cc5
SHA256

a68472503f47b5c26530df3d7f346cd94a2641f94fe81092c6e1dc968de543ba
SHA512

205decc5aede504c71898d5f6a59002fb5f48014c4846e2110b0d3cf019daec3dc3f93f036f90c495ee168593d4a111d6360125f064b7607e516500db7ce4297
SSDEEP

3072:JNV7lSLVJy8cfzsbZpZhrVFBmQy6Ge2QLxo:JPl0y/fcZbnlHGgLxo

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgcxcxxaspf081223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\maincyucst = "C:\\Windows\\system32\\inf\\svchoct.exe C:\\Windows\\wftadfi16_081223a.dll d16tan"	sgcxcxxaspf081223.exe

Deletes itself 1 IoCs

pid	Process
1680	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2068	svchoct.exe
1656	sgcxcxxaspf081223.exe

Loads dropped DLL 3 IoCs

pid	Process
2720	21ad40ebba38ba8b5112e5efa800de23.exe
1504	cmd.exe
1504	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\scsys16_081223.dll	21ad40ebba38ba8b5112e5efa800de23.exe
File created	C:\Windows\SysWOW64\inf\svchoct.exe	21ad40ebba38ba8b5112e5efa800de23.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchoct.exe	21ad40ebba38ba8b5112e5efa800de23.exe
File created	C:\Windows\SysWOW64\inf\sppdcrs081223.scr	21ad40ebba38ba8b5112e5efa800de23.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tawisys.ini	21ad40ebba38ba8b5112e5efa800de23.exe
File created	C:\Windows\system\sgcxcxxaspf081223.exe	21ad40ebba38ba8b5112e5efa800de23.exe
File created	C:\Windows\dcbdcatys32_081223a.dll	21ad40ebba38ba8b5112e5efa800de23.exe
File created	C:\Windows\wftadfi16_081223a.dll	21ad40ebba38ba8b5112e5efa800de23.exe
File opened for modification	C:\Windows\tawisys.ini	sgcxcxxaspf081223.exe
File created	C:\Windows\dcbdcatys32_081223a.dll	sgcxcxxaspf081223.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	sgcxcxxaspf081223.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410573650"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FAC292F1-AB5A-11EE-B092-D2016227024C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2720	21ad40ebba38ba8b5112e5efa800de23.exe
2720	21ad40ebba38ba8b5112e5efa800de23.exe
1656	sgcxcxxaspf081223.exe
1656	sgcxcxxaspf081223.exe
1656	sgcxcxxaspf081223.exe
1656	sgcxcxxaspf081223.exe
1656	sgcxcxxaspf081223.exe
1656	sgcxcxxaspf081223.exe
1656	sgcxcxxaspf081223.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	21ad40ebba38ba8b5112e5efa800de23.exe
Token: SeDebugPrivilege	2720	21ad40ebba38ba8b5112e5efa800de23.exe
Token: SeDebugPrivilege	1656	sgcxcxxaspf081223.exe
Token: SeDebugPrivilege	1656	sgcxcxxaspf081223.exe
Token: SeDebugPrivilege	1656	sgcxcxxaspf081223.exe
Token: SeDebugPrivilege	1656	sgcxcxxaspf081223.exe
Token: SeDebugPrivilege	1656	sgcxcxxaspf081223.exe
Token: SeDebugPrivilege	1656	sgcxcxxaspf081223.exe
Token: SeDebugPrivilege	1656	sgcxcxxaspf081223.exe
Token: SeDebugPrivilege	1656	sgcxcxxaspf081223.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
748	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
748	IEXPLORE.EXE
748	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2068	2720	21ad40ebba38ba8b5112e5efa800de23.exe	31
PID 2720 wrote to memory of 2068	2720	21ad40ebba38ba8b5112e5efa800de23.exe	31
PID 2720 wrote to memory of 2068	2720	21ad40ebba38ba8b5112e5efa800de23.exe	31
PID 2720 wrote to memory of 2068	2720	21ad40ebba38ba8b5112e5efa800de23.exe	31
PID 2720 wrote to memory of 1680	2720	21ad40ebba38ba8b5112e5efa800de23.exe	29
PID 2720 wrote to memory of 1680	2720	21ad40ebba38ba8b5112e5efa800de23.exe	29
PID 2720 wrote to memory of 1680	2720	21ad40ebba38ba8b5112e5efa800de23.exe	29
PID 2720 wrote to memory of 1680	2720	21ad40ebba38ba8b5112e5efa800de23.exe	29
PID 2068 wrote to memory of 1504	2068	svchoct.exe	32
PID 2068 wrote to memory of 1504	2068	svchoct.exe	32
PID 2068 wrote to memory of 1504	2068	svchoct.exe	32
PID 2068 wrote to memory of 1504	2068	svchoct.exe	32
PID 1504 wrote to memory of 1656	1504	cmd.exe	34
PID 1504 wrote to memory of 1656	1504	cmd.exe	34
PID 1504 wrote to memory of 1656	1504	cmd.exe	34
PID 1504 wrote to memory of 1656	1504	cmd.exe	34
PID 1656 wrote to memory of 748	1656	sgcxcxxaspf081223.exe	35
PID 1656 wrote to memory of 748	1656	sgcxcxxaspf081223.exe	35
PID 1656 wrote to memory of 748	1656	sgcxcxxaspf081223.exe	35
PID 1656 wrote to memory of 748	1656	sgcxcxxaspf081223.exe	35
PID 748 wrote to memory of 2792	748	IEXPLORE.EXE	37
PID 748 wrote to memory of 2792	748	IEXPLORE.EXE	37
PID 748 wrote to memory of 2792	748	IEXPLORE.EXE	37
PID 748 wrote to memory of 2792	748	IEXPLORE.EXE	37
PID 1656 wrote to memory of 748	1656	sgcxcxxaspf081223.exe	35

C:\Users\Admin\AppData\Local\Temp\21ad40ebba38ba8b5112e5efa800de23.exe
"C:\Users\Admin\AppData\Local\Temp\21ad40ebba38ba8b5112e5efa800de23.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\21ad40ebba38ba8b5112e5efa800de23.exe"
  2⤵
  - Deletes itself
  PID:1680
- C:\Windows\SysWOW64\inf\svchoct.exe
  "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_081223a.dll d16tan
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylbs3tecj.bat"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\system\sgcxcxxaspf081223.exe
      "C:\Windows\system\sgcxcxxaspf081223.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:748
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88c273df731446d9f4abd4fbc80e2036

SHA1
76f37fc93e5e5abec9732b7f03cbf6669492a184

SHA256
2f039ff31d5a471b3e66f1186fab0fb5165cafc91b3685884a440dd4a3ff016c

SHA512
01921c7f200713b99f700fb5ea7591ecf42e49c73a0de031d14de7b9a188345bffa12d6ed1f6da3646bb30b96f34c9556047bde8f50da6426de4e620363819e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72340c4958dae2c5810c58a5b09def8a

SHA1
dcb028c5f802aafbee890717e96de5255add7ab7

SHA256
a512a2b9af2c8a25e54d441ae32146dee442ebca3cc56a04e7cf8d92aa91303f

SHA512
a7b11fdce5a1f2403c961769b86889b394ac81388b79935e7b5805967ee385a6dfc6b7a59c4465087cbc7becaf30e67f1b2d8ccf4bad68cfbfd883f2fd756844

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
669a14d65917a09e92271154d04fc7f5

SHA1
c1e82f1c6ba133308bc1cfac73771ab43f84dba4

SHA256
58a5db3ba4747d4388d02adad8d7e5530ade54219edfb24f3d32e70a1129ecfc

SHA512
481ee5c3f78f1e4add600b5444c05dbab1e17c4bb5d7642cf5d828f25f19113c5a8950a4c40cea39f064acec9c1b5b9ef773106a71a4cbe29368a86828ddcdee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad1fcbd3a32ef05307fb7cdbfc363795

SHA1
47fdf2f5086c040f00907e0460421e89392e24ce

SHA256
50cd18980b51533bfade5fed66451cf123025eaeb8ac9d96b62f5b0e4bc4ee58

SHA512
2598bbaf7463db776b1f0fd0ca5ba1093eb41dd585ba6e102b1686a392e9e64e0197d3f26668ad5911ed35558bf513d199c852a9c88d1ec608ffe21a99917b68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b6125ec9b9454373f8d5db919387c45

SHA1
41b5adffd018f51818e0ef6520498f84eb9831b6

SHA256
ce64a63d1a06500110788339decbb9a89e8e3a1f3626f0d75a84d127a12929bd

SHA512
df7902a8b007361db4db356b935ac022f0e52a0abb16bcd6a788c3bdb98325a03b048b3b20e314b64f2585cfa87b01e9274db02916ce2758c9a2163e714a1587

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
292b6c00d99a58147528c6464650a3a0

SHA1
3dbf5f914424ad3a1c5145386009853c937ca4e3

SHA256
418ec0640d980630ba4fb72136b037c703e9f6643dc3d77250a0fe5f60687bae

SHA512
a4a5771c4e332e4050f45f101f7367e96464bc47fa43ee160d51f5dbd6945631ff82038ef9056774439d6478ece8a45df74841d7791c17ea503946d416ee4867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ee2402db49bdc0c31da320ffb413c7b

SHA1
45e66ec1452219533ec42bca8091673dc04b5f0c

SHA256
e2587e700e1ae7dc8686ba34a29ed2d2d6aed8b668f97dee1dd8da8b3f3c22ed

SHA512
9c99243f3baaf3f8e6cfd5224cdee24fb59ddb9b07ebc63c9cf35a9702573aebc987d690d65ad6e7179f62dfbd115c2cb24f37d7baae74a113d94a5d7297748d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33599b4c0d42e9e009b4235afba9bd56

SHA1
d0b9ed82c06a6af1727d9cf604e407b7252c9bd4

SHA256
ff7590f9adc5b735d89682b35d1765bad9a590fdbfe00f2c41cb4812fb9ee0b4

SHA512
5557f8a214640e85a741e6dde5df9f00d85ca980d498b0360e0390f49c353c84b446c3484086b53cd6c63f2616eb53e61f3a09ad26f25a3243be106c48667ef0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea6ab4e4f2eabfd28d395615984e748c

SHA1
d48fcdd2ffdd5309503b47ce12e0d25cca97dd57

SHA256
abd4a5191af78eb3c62806885779b6f3c67a76f57f3890155b8f4461f2c33640

SHA512
bd78d8ff88e6d7c6b069c6bb252f42caaef9bcdbe2c1e693687f27a492470e0996f0115f8fe0a55d1babb3e60e0d600245b51e6a99fe530266e83f6ba7956717

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5DDC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5FF1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\SysWOW64\inf\svchoct.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\dcbdcatys32_081223a.dll

Filesize
236KB

MD5
f11e8839e7523778b7ce91fe7a405814

SHA1
35115ca4d16e3db0c6fd3e0ae298ac380e6da8cb

SHA256
5266e86873177107d5d8d3e8bc7c734ab84c71f828289cd2bc18e518a94eb17d

SHA512
f85894f1f8b7d17541dc5f3ed435d15108bcc5b06f20efe066c6f1712cb4ae5545a50182dc903a96a76f48ecbdb1b842930106a855c2b7b36beeb68f8140355f

Download Submit
C:\Windows\system\sgcxcxxaspf081223.exe

Filesize
123KB

MD5
21ad40ebba38ba8b5112e5efa800de23

SHA1
3e2702cfd93c19a61ff840e90f2b8ae8a9219cc5

SHA256
a68472503f47b5c26530df3d7f346cd94a2641f94fe81092c6e1dc968de543ba

SHA512
205decc5aede504c71898d5f6a59002fb5f48014c4846e2110b0d3cf019daec3dc3f93f036f90c495ee168593d4a111d6360125f064b7607e516500db7ce4297

Download Submit
C:\Windows\system\sgcxcxxaspf081223.exe

Filesize
98KB

MD5
d60ec2522b435cd576658f50079c2ed1

SHA1
e413e5cf5e243a29c810505ff97c9487bfce48e9

SHA256
6214b206707d28d13582aa3204e64cb25809ac1c38bc5cca9af7d11b667514c7

SHA512
68a75394c655173930440dbd61268dc9f6b0524e54e518bac4839e99bd6ef5906410e523dc5c9870afc51abdfc88e03260cc4c5a1e3461e7a8cdf020330eecc8

Download Submit
C:\Windows\tawisys.ini

Filesize
133B

MD5
96db3991b815fcae6f7547e59c423601

SHA1
f068557a3b9456d9d3dc28a980cb65df6dc422ab

SHA256
fbde73ab608799c03d2139d50703abdf8106e88d7874a6fe6ec3cc20f83ba721

SHA512
3eb3567b71c3df4d6e4e58bff44e0ac031063e2bc44b9b0d8a81f0765db5ca5b1219797c364def05e1aae3ce8114808136ccca3b077a8a00cf384cd89bdae6f3

Download Submit
C:\Windows\tawisys.ini

Filesize
384B

MD5
3fe4da3002f9b667570fa0595525dbf9

SHA1
c010b89db5a2fee8a66e20e63c7c844c0ca2f33d

SHA256
3e845268ad5c6850141be7b96e228f25d3d0c8ec6a980ff048a044aa37b7fd27

SHA512
0d575d285cfff6472aece7f76e169f34c86d4454ce1fe8e1a055b8c8ec5a31ca9a126c01979d1d723c2b7710eb39450aca9205ef813fd73e079a33cb56749705

Download Submit
C:\Windows\tawisys.ini

Filesize
435B

MD5
57fefac010c031fe46ab21f2b4731b05

SHA1
e2f5328bb74ec22e461125195eb25cf1affa1b6e

SHA256
4a41697f7b21980f057a93c9331011738804300dbabb7de67b4c9d2e1ded06c1

SHA512
bb277c5c01cb290dd0e6907320c69c8f563e1db28d865bcf759aa6bf6b3e0bfd55297ec39bd0fddef449997811beb7ad6f1f2797c3074ac5f8bcb1a2ccf5aeff

Download Submit
C:\Windows\tawisys.ini

Filesize
468B

MD5
98879f19f60013702adbd4753b4297ec

SHA1
72582bf61b158c5ebb5b8c62d76b8f16554b489b

SHA256
5d282278d3c6dd792d42da16de8c8e5ddcc2b4d73edb28e187a02d9243da4a28

SHA512
f39a3e653657856615dbf8a8b0f7d3afd36e438a39eedf27dfe88da0e2f5fdd25a53254f302cfaf51abf401b8014e84bcc47891907f9bb833116679a652539fb

Download Submit
C:\Windows\tawisys.ini

Filesize
82B

MD5
7f26c05ab68c4fc352a92867db487826

SHA1
c173527e850a71a66b69c2c3b74d4084d47f69e3

SHA256
148a02b13dc3f2658e550097afd319364d88f54b26c52304b9a955ae773e68eb

SHA512
7180bbcca3efca2c7bdc66fb3f974b106c46da93ad8f93f6fc8bb2ad47706004e330099181dfd64d436d29fbaefcfce88aa965b1d3e955eb05b341681a65fec0

Download Submit
C:\Windows\tawisys.ini

Filesize
495B

MD5
ed8dcf80c0a9ed84f631ed350e260447

SHA1
f05ad4dfa54a39020d8178a1791c385ff4dd92ab

SHA256
0148ec94ea584a299f02ada2032d74e88926ed37f36d3a6f0c5847760e71e5da

SHA512
56aadbbb31a544b1cfcba81d8a6f8ee9c80d4d49345fb9cfaefb4604c2db9ad53ad561418b227ca224bb9ce45e46e20c0de08f7eb8d32424e87b6f224a72adf6

Download Submit
C:\Windows\wftadfi16_081223a.dll

Filesize
36KB

MD5
201dff7c81ae1e05d4550bfaf93ad469

SHA1
cae1e5530988734f89521e46f4890eaeaab3b84c

SHA256
8ef55757f30292b735e694b471c926dd31d6c674f89bc8abff4e9ae9575d411d

SHA512
15ab50e0165964c3c40f98003c741011b5cf1f05bccfe57d5ef7c71e29d99a54bea800b6bc7b9e4f8987192be30a52ef4dc7160649aa367e5a2cb250ed0a92dc

Download Submit
\??\c:\mylbs3tecj.bat

Filesize
53B

MD5
da61e5e79afbc1c6f145fbbb67694d44

SHA1
a3cfcbf1b3da4bfa7a481757ae3f95e06b02f1cc

SHA256
fe892d6088d6f97bd93fb1539be587f5202f2623f6105a48cb88bbb197fa9a92

SHA512
36bdc3f9013019b3d2859b6b230c0c57acede2ddc7cfe4d68cb149e66bc303d080ac7f46124e7e0293055ac31434b73397ad5e175e7ec5181cff0063fa4c3488

Download Submit
\Windows\system\sgcxcxxaspf081223.exe

Filesize
56KB

MD5
a0ab589f068fa5a3cbcb9543d53d94b0

SHA1
54ca99d95d861c7def92d7006d02b7b4fa2e8229

SHA256
2f290fb07255707b97768e8d7958778bab16a75837e0a3be662bebc3248a2361

SHA512
b410b117d40357c2ce211f548a22bd93ec977b06988fb1ba7961e2239f67b6a08651bec2f4785a97accc276cd78924f52d87fbf3d78b8f2f60003122f413d57c

Download Submit
\Windows\system\sgcxcxxaspf081223.exe

Filesize
75KB

MD5
765443607fece5296db64c744155a526

SHA1
5c94feb863476c2f05a799ff081fadbb7e402529

SHA256
6c12e3d6ee38302739d15117ca6e920fb890e41e01015c70dfcf059b09a02423

SHA512
ce7bc8d7e8e5b809517f9ed3033adc30b3b616d4d9877fed91dbf5403856db3a0c3905d48f900729ffba7312831168865ae638a0ed83c391f956ad6d547e45db

Download Submit
memory/1504-78-0x0000000002010000-0x0000000002088000-memory.dmp

Filesize
480KB

Download
memory/1504-60-0x0000000002010000-0x0000000002088000-memory.dmp

Filesize
480KB

Download
memory/1504-58-0x0000000002010000-0x0000000002088000-memory.dmp

Filesize
480KB

Download
memory/1656-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-85-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2720-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2720-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download