50242b91f24c282bd51c8f742f19176e3054fc38a6413ede37f70fd5cd7eb13d

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54386e1ef991a60bda98b305feadc678.exe
Size

110KB
MD5

54386e1ef991a60bda98b305feadc678
SHA1

892125075d550437a3c5b28de2d1b37370b0762e
SHA256

50242b91f24c282bd51c8f742f19176e3054fc38a6413ede37f70fd5cd7eb13d
SHA512

0902d4d8eef6857cd0b65cdad6c9545fd18baabca50a9ef716a5fd14780fee501bbb25469474c36b1d34c5731193a4106cde05670058f92917710851b6731e50
SSDEEP

3072:wXzNDOJ6EnxF4TQIbpM+9Jut5BLnWDsD27n2:wDNhOxF4cIbJXut5BjWD4F

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	sgcxcxxaspf080515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit = "C:\\Windows\\system32\\inf\\svchosts.exe C:\\Windows\\system32\\lwfdfia16_080515.dll tanlt88"	sgcxcxxaspf080515.exe

Deletes itself 1 IoCs

pid	Process
2632	svchosts.exe

Executes dropped EXE 2 IoCs

pid	Process
2632	svchosts.exe
2480	sgcxcxxaspf080515.exe

Loads dropped DLL 7 IoCs

pid	Process
2948	54386e1ef991a60bda98b305feadc678.exe
2632	svchosts.exe
2632	svchosts.exe
2632	svchosts.exe
2632	svchosts.exe
2748	cmd.exe
2748	cmd.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mdccasys32_080515.dll	sgcxcxxaspf080515.exe
File created	C:\Windows\SysWOW64\inf\svchosts.exe	54386e1ef991a60bda98b305feadc678.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchosts.exe	54386e1ef991a60bda98b305feadc678.exe
File created	C:\Windows\SysWOW64\inf\sppdcrs080515.scr	54386e1ef991a60bda98b305feadc678.exe
File created	C:\Windows\SysWOW64\mdccasys32_080515.dll	54386e1ef991a60bda98b305feadc678.exe
File created	C:\Windows\SysWOW64\inf\scsys16_080515.dll	54386e1ef991a60bda98b305feadc678.exe
File created	C:\Windows\SysWOW64\lwfdfia16_080515.dll	54386e1ef991a60bda98b305feadc678.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pwisys.ini	svchosts.exe
File opened for modification	C:\Windows\pwisys.ini	sgcxcxxaspf080515.exe
File opened for modification	C:\Windows\pwisys.ini	54386e1ef991a60bda98b305feadc678.exe
File created	C:\Windows\system\sgcxcxxaspf080515.exe	54386e1ef991a60bda98b305feadc678.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411158516"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5B2BF31-B0AC-11EE-B309-FE29290FA5F9} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	sgcxcxxaspf080515.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2948	54386e1ef991a60bda98b305feadc678.exe
2948	54386e1ef991a60bda98b305feadc678.exe
2480	sgcxcxxaspf080515.exe
2480	sgcxcxxaspf080515.exe
2480	sgcxcxxaspf080515.exe
2480	sgcxcxxaspf080515.exe
2480	sgcxcxxaspf080515.exe
2480	sgcxcxxaspf080515.exe
2480	sgcxcxxaspf080515.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	54386e1ef991a60bda98b305feadc678.exe
Token: SeDebugPrivilege	2948	54386e1ef991a60bda98b305feadc678.exe
Token: SeDebugPrivilege	2480	sgcxcxxaspf080515.exe
Token: SeDebugPrivilege	2480	sgcxcxxaspf080515.exe
Token: SeDebugPrivilege	2480	sgcxcxxaspf080515.exe
Token: SeDebugPrivilege	2480	sgcxcxxaspf080515.exe
Token: SeDebugPrivilege	2480	sgcxcxxaspf080515.exe
Token: SeDebugPrivilege	2480	sgcxcxxaspf080515.exe
Token: SeDebugPrivilege	2480	sgcxcxxaspf080515.exe
Token: SeDebugPrivilege	2480	sgcxcxxaspf080515.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2172	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
1164	IEXPLORE.EXE
1164	IEXPLORE.EXE
1164	IEXPLORE.EXE
1164	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2632	2948	54386e1ef991a60bda98b305feadc678.exe	28
PID 2948 wrote to memory of 2632	2948	54386e1ef991a60bda98b305feadc678.exe	28
PID 2948 wrote to memory of 2632	2948	54386e1ef991a60bda98b305feadc678.exe	28
PID 2948 wrote to memory of 2632	2948	54386e1ef991a60bda98b305feadc678.exe	28
PID 2632 wrote to memory of 2748	2632	svchosts.exe	29
PID 2632 wrote to memory of 2748	2632	svchosts.exe	29
PID 2632 wrote to memory of 2748	2632	svchosts.exe	29
PID 2632 wrote to memory of 2748	2632	svchosts.exe	29
PID 2748 wrote to memory of 2480	2748	cmd.exe	31
PID 2748 wrote to memory of 2480	2748	cmd.exe	31
PID 2748 wrote to memory of 2480	2748	cmd.exe	31
PID 2748 wrote to memory of 2480	2748	cmd.exe	31
PID 2480 wrote to memory of 2172	2480	sgcxcxxaspf080515.exe	32
PID 2480 wrote to memory of 2172	2480	sgcxcxxaspf080515.exe	32
PID 2480 wrote to memory of 2172	2480	sgcxcxxaspf080515.exe	32
PID 2480 wrote to memory of 2172	2480	sgcxcxxaspf080515.exe	32
PID 2172 wrote to memory of 1164	2172	IEXPLORE.EXE	34
PID 2172 wrote to memory of 1164	2172	IEXPLORE.EXE	34
PID 2172 wrote to memory of 1164	2172	IEXPLORE.EXE	34
PID 2172 wrote to memory of 1164	2172	IEXPLORE.EXE	34
PID 2480 wrote to memory of 2172	2480	sgcxcxxaspf080515.exe	32

C:\Users\Admin\AppData\Local\Temp\54386e1ef991a60bda98b305feadc678.exe
"C:\Users\Admin\AppData\Local\Temp\54386e1ef991a60bda98b305feadc678.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\inf\svchosts.exe
  "C:\Windows\system32\inf\svchosts.exe" C:\Windows\system32\lwfdfia16_080515.dll tanlt88
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\system\sgcxcxxaspf080515.exe
      "C:\Windows\system\sgcxcxxaspf080515.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f6832080c620ca23022cd572f2e4b3a4

SHA1
5162bfa2dc5bbdcd48b5a7c6bad87330db56c888

SHA256
a947a1bb12ec3b9a3da144e49a7dbc33ed31a5bbe433c92c0b531fd7b5ff58f5

SHA512
acdc111d6236778ac917a915d8d30c99ab303ab553513482909449a4e2244b9b305329c9416b0df708fd4e236ba4b42ccaa5a2c1c5976f668ddaa14f7cf00109

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c50cb6b7131c2501f56c7d953187712d

SHA1
bad760ef617b41fe37b26d86a98b84b137ffc76c

SHA256
cf82f53bd4977b2c4a50de232304405c72f66c30b9c566103c2eca5032e87be7

SHA512
eb8737cef93197bae576ebe80e9ee1d6daf6fcacddfcddf74c01a7ba989705c5ef5594046fba23ce5bfc2c3f026bb82065bc3276fa919da9df3b05041f8ade8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0128616f1dc7894183157d150ce25223

SHA1
80e0e030ea9f7e123f6608f9818bcda4b87d89c0

SHA256
73b089a4752512d2a4d2b36719d4c5e17644e2134a0be20400f348185255838c

SHA512
7ce8f8629588f0f647526ef09d3cdce12de4bbaa397f20c04a3d45de8ddb1d88aa015db64e08e6e985cf8ca0b17b8e36dee7e40836554f3cf89ebb4d5c6fed25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95543aa9e62d1715c0ea064f05b614c8

SHA1
bcad842132fb1bd4acb0229a05f00f4bd575a507

SHA256
7d21fa8b959d5bdf914286320cca3718e538e5c23f61355c1de633a9602ea43c

SHA512
83d10735220aaef2fa2f6fc239e571f976cc1b941b4fba8e19c76d79c02f53ed7678f8fe3e4df6ed1d9fab5f67471c576f96610374b29b8f0a893a7f1b86bf9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec80476282a630d9992d79b7cbe76859

SHA1
621794fc683bb17dd2ba8b2b195445a01b3043fe

SHA256
0008c933469eb9387efa692065e77a759761d82bfd942f1936edaddb095d7df1

SHA512
be9ce7477117700a9faac53211d9269f67d70790645cdd7e5e76d4da23f9705d54b14e4b6595d5c3bd0b3f8a52100cdd703838dd31e2f1104fb94b7be43eeab8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46f18aee45992b5a3d227896e72e669d

SHA1
3f8d801da1983603f70a8d43b0afba32ec298dc9

SHA256
c6ff679743f13d031966edddda6d325cd050e5137314d7c116fab7263ab1e3e2

SHA512
68a21fc8bf63c478ada96fee68247d90e6381f7378f5fa0371fbc857c7e3b9a077e414ab7b156e10a79e71ed044f1902755670a53f1ed2c32e7378fd4beaa9a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39684eee0d43828f46af6cc70dced186

SHA1
725ca7977254bd3fcf14fc5b269d9f20b1085c77

SHA256
ffb012683e079e5f218a6cda152f7a30417e3752939a20fcbd924747f43ee0e5

SHA512
fb46ee422f5f9b0f2f04e9dd64f3a599d385fc29fdfdbe258f41f5e0dbb5efe2427f2ea14746eb052e1ab77875a92297adb9c4f8720496b885d97891e610e011

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
820f86f56b6a18863da60240868d1b5b

SHA1
3c213e0908a5c1c260f7167904f3087480e61a85

SHA256
5990bb89eb29629f28ed47c50e7cb7c293262314e6a3c964820d5376b5579b49

SHA512
0415c1f36ef79dd64d1c07ddc779eecbfcd0a76cebce9f6ff6c3b803b56b484f852db6b1fa3e5f90dfd6c0acd67bf2a5fd0b0f761756fe764a42da1701c83402

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21ae3fc57c4bb697c3bff3de6fd9bef5

SHA1
36564ea240a26b13eca1ace9ad8f8464c83d25db

SHA256
8760d4fe01297405d7c39cd94dd29b12e9533246ca836865c8d0ba79c76474ec

SHA512
a922c128b224f4cd018f62ccd24bf525fca5f6aae0255745c296b86d85251ff206d8d6ec1203b400a3d175757d7b497523297c6ec21bf67abe3e51dc75b7175c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ea9bb4ba85a8a0b36ddd23bff13ad0a

SHA1
ab8cf5edfc7237ec5940f9dc43a66db058699fa8

SHA256
7f7caa91ff2a6e47a131baaf1823c6f3447ccdcaac74d5b9722ae06dd9f9223b

SHA512
350c56d6733658d9c1518b86b92bc7c6d4be0c99b77569ecb311546817310e71d5ae399b92aed98febc2625f67e1ddd65b9b66cf35650ed751327e7d2a2d8215

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0e1fed2429d46d8a954f88ce0e5cf99

SHA1
cf547518a8bf79a38efdb02ee1bd08f8629c407d

SHA256
81d66bff670c0a2ece691b2cee93ee965a165a5b7f7749eca9f9a0bbce3cc2ae

SHA512
fc7a354b461434e69e4f46c62d4e9eb31881d21d3f02a72f08665f0c977a8d25651d979701007cfe6347b2f3afedf0115818ce4cf7c97910998d6859ebcd09c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb80c6e7472496c3da419e93070fd9a0

SHA1
7722199fa367ad343819dae75a2537fb81993f8d

SHA256
b5a53c10ab1ad3f959c20f1fd1a0d627c17cac60e53a2345033233fad8996e8b

SHA512
f0e6c0ee8627060184379a335a6c4c958cdad36a557cdb8b04826dffc63dba1d42671a718ce5243fdd1a12c3854e9346625c8003da175eef67c54aef0f5f5b61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1d18d6d1a0060ded16a7dbfa196463c

SHA1
e63fd67eda0d5505615d6b84e6ad1a1fed1cffa9

SHA256
1c1a89d0983805d9922273799fbb32e8630a61e89a30d5df411b3569ac175a47

SHA512
f8350136e7169c127d8ccc2f4eec3b1cceeab4a2f55b57aa78fa83924039894c811a7149512ea49960d5d638f6f59766c0b5e1eff936755727da24fd871be549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01573634eaff61b2a21e6aebbff2253f

SHA1
dee804d0da38c686b28308f10e9e9b21b563f64d

SHA256
303adb4c5f685e10d261a532f95e3894a36dcfb79a59bf568fdc3172b3a59058

SHA512
993f21692dc4b0a7b199812240445c47f4d3e54926d1450dffdbdcae916c88146efce0af7c67defd66536dc6c96710f062853f278fd09deebee53d3f28096f10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29cbef026596704923c34943986f19e3

SHA1
4c41b463d8188d48c70dcf155e5926b3e4bbe014

SHA256
cf5e393c5a4359ea61c18daeded6936dcfb0974a27a5083354400176bc0b87b1

SHA512
816dcdfdd01f32cc658d353971dcad4dc0b2abd7312cc3eb7ad8d61d2364089212c80f1d7ca57e72554b8bd87fb9aa4fa71c676c9816bf84b3f65a7643325439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d676d05321fbe55b34f45314c8a3abf0

SHA1
332200936d5dccf2cff356536114bf8ca8eaae2a

SHA256
118dfe038ae62495dc57e83b7999411090d09ce3274044f2970bf3da9d882815

SHA512
b315c81e752e8a166f701a5ff2d9c9d42ac4ed533e3c7ebe57362107bfcd6a28302d3149b30d6de26668ee137d378157ff1ded9e91ea396b54ef66aec5f4cb2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb487e8f4dff484a5bbc932b6e66e1d6

SHA1
a9c3a789b5b2a702531923dcbc2649c5469cd5d0

SHA256
5420988d9ac3c5e495a7f2a2f7a147487f1dd06044f39fba538b27ae91fb3042

SHA512
492289cfad0ca23c10417eb70beb15ce374aa6bd18c893eb2b1791cea5162c74883bf13dd40f4c43781daccd1f878532c3949407bac1d81cddbf57492deac4ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b768dbb8e4631d555ef2edccac987f4d

SHA1
0266aa9b950c69faace976f54f7dc9f9d06fbd3c

SHA256
fce712bb5d9da9b761b7cc87a3dc1f5dff7ae3c5ddf9d4d8eb431e994d63fdb0

SHA512
f3662617d30644851039430c0b19f7607364ccac0bd947e883943213b818e534486615fc4643e2f6c098d0202c36eab30ad383f43189117e265cb5d11a7ec6ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a011560108edd47262e727ca2e504f1

SHA1
9d9b4b1c5c5af79211c1309566aeca41009302ae

SHA256
3fff2dacd431d81d7845051fdf6fa7d7984f97d588e367c475514eda0ce6d4b9

SHA512
53ca72faf21872e595fb8c550f815af988b95ebde7b4bcce8d7539e3c5d817ef9550020de43dea7a341950ab43f697a39a5d560211534a44d1eb06743b1c6f38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84384fee4316e5dabfca5e01734d4aa1

SHA1
1668cb3909fc9817892840a12e5283a07d54b33f

SHA256
6a24678bcc932c4a71bce40936fd3bc15fdaa84c4943764f2287f484644c359a

SHA512
85b79ea4438b383c37b3c05ecd085048b00284bf40a95d777c365c3847a495a4cb8f814d2438a663a0a690a0fdd331543e7d5abd8c8b6b46984f00e1c1f9c257

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33abae49f53b60c4c991ecd5b0436cce

SHA1
b78aa1a8cc0a08e90ea813e17d90eef2c21bb76e

SHA256
6ac6daa60dc9d64b155c871c1595a8db862e68855ff0d0a9c58da3ba84a1ed83

SHA512
7fd84be99730e5a24ad81e5530a930ff7ee8b43b6b1189fdaf11c046744171de9b3870359a7f036828db15f24edd0bd2453a733a0ae62fd7ea0394b2a6d8702f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
60e94a1aea1568685dd48007453e633b

SHA1
60b9e89a8ea03717931ca9373d2e9e6d7e2c960d

SHA256
6bbff791897491109c5030a9085b3ddb88475d641172e1751de54dcefff78206

SHA512
2601fdae7a17507644d5bb1a2636c7b60807b74c7363cf2a794a4a42a2ec1b7431bad4fb6b3e24bfb5a0016b1e9282a675bcf3f2bcc31270ed2291a96448aca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DBE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\SysWOW64\inf\svchosts.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\mdccasys32_080515.dll

Filesize
218KB

MD5
b02521c9f542d02cdaadb890609c8df3

SHA1
b7004371868d5f96a5228551e1420d599252547f

SHA256
b4b47a59a2263ad2210397f7153a13679d434946c418ab37750c40269d42e65f

SHA512
0fd75e37712440778ab216b5e410a42ee35ae33db4fa8d546128bcf31feedfd5bee442dda1c1e7d19a319be682cb92d2050809893bf29590e0170de1aa8a0edf

Download Submit
C:\Windows\pwisys.ini

Filesize
46B

MD5
19ae6b6db9fd19a4ef9c7fd4b27b45d2

SHA1
08d77f5aa82274517a93c6ad24396cbccddabdf3

SHA256
98c9129d8354991184b3312ec55b72c4a160af479d7d21ea4bfb56d3fd6c47d0

SHA512
0314a7494f1012cc8d3501dca4074ecbac8b2e19d705fb1430be34d946e677bc690c6e7bf3151af1ab7b5a2dccd1ee144555d50b83c978869876fa2e28a37d93

Download Submit
C:\Windows\pwisys.ini

Filesize
448B

MD5
0b364065ca09d61aabea352fba88a04e

SHA1
459b136ae51efbcabb224b3f9031739f782d42f2

SHA256
189aaec0fa8283aa9bdb605a9798d770f2c4518cc6fe5c31b7ab82dd37aa5539

SHA512
4a35dab5eaa5cd9afb2bfc475b6888a13c556c0d308d99d9395e01c4cbbc244a18679ffe1cf268603442b19fa8e7f85ec9b8ecdadc717eec264273a726b9d6c3

Download Submit
C:\Windows\pwisys.ini

Filesize
378B

MD5
d514959a7cb4eef1169a1604baa803c9

SHA1
a1d9dbb2579031d6448020ab1c0ccd5ee325d639

SHA256
1e8c7207fdff2cdc48737f79caaf9d8c7b0c0a6009a51314635bef0423afd7f9

SHA512
61856e969326aa622db3d4db8710875a039f53976204fee168cccb4439f36f445ed73bbff067215234f5eb69150b87fd44f728568cc05863456296cedf34ca17

Download Submit
C:\Windows\pwisys.ini

Filesize
412B

MD5
2aa800ab1b2697472b357e6fc0d3c48a

SHA1
525ae58ae6a2cedec44e6950897bc726925a4255

SHA256
72ddad5c48a07067698e9558ff06f33ee14ba8631f64fd4344c0a867c1e6ef35

SHA512
d30fc75da70fe5754a97c495512264b28d2c2d1f657d3c5d66b525f5c69b158eb0257972a2393d7075c072a76101fcc07599a09fd2c6b502b281279e16663593

Download Submit
C:\Windows\pwisys.ini

Filesize
445B

MD5
a35a36e64c3f81669e77e4f667aa9d8e

SHA1
ce6e66a2d3f50bbe1eec7714539497c4ac8263e7

SHA256
1924d504d41d7a18f5b7ce072301e7282d87b754f3c70d2ac0477b7d6fcd1f6c

SHA512
d8cad417273c58775005c9de5ef4cdfd2365f11466cc520b3522831f1dd764ffca190f1419276e25c455224e9d0a058f4abead08c1f6631c8a1d1499866d9491

Download Submit
C:\Windows\pwisys.ini

Filesize
472B

MD5
f8e87b2a847808cc95cdef93e3b70946

SHA1
4ec487f9bd92ccd2dcc3cb957efa1be99a36a9db

SHA256
d32e06ed2c88b01482c01e3462066a44fc292163eec4c31c6914880a3d22d88b

SHA512
fe9efaab4e5e50e67f82d6e9bcd328ddcd380079c49cb4f2087192dc48f2f51b13b7c2c3a90da8c8171641e4edd8927be00553837f3692bbeac1f58d5a50ab71

Download Submit
\??\c:\mylstecj.bat

Filesize
53B

MD5
94d0a2a547916c750d4d389461fe9248

SHA1
79850c7eef48247648b64d5b6ab4a327e79d9ba0

SHA256
ca608b14e38a37c9b7f17de97432c5f05601e4c7e859083af8fa2b4bf84fd1cc

SHA512
4e1b51d9650c13e41b77532ccc42b0a40af8935398443f90ef27c691a43bd6e05d04524757d8884e1594fd2a0e64370915bff1081173922e654e1c326d70b475

Download Submit
\Windows\SysWOW64\lwfdfia16_080515.dll

Filesize
30KB

MD5
4c4a8d1a787ed781a87907396aa7af0f

SHA1
ff4ef76616f3cce8f7eb8dbd109e508e63b88319

SHA256
3564461b7f12ec14ff75a6c00f9baa6f4a7309cacef4a48dda996fd1a1149da7

SHA512
b2348a2e7c0b71229ac2c56de40c6006efbe6f680c6c8acee7b1e5c8a0302c2d7b2d76f2c9496314c4c91316815404fd839ee6f6b17c187bdce495d23415ba65

Download Submit
\Windows\system\sgcxcxxaspf080515.exe

Filesize
110KB

MD5
54386e1ef991a60bda98b305feadc678

SHA1
892125075d550437a3c5b28de2d1b37370b0762e

SHA256
50242b91f24c282bd51c8f742f19176e3054fc38a6413ede37f70fd5cd7eb13d

SHA512
0902d4d8eef6857cd0b65cdad6c9545fd18baabca50a9ef716a5fd14780fee501bbb25469474c36b1d34c5731193a4106cde05670058f92917710851b6731e50

Download Submit
memory/2632-675-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2632-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2632-1198-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download